
Apple’s Safari Still a Sitting Duck?

Feb 23, 2006


For a typical Windows user, seeing a US-CERT advisory for an OS flaw is not
a rare experience.

Welcome to the party, Mac users. US-CERT has issued a Cyber Security Alert for
you now, too.


US-CERT Cyber Security Alert SA06-053A follows the center’s vulnerability note, which addressed the recently discovered Mac OS X Safari Command Execution Vulnerability.


At press time, the vulnerability remains unpatched. Unless appropriate
precautions are taken, simply visiting a malicious site with Apple's Safari Web
browser could cause arbitrary code to run on the Mac automatically, with no
further action by the user.


An Apple spokesman told internetnews.com that Apple takes security very
seriously and is currently working on a fix so that this doesn’t become
something that could affect customers.

The spokesperson advised that Mac
users should exercise discretion and only accept files from vendors and Web
sites that they know and trust.


There are apparently a few public exploits for the vulnerability already in
circulation.


“iDefense has reported on public exploits for this vulnerability, such as
the Metasploit Framework safari_safefiles_exec.pm code,” Ken Dunham,
director of the Rapid Response Team at iDefense, told internetnews.com.


Metasploit is an open source framework that packages exploit code into reusable
modules, which greatly simplifies vulnerability testing and also lowers the
effort needed to launch an attack once a module is public.


“This increases the likelihood of exploitation, but widespread exploitation
has not been identified to date,” Dunham added.


As previously reported, there is at least one workaround for the issue: turn
off Safari's option to open “safe” files automatically after they are
downloaded, so that a downloaded file is saved to disk rather than launched.


There is however another potential workaround that US-CERT does not include
in its advisory: Use another browser.


Mike Pinkerton, the project lead for the Camino Project, which is a Mozilla Gecko-based browser for Mac, noted that Camino ships with the “open downloaded files” preference set to “off” (whereas Safari
defaults it to “on”).
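The workaround above and the Camino comparison both come down to one browser preference, and a practitioner will want a repeatable way to check it rather than clicking through Safari's Preferences pane on every Mac. The script below is an added example written for this article, not code from Apple, US-CERT or the Camino project. It assumes the setting lives in the macOS defaults domain `com.apple.Safari` under the boolean key `AutoOpenSafeDownloads` (the key Safari uses for “Open ‘safe’ files after downloading”; confirm the name on your build) and that the `defaults` command-line tool is available. It treats an absent key as exposed, because Safari's built-in default, as the article notes, is “on”.

```shell
#!/bin/sh
# Added example (not from the article): audit Safari's "Open 'safe' files after
# downloading" setting and, with --fix, turn it off. Assumes the preference is
# stored under the defaults domain com.apple.Safari as the boolean key
# AutoOpenSafeDownloads; confirm the key name on your Safari build.

PREF_DOMAIN="com.apple.Safari"
PREF_KEY="AutoOpenSafeDownloads"

# Map a raw value, as printed by `defaults read`, to one of:
#   off     - auto-open disabled (the hardened state)
#   on      - auto-open enabled
#   unset   - key absent; Safari then falls back to its own default, which is on
#   unknown - anything else
classify_autoopen() {
  case "$1" in
    0|false|FALSE|no|NO)   printf 'off\n' ;;
    1|true|TRUE|yes|YES)   printf 'on\n' ;;
    '')                    printf 'unset\n' ;;
    *)                     printf 'unknown\n' ;;
  esac
}

# Only an explicit "off" is acceptable; "unset" is exposed because the
# built-in default is on, and "unknown" is exposed because we cannot tell.
is_hardened() {
  [ "$1" = off ]
}

# Read the live value; prints an empty string when the key does not exist.
read_autoopen() {
  defaults read "$PREF_DOMAIN" "$PREF_KEY" 2>/dev/null || true
}

# Write the hardened value. Safari reads its preferences at launch, so the
# change takes effect the next time Safari is started.
disable_autoopen() {
  defaults write "$PREF_DOMAIN" "$PREF_KEY" -bool false
}

# Live audit: returns 0 when hardened, 1 when exposed. Pass --fix to remediate.
audit_autoopen() {
  state=$(classify_autoopen "$(read_autoopen)")
  if is_hardened "$state"; then
    echo "$PREF_KEY is off: downloaded files are saved, not opened automatically"
    return 0
  fi
  echo "$PREF_KEY is $state: Safari will auto-open 'safe' downloads" >&2
  if [ "${1:-}" = "--fix" ]; then
    disable_autoopen
    echo "set $PREF_KEY to false; restart Safari for it to take effect"
    return 0
  fi
  return 1
}

# Run the live audit only where the macOS defaults tool exists, so the
# functions above can still be sourced and exercised on other systems.
if command -v defaults >/dev/null 2>&1; then
  audit_autoopen "$@"
fi
```

Run it as `sh audit-safari-autoopen.sh` to report, or with `--fix` to write the hardened value; the same classification could be pointed at any browser that exposes its auto-open choice as a readable preference, which is what makes Camino's off-by-default shipping state easy to confirm as well.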


“While technically that is a workaround, I would say it’s overreacting,”
Pinkerton told internetnews.com. “While we would appreciate the users, we
would prefer it’s because we have a better product, not because of mass
hysteria.”
