avram: (Default)
Anyone out there using MacOS X and Safari should do the following immediately:

1. Bring up the Preferences dialog in Safari.

Menu screenshot

2. Click the “General” tab.

3. Look at the checkbox next to “Open ‘safe’ files after downloading”. If this checkbox is on, click it to turn it off.

Dialog screenshot

Then you may close the Preferences dialog and go about your business.

What’s all this about? Well, according to John Gruber, there’s a kernel bug exploit that makes it possible for someone to create a “.dmg” disk image file that, when mounted, causes a kernel panic (full system crash). If you leave that preference on, Safari will automatically attempt to mount “.dmg” files after downloading them, and it’s possible to set up a web site to initiate downloads automatically. Leaving that preference off means you have to actually double-click (or otherwise open) the file to screw up your computer — it’s a layer of safety.

Apple stupidly leaves this preference turned on by default, so if you aren’t in the habit of reading Mac techie sites, you’ve probably got it on. I don’t know if there have been any cases of someone actually distributing malicious panic-causing files using this exploit, but it could happen. There’s an anonymous security researcher who’s been publishing information about unpatched bugs; this has been the Month of Kernel Bugs.

And I just can’t discuss a Mac security bug without trash-talking about Windows security, so here’s Tom Yager arguing that Windows really is inherently more vulnerable than MacOS X to malware attacks, and he’s pretty specific about the technical reasons. Maybe some of that will be fixed in Windows Vista, maybe not.

Leaky pipes

Mar. 5th, 2005 11:11 pm
Last year, at Worldcon, I attended a panel on security where Jim Macdonald said something along the lines of “No matter how secure the pipe is, it leaks at both ends.” The current Frienditto matter illustrates this perfectly. You might trust LJ’s password security, and you might trust your friends not to blab the contents of your friends-locked posts, but if somebody tricks one of them into surrendering his password, that’s it for your security. There’s a reason people say to treat your password like a toothbrush (don’t share it with anyone, get a new one every six months).
