Safari users warned of Mac OS X flaw

A serious flaw in Mac OS X could be a conduit for attackers to install malicious code on computers running the Apple software, experts warned on Tuesday.

The security problem is the third to surface for the operating system in the past week. It exposes Mac users to risks that are more familiar to Windows users: visiting a malicious website using Apple's Safari web browser could result in a rootkit, a backdoor or other malicious software being installed on the computer without the user noticing anything, experts said.

The SANS Internet Storm Center, which tracks network threats, said on Tuesday: "This could be really bad. Attackers can run shell scripts on your computer remotely just by visiting a malicious website."

Apple is developing a patch for the flaw, according to a company representative. "We're working on a fix so that this doesn't become something that could affect customers," the representative said but could not give a delivery date for the update.

Word of the new vulnerability comes after the recent discovery of a Trojan horse and a worm that target Mac users. The operating system had not been in the security crosshairs previously.

The new problem, discovered by Michael Lehn and first reported by Heise Online, lies in the way Mac OS X processes archive files. An attacker could embed malicious code in a ZIP file and host that on a website. The file and the embedded code would run when a Mac user visits the site using the Safari browser, experts said.

Alfred Huger, senior director of engineering at Symantec, said: "Essentially, the operating system is executing commands that come in the metadata for ZIP files. That is exacerbated by the problem that Safari will automatically open the file when you encounter it on the web."

The issue may go beyond archive files, SANS said in updated notes on its website. "The attacker doesn't need to send a ZIP archive; the shell script itself can be disguised to practically anything," the note said.

There are no known attacks that take advantage of the flaw, experts said. However, proof-of-concept code that demonstrates the security vulnerability is publicly available online and could be tweaked for use in cyber attacks. Huger said: "The skill level required to exploit it is very low. Pretty much anyone can do it."

In the Windows world, such flaws are often exploited to install spyware or ad-serving software on vulnerable PCs. While such insidious software may be rare for the Mac, there are back doors and rootkits for the operating system, Huger said. "I think you'd likely see those installed with this type of vulnerability," he said.

The vulnerability is rated "extremely critical" by security monitoring company Secunia. Symantec rates it "fairly high risk", Huger said. He said: "If you have a Mac and use Safari, it is something you should remediate immediately."

Mac OS X users can protect themselves by disabling the "Open safe files after downloading" option in Safari. In addition, users should be cautious when surfing the web, the Apple representative said. "Apple always advises Mac users to only accept files from vendors and websites that they know and trust."

Users of alternative browsers such as Camino and Firefox on the Mac are not exposed to the web-based attack vector, experts said.

Joris Evers writes for CNET News.com