HomeSecurity

Apple’s Safari Still a Sitting Duck?

Sean Michael Kerner
By Sean Michael Kerner


For a typical Windows user, seeing a US-CERT advisory for an OS flaw is not
a rare experience.

Welcome to the party, Mac users. US-CERT has issued a Cyber Security Alert for
you now, too.


US-CERT Cyber Security Alert SA06-053A follows the center’s vulnerability note, which addressed the recently discovered Mac OS X Safari Command Execution Vulnerability.


At press time, the exploit remains unpatched, and, if appropriate
precautions are not taken, it could lead to arbitrary code being run on a Mac
automatically via Apple’s Safari Web browser if a user visits a malicious
site.


An Apple spokesman told internetnews.com that Apple takes security very
seriously and is currently working on a fix so that this doesn’t become
something that could affect customers.

The spokesperson advised that Mac
users should exercise discretion and only accept files from vendors and Web
sites that they know and trust.


There are apparently a few public exploits for the vulnerability currently
roaming at large.


“IDefense has reported on public exploits for this vulnerability, such as
the Metasploit Framework safari_safefiles_exec.pm code,” Ken Dunham
director of the Rapid Response Team at iDefense, told internetnews.com.


Metasploit is an open source tool that greatly simplifies vulnerability testing of exploit
code.


“This increases the likelihood of exploitation, but widespread exploitation
has not been identified to date,” Dunham added.


As previously reported there is at least one workaround for the issue, which
involves disabling automatic file opening on downloads for Apple Safari.


There is however another potential workaround that US-CERT does not include
in its advisory: Use another browser.


Mike Pinkerton, the project lead for the Camino Project, which is a Mozilla Gecko-based browser for Mac, noted that Camino ships with the “open downloaded files” preference set to “off” (whereas Safari
defaults it to “on”).


“While technically that is a workaround, I would say it’s overreacting,”
Pinkerton told internetnews.com. “While we would appreciate the users, we
would prefer it’s because we have a better product, not because of mass
hysteria.”

Sean Michael Kerner
Sean Michael Kerner
Previous article
Homestore on The ‘Move’
Next article
Google Begins Web Hosting

Similar Posts

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web

InternetNews is a source of industry news and intelligence for IT professionals from all branches of the technology world. InternetNews focuses on helping professionals grow their knowledge base and authority in their field with the top news and trends in Software, IT Management, Networking & Communications, and Small Business.

Advertisers

Advertise with TechnologyAdvice on InternetNews and our other IT-focused platforms.

Advertise with Us

Menu

Our Brands

Property of TechnologyAdvice.
© 2021 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.