Mac OS X CoreTypes May Not Warn Users Before Opening Unsafe File Types
SecurityTracker Alert ID: 1021400|
SecurityTracker URL: http://securitytracker.com/id/1021400
(Links to External Site)
Date: Dec 15 2008
Modification of system information|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 10.5 - 10.5.5|
A vulnerability was reported in Mac OS X CoreTypes. A user may not be warned before opening certain unsafe file types.|
A remote user can create a specially crafted file type that, when downloaded by the target user, will cause the system to fail to warn the user of the potentially unsafe file type.
Content types that have executable permissions but no specific application association are affected.
Systems prior to Mac OS X v10.5 are not affected.
A user may not be warned before opening certain unsafe file types.|
Apple has issued a fix as part of Security Update 2008-008 and Mac OS X v10.5.6, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:|
The Software Update utility will present the update that applies to your system configuration. Only one is needed, either Security Update 2008-008 or Mac OS X v10.5.6.
For Mac OS X v10.5.5
The download file is named: "MacOSXUpd10.5.6.dmg"
Its SHA-1 digest is: 684f67524a92b4314a4bdd52498fb3b6af8f9ded
For Mac OS X v10.5 - v10.5.4
The download file is named: "MacOSXUpdCombo10.5.6.dmg"
Its SHA-1 digest is: 09de4ac2c5591ab75d51ef37dc70f9e5630150d4
For Mac OS X Server v10.5.5
The download file is named: "MacOSXServerUpd10.5.6.dmg"
Its SHA-1 digest is: bd14ab94b9bcc896da1613ac761171b54286bcac
For Mac OS X Server v10.5 - v10.5.4
The download file is named: "MacOSXServerUpdCombo10.5.6.dmg"
Its SHA-1 digest is: e20d8d458be3ec51b0083ff823ce27def00dbca7
For Mac OS X v10.4.11 (Intel)
The download file is named: "SecUpd2008-008Intel.dmg"
Its SHA-1 digest is: 651e592fad1bd158a76459a81d2ebede1f3bedea
For Mac OS X v10.4.11 (PowerPC)
The download file is named: "SecUpd2008-008PPC.dmg"
Its SHA-1 digest is: 9bb2aa7fcc924715b6442e808fc778789f359906
For Mac OS X Server v10.4.11 (Universal)
The download file is named: "SecUpdSrvr2008-008Univ.dmg"
Its SHA-1 digest is: 21702064037150cdeb9d708304ee91eb254c7371
For Mac OS X Server v10.4.11 (PowerPC)
The download file is named: "SecUpdSrvr2008-008PPC.dmg"
Its SHA-1 digest is: d0e4720051ea27b8edf0ab2a124d6e9f0e16534c
The vendor's advisory is available at:
Vendor URL: support.apple.com/kb/HT3338 (Links to External Site)
Source Message Contents
Date: Mon, 15 Dec 2008 13:34:02 -0500|
Subject: Mac OS X
APPLE-SA-2008-12-15 Security Update 2008-008 / Mac OS X v10.5.6
Available for: Mac OS X v10.5 through v10.5.5,
Mac OS X Server v10.5 through v10.5.5
Impact: Attempting to launch unsafe downloaded content may not lead
to a warning
Description: Mac OS X provides the Download Validation capability to
indicate potentially unsafe files. Applications such as Safari and
others use Download Validation to help warn users prior to launching
files marked as potentially unsafe. This update adds to the list of
potentially unsafe types. It adds the content type for files that
have executable permissions and no specific application association.
These files are potentially unsafe as they will launch in Terminal
and their content will be executed as commands. While these files are
not automatically launched, if manually opened they could lead to the
execution of arbitrary code. This issue does not affect systems prior
to Mac OS X v10.5.