RealTime IT News

Apple's Safari Still a Sitting Duck?

For a typical Windows user, seeing a US-CERT advisory for an OS flaw is not a rare experience.

Welcome to the party, Mac users. US-CERT has issued a Cyber Security Alert for you now, too.

US-CERT Cyber Security Alert SA06-053A follows the center's vulnerability note, which addressed the recently discovered Mac OS X Safari Command Execution Vulnerability.

At press time, the vulnerability remains unpatched, and, if appropriate precautions are not taken, it could lead to arbitrary code being run on a Mac automatically via Apple's Safari Web browser if a user visits a malicious site.

An Apple spokesman told internetnews.com that Apple takes security very seriously and is currently working on a fix so that this doesn't become something that could affect customers.

The spokesperson advised that Mac users should exercise discretion and only accept files from vendors and Web sites that they know and trust.

There are apparently a few public exploits for the vulnerability currently roaming at large.

"IDefense has reported on public exploits for this vulnerability, such as the Metasploit Framework safari_safefiles_exec.pm code," Ken Dunham, director of the Rapid Response Team at iDefense, told internetnews.com.

Metasploit is an open source framework that greatly simplifies testing exploit code against known vulnerabilities.

"This increases the likelihood of exploitation, but widespread exploitation has not been identified to date," Dunham added.

As previously reported, there is at least one workaround for the issue, which involves disabling automatic file opening on downloads in Apple Safari.
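The workaround above can be audited and applied from the command line. The script below is an added example, not from the article or from Apple or US-CERT; it assumes the macOS `defaults` tool and Safari's `AutoOpenSafeDownloads` preference key in the `com.apple.Safari` domain, and treats a key that has never been set as enabled, since Safari's factory default is "on".

```shell
#!/bin/sh
# Added example: audit (and optionally fix) Safari's "open downloaded files"
# setting. Assumption: the preference is stored as
# com.apple.Safari AutoOpenSafeDownloads (read with the macOS `defaults` tool).

# Decide from the raw `defaults read` output whether automatic opening is on.
# Empty output means the key was never set, which Safari treats as enabled.
# Returns 0 when enabled (needs fixing), 1 when already disabled.
autoopen_enabled() {
    case "$1" in
        ""|1|true|TRUE|YES|yes) return 0 ;;   # enabled, or unset (= enabled)
        0|false|FALSE|NO|no)    return 1 ;;   # already disabled
        *) echo "unrecognised value: $1" >&2; return 0 ;;  # fail closed
    esac
}

# Read the live value; errors (missing key) are mapped to empty output.
read_autoopen() {
    defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true
}

# Turn the preference off for the current user. Safari reads it at launch,
# so a running Safari must be quit and reopened for the change to apply.
disable_autoopen() {
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

# main --audit reports only; main --fix also remediates.
main() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "not macOS: 'defaults' not found, nothing to audit" >&2
        return 0
    fi
    current=$(read_autoopen)
    if autoopen_enabled "$current"; then
        echo "AutoOpenSafeDownloads is enabled (value: '${current:-unset}')"
        [ "$1" = "--fix" ] && disable_autoopen && echo "disabled"
    else
        echo "AutoOpenSafeDownloads already disabled"
    fi
}

# Only run when invoked with an explicit mode, so sourcing the file is safe.
case "${1:-}" in --audit|--fix) main "$1" ;; esac
```

Run as `sh safari_autoopen.sh --audit` to check, or `--fix` to apply the workaround for the current user.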

There is, however, another potential workaround that US-CERT does not include in its advisory: use another browser.

Mike Pinkerton, the project lead for the Camino Project, which is a Mozilla Gecko-based browser for Mac, noted that Camino ships with the "open downloaded files" preference set to "off" (whereas Safari defaults it to "on").

"While technically that is a workaround, I would say it's overreacting," Pinkerton told internetnews.com. "While we would appreciate the users, we would prefer it's because we have a better product, not because of mass hysteria."