heise online – Apple Safari Browser Automatically Executes Shell Scripts
With the switch to Intel, Apple is suddenly finding itself the target of added scrutiny from security researchers. This latest flaw is actually two separate features which, IMO, are design flaws that should never have made it into a production version of the OS. Apple, much like Microsoft, decided its browser should automatically open certain “safe” file types (Safari’s “Open ‘safe’ files after downloading” option). The problem is that there is no such thing as a safe file type. The second issue results from two features: Apple’s decision to let the OS automatically execute scripts, and the binary metadata the Finder writes when you change a file’s extension (OS X does this so that it still knows what the file is and which application should open it). Michael Lehn (a Ph.D. student at the University of Ulm in Germany) figured out that if you changed the extension of a shell script on a Mac to .jpg (or something else the browser would try to render) and then edited it to remove the “#!” interpreter line, the file would be downloaded and automatically executed: the extension says image, but the metadata written at rename time still treats the file as a script to be run, and the auto-open feature follows the metadata rather than the extension. There’s a reason this doesn’t happen on BSD. Apple’s OS team really needs to look harder at the implications of its design decisions.
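The check a practitioner would want after reading this, as an added example that is not from the heise article or from Lehn’s demonstration: a POSIX shell script that flags downloaded files whose extension claims an image or archive but whose leading bytes do not match that format, which is exactly the shape of a shell script renamed to .jpg. The three sample files it writes are constructed for the demo; the function and file names are my own, and the script checks magic bytes only, it knows nothing about the Finder metadata the post describes.

```shell
#!/bin/sh
# Added example (not part of the heise article or Lehn's demonstration):
# flag files whose extension claims an image or archive but whose first
# bytes do not match that format, e.g. a shell script renamed to .jpg.

# magic_matches PATH
#   returns 0 when the leading bytes match the extension,
#           1 when they do not (suspicious),
#           2 when the extension is missing or not one we know.
magic_matches() {
    path=$1
    name=${path##*/}          # basename, so dots in the directory don't count
    case "$name" in
        *.*) ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z') ;;
        *)   return 2 ;;
    esac
    case "$ext" in
        jpg|jpeg) expected=ffd8ff ;;     # JPEG SOI marker
        png)      expected=89504e47 ;;   # "\x89PNG"
        gif)      expected=47494638 ;;   # "GIF8"
        zip)      expected=504b0304 ;;   # "PK\003\004"
        *)        return 2 ;;
    esac
    # first four bytes of the file as lowercase hex with no separators
    lead=$(od -An -tx1 -N4 "$path" | tr -d ' \n')
    case "$lead" in
        "$expected"*) return 0 ;;
        *)            return 1 ;;
    esac
}

# scan_downloads DIR
#   prints each mismatching file, one per line; returns 1 if any were found.
scan_downloads() {
    dir=$1
    suspicious=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        rc=0
        magic_matches "$f" || rc=$?
        if [ "$rc" -eq 1 ]; then
            printf '%s\n' "$f"
            suspicious=1
        fi
    done
    return "$suspicious"
}

# make_samples DIR
#   writes three constructed files for the demo: a genuine JPEG header, a
#   shell script with its "#!" line removed and renamed to .jpg (the shape
#   of the file in the Safari report), and a file with no extension.
make_samples() {
    dir=$1
    printf '\377\330\377\340' > "$dir/real.jpg"
    printf 'echo this ran\n' > "$dir/script.jpg"
    printf 'plain text\n' > "$dir/notes"
}

# stand-alone demo
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
if scan_downloads "$demo_dir"; then
    echo "no mismatches in $demo_dir"
else
    echo "^ extension/content mismatch: do not let the browser auto-open these"
fi
rm -rf "$demo_dir"
```

Run it against a downloads folder with `scan_downloads ~/Downloads`. It catches the renamed-script case because the content and the extension disagree; it does not look at the Finder metadata, so on OS X the actual fix is still to turn off “Open ‘safe’ files after downloading” in Safari’s preferences and treat no downloaded file type as safe.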