
[escepticos] **URGENT** Hole in Mac OS X



Hello:
A hole has just been discovered in Safari that could be dangerous (see http://secunia.com/advisories/18963/ or read below).

In short, we have to get used to following security practices, as suggested by the comments at <http://www.faq-mac.com/mt/archives/016080.php>, where this hole is also discussed. For example, routinely working with an unprivileged account, not trusting even your own father, etc.
        Regards

Copied from http://secunia.com/advisories/18963/
-----------------------------------------------

"Michael Lehn has discovered a vulnerability in Mac OS X, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the processing of file association meta data in ZIP archives (stored in the "__MACOSX" folder) and mail messages (defined via the AppleDouble MIME format). This can be exploited to trick users into executing a malicious shell script renamed to a safe file extension stored in a ZIP archive or in a mail attachment.

This can also be exploited automatically via the Safari browser when visiting a malicious web site.

Secunia has constructed a test, which can be used to check if your system is affected by this issue:
http://secunia.com/mac_os_x_command_execution_vulnerability_test/

The vulnerability has been confirmed on a fully patched system with Safari 2.0.3 (417.8), Mail 2.0.5 (746/746.2), and Mac OS X 10.4.5.

Solution:
Do not open files in archives or mail attachments originating from untrusted sources.

The vulnerability can be mitigated by disabling the "Open safe files after downloading" option in Safari."

--

------------------------
Mail Address: Xan Cainzos
             Dpto. Analise Matematica - Facultade de Matematicas
             Universidade de Santiago de Compostela
             15782 Santiago de Compostela
             SPAIN
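
A defensive check for the pattern the advisory describes, added here as an example; it is not part of the original message or of Secunia's advisory. It flags ZIP entries that have a safe-looking extension, begin with a script shebang, and have a companion AppleDouble file in the "__MACOSX" folder. The function names, the extension list and the sample archive are assumptions constructed for the example.

```python
import io
import posixpath
import zipfile

# Extensions treated as harmless here; this list is an assumption of the example.
SAFE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".mov", ".mp3", ".txt"}
APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"  # magic number that opens an AppleDouble file


def find_suspicious_entries(zip_bytes):
    """Names of safe-looking entries that start with '#!' and have a
    companion AppleDouble file under __MACOSX/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            if name.startswith("__MACOSX/") or name.endswith("/"):
                continue
            if posixpath.splitext(name)[1].lower() not in SAFE_EXTENSIONS:
                continue
            # Usual layout of the metadata: __MACOSX/<dir>/._<basename>
            directory, base = posixpath.split(name)
            sidecar = posixpath.join("__MACOSX", directory, "._" + base)
            if sidecar not in names:
                continue
            with zf.open(name) as fh:
                is_script = fh.read(2) == b"#!"
            with zf.open(sidecar) as fh:
                is_appledouble = fh.read(4) == APPLEDOUBLE_MAGIC
            if is_script and is_appledouble:
                findings.append(name)
    return findings


def build_sample_zip():
    """Constructed sample: inert files, sidecars hold only a zero-filled header."""
    sidecar = APPLEDOUBLE_MAGIC + b"\x00" * 22
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"#!/bin/sh\necho harmless test\n")
        zf.writestr("__MACOSX/._holiday.jpg", sidecar)
        zf.writestr("docs/notes.txt", b"plain text\n")
        zf.writestr("__MACOSX/docs/._notes.txt", sidecar)
        zf.writestr("pic.png", b"#!/bin/sh\n")  # shebang but no sidecar
        zf.writestr("run.sh", b"#!/bin/sh\n")   # honest script extension
    return buf.getvalue()


if __name__ == "__main__":
    print(find_suspicious_entries(build_sample_zip()))
```

The check only reads the first bytes of each entry and does not parse the metadata itself, so a hit means "inspect before opening", not a confirmed malicious file.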