Security research firm Secunia is reporting that it has uncovered a flaw in Safari that could potentially allow someone to run a script or other application when you download a file from the Internet. The threat takes advantage of Safari's ability to open trusted files after they download.
Secunia has even gone so far as to produce a proof-of-concept for the exploit and post it on the company Web site. If your Mac is vulnerable, the proof-of-concept will launch the Calculator application.
The exploit works by tricking Safari into thinking that the contents of a ZIP archive contain trusted, safe files. Instead, the archive holds a shell script that executes other commands on your Mac.
This potential exploit is easily defeated by disabling Safari's "open safe files" option. This step-by-step preview from tomorrow's Quick Tip shows you how:
- Launch Safari.
- Choose Safari > Preferences from the menu bar.
- Click the General button.
- Uncheck Open "safe" files after downloading.
Disable "Open Safe Files" in Safari's preferences.
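The same change can be checked and applied from Terminal, which helps when several Macs or user accounts need it. This is an added example, not part of the Quick Tip or Secunia's advisory; it assumes the checkbox is stored as the `AutoOpenSafeDownloads` key in the `com.apple.Safari` preference domain, which the article does not name.

```shell
#!/bin/sh
# Added example: audit and disable Safari's "Open safe files after downloading".
# Assumption (not from the article): the checkbox is stored as the boolean
# key AutoOpenSafeDownloads in the com.apple.Safari preference domain.
DOMAIN="com.apple.Safari"
KEY="AutoOpenSafeDownloads"

# Map the raw output of `defaults read` to a state.
# An empty value means the key was never written; Safari then falls back to
# its default, which is to open "safe" files, so that counts as enabled.
pref_state() {
    case "$1" in
        0|NO|no|false) echo disabled ;;
        *)             echo enabled ;;
    esac
}

# Report the current user's setting.
audit_safari() {
    raw=$(defaults read "$DOMAIN" "$KEY" 2>/dev/null) || raw=""
    pref_state "$raw"
}

# Turn the option off and confirm that the change was stored.
harden_safari() {
    defaults write "$DOMAIN" "$KEY" -bool false || return 1
    [ "$(audit_safari)" = "disabled" ]
}

# Run only on a Mac, where the `defaults` tool exists.
if command -v defaults >/dev/null 2>&1; then
    echo "before: $(audit_safari)"
    if harden_safari; then
        echo "after:  disabled"
    else
        echo "could not change the setting" >&2
    fi
fi
```

Quit Safari before running it so the application does not write its own copy of the preference back on exit.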
Secunia's alert does not mean there is some form of malware that is taking advantage of this potential exploit. Despite the proof-of-concept exploits that were discovered last week, there are still no known viruses for the Mac circulating on the Internet.