Security experts say attackers could exploit a critical security hole in Apple Computer Inc.'s Mac OS X to execute arbitrary shell commands and compromise vulnerable machines. But there are defensive measures IT professionals can take until a patch becomes available.
Word of the flaw came just days after the operating system became the target of malicious code for the first time.
The French Security Incident Response Team (FrSIRT) said in an advisory that the flaw is due to a glitch in how the operating system processes specially crafted resource forks and HFS metadata stored in the "__MACOSX" folder in .zip archives. The security hole affects OS X 10.4.5 and earlier versions.
Attackers could exploit the flaw to execute arbitrary shell commands and compromise a vulnerable system by convincing a user to open a malicious e-mail attachment or visit a specially crafted Web page designed to automatically exploit the vulnerability through the Safari browser.
The new vulnerability isn't hard to exploit, said Johannes Ullrich, chief research officer for the Bethesda, Md.-based SANS Internet Storm Center (ISC). "The published [proof-of-concept code] will tell you anything you need to know," he said in an e-mail exchange Tuesday morning. "The vulnerability will work for shell scripts, which are very easy to write and can be used as 'wrappers' for other malware."
FrSIRT and Danish vulnerability clearinghouse Secunia said researcher Michael Lehn discovered the flaw. In an advisory, Secunia gave the flaw its most severe threat rating, extremely critical. The rating means the flaw is remotely exploitable, could lead to a system compromise and usually doesn't require any user interaction.
Secunia recommended IT administrators counter the threat by disabling the "Open safe files after downloading" option in Safari and by making sure users don't open .zip archives from untrusted sources.
"It is critical to disable 'Open safe files after downloading' in Safari," Ullrich said. "This will at least disable the automatic execution of code via Safari."
But that may not be enough to fully neutralize the threat. "Disabling the 'Open safe files after downloading' option will just prevent the auto-execution with Safari, not the underlying OS X issue with misinterpreting the zipped file," Ullrich added.
The flaw and last week's appearance of malcode targeting Mac OS X may be hard for some users to swallow, given that the operating system has long been considered a more secure alternative to Microsoft Windows.
But Graham Cluley, senior technology consultant for UK-based AV firm Sophos, said the Mac OS X threats shouldn't be blown out of proportion. Asked if the latest malcode could be tweaked to exploit this vulnerability, he said in an e-mail exchange, "I don't think yet that we're seeing the intensity of hacker activity on the Mac platform that would suggest that this is likely."
He added, "My feeling at the moment is that the Mac OS X malware we are seeing is being coded by a small number of individuals who are doing it as a proof-of-concept, an intellectual exercise if you like."
However, he added, "If more criminally-minded hackers are attracted to the platform, they may put more effort into abusing a vulnerability like this to spread malware" in the future.
Apple did not immediately return phone and e-mail requests for comment.