Safari has an option to open “safe” (their quotes) files after downloading. It is turned on by default, so once a download completes, any file Safari deems “safe” is opened automatically without the user doing anything.
In the case of archives, this appears to include unpacking the archive, re-assembling each file from its data fork and its resource fork (in a ZIP these travel as the __MACOSX/._name entries), and then performing whatever default action the resource fork specifies. If the resource fork binds the file to a particular application, that application is launched on it, regardless of what the file’s name or extension suggests it is.
There really isn’t much to analyse about this part of the problem: Safari is doing what it is told, by design. Arguably the design is rather poor, but from a programmer’s perspective this part of the system is in no way broken.
I’d certainly suggest that this is an unsafe choice of default setting, however!
Lessons learnt – Are ZIP files safe to be opened automatically after download? Are ANY files safe these days? This option should be off by default. You can turn it off on your Mac right now: in Safari’s Preferences, on the General tab, untick “Open ‘safe’ files after downloading” [screenshot]
When an archive is opened, especially by another application such as a web browser, the files it contains should NEVER be executed automatically.
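The mechanism above can be checked for before anything is opened: the resource fork that rides along in the archive is what turns an innocuous-looking file into something that launches an application. The following is an added example written for this post, not code from the original article. It parses the AppleDouble (__MACOSX/._name) entries of a ZIP, walks the resource fork’s type list, and flags any member whose companion carries a ‘usro’ resource (the application binding) or whose contents start with a shebang while its extension says “picture” or “document”. The sample archive it audits is constructed inline; the body of the ‘usro’ resource is filled with an assumed application path, and only the resource type, not the body layout, is relied on.

```python
import io
import struct
import zipfile

APPLEDOUBLE_MAGIC = 0x00051607
APPLEDOUBLE_V2 = 0x00020000
ENTRY_RESOURCE_FORK = 2
# Extensions a user expects to be inert when a browser auto-opens them.
PASSIVE_EXTS = (".jpg", ".jpeg", ".gif", ".png", ".pdf", ".txt", ".mov")


def appledouble_resource_fork(blob):
    """Return the resource fork held in an AppleDouble container (a __MACOSX/._name entry), or None."""
    if len(blob) < 26:
        return None
    magic, _version, count = struct.unpack_from(">II16xH", blob, 0)
    if magic != APPLEDOUBLE_MAGIC:
        return None
    for i in range(count):  # each entry descriptor: 4-byte id, 4-byte offset, 4-byte length
        entry_id, offset, length = struct.unpack_from(">III", blob, 26 + 12 * i)
        if entry_id == ENTRY_RESOURCE_FORK:
            return blob[offset:offset + length]
    return None


def resource_types(rsrc):
    """Walk a resource fork's type list and return the set of four-character types it declares."""
    if len(rsrc) < 16:
        return set()
    _data_off, map_off, _data_len, _map_len = struct.unpack_from(">IIII", rsrc, 0)
    if map_off + 28 > len(rsrc):
        return set()
    # Resource map: 16-byte header copy, 4-byte handle, 2-byte file ref, 2-byte attrs,
    # then the 2-byte offsets (from the map start) of the type list and the name list.
    type_list_off = struct.unpack_from(">H", rsrc, map_off + 24)[0]
    tl = map_off + type_list_off
    count = struct.unpack_from(">h", rsrc, tl)[0] + 1   # stored as (number of types - 1)
    types = set()
    for i in range(count):
        pos = tl + 2 + 8 * i                              # 4-byte type, 2-byte count-1, 2-byte ref-list offset
        types.add(rsrc[pos:pos + 4].decode("latin-1"))
    return types


def audit_archive(zip_bytes):
    """Return (member, reason) pairs for members that would misbehave if auto-opened."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            if name.startswith("__MACOSX/") or name.endswith("/"):
                continue
            directory, _, base = name.rpartition("/")
            companion = "__MACOSX/" + (directory + "/" if directory else "") + "._" + base
            if companion in names:
                rsrc = appledouble_resource_fork(zf.read(companion))
                if rsrc and "usro" in resource_types(rsrc):
                    findings.append((name, "resource fork binds the file to an application (usro resource)"))
            if zf.read(name).startswith(b"#!") and name.lower().endswith(PASSIVE_EXTS):
                findings.append((name, "shebang script behind a passive-looking extension"))
    return findings


def make_resource_fork(resources):
    """Build a minimal resource fork with one resource per given type (constructed test data)."""
    data, type_list, ref_lists = b"", struct.pack(">h", len(resources) - 1), b""
    first_ref = 2 + 8 * len(resources)                    # ref lists start right after the type list
    for rtype, body in resources.items():
        type_list += rtype + struct.pack(">hH", 0, first_ref + len(ref_lists))
        # ref entry: 2-byte id, 2-byte name offset (none), 1-byte attrs, 3-byte data offset, 4-byte handle
        ref_lists += struct.pack(">HH", 128, 0xFFFF) + b"\x00" + len(data).to_bytes(3, "big") + b"\x00" * 4
        data += struct.pack(">I", len(body)) + body
    rest = struct.pack(">IHHHH", 0, 0, 0, 28, 28 + len(type_list) + len(ref_lists)) + type_list + ref_lists
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), 16 + len(rest))
    return header + b"\x00" * 240 + data + header + rest


def make_appledouble(rsrc):
    """Wrap a resource fork in an AppleDouble v2 header with a single resource-fork entry (constructed)."""
    header = struct.pack(">II", APPLEDOUBLE_MAGIC, APPLEDOUBLE_V2) + b"Mac OS X".ljust(16)
    return header + struct.pack(">H", 1) + struct.pack(">III", ENTRY_RESOURCE_FORK, 38, len(rsrc)) + rsrc


def sample_archive():
    """Constructed ZIP: a shell script named like a photo, with a companion entry carrying a 'usro'
    resource, plus an innocent text file. The usro body below is an assumed application path."""
    rsrc = make_resource_fork({b"usro": b"/Applications/Utilities/Terminal.app"})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"#!/bin/sh\necho 'Hello World'\n")
        zf.writestr("__MACOSX/._holiday.jpg", make_appledouble(rsrc))
        zf.writestr("readme.txt", b"Nothing to see here.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in audit_archive(sample_archive()):
        print(f"{member}: {reason}")
```

Either check on its own is worth acting on: a ‘usro’ binding on a file that is not an application document is exactly the trick described above, and a shebang behind a .jpg has no honest explanation. A browser or mail client that wanted to keep an “open after download” feature would need to refuse, or at least prompt on, both.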
Threats from this “attack”.
The current “Proof of Concept” script runs a simple “Hello World” statement. This “exploit” runs a shell script in the context of the currently logged-in user, which is analogous to a Windows user running a batch file: it can do whatever the user can do and no more. Hopefully you don’t run as an administrator; even if you do, a Mac administrator account is not root, and anything that needs root still has to ask for your password, so this isn’t as bad as it could have been.
Of course, being able to run as the user is ample for a script to trash that user’s data. It could also install a Trojan into the account, provided the Trojan doesn’t need admin rights to install its hooks (a per-user Login Item, for instance, needs none; see companion virus).
Maybe this exploit can’t compromise the underlying OS from a normal user account, but it doesn’t have to touch the OS to break a lot of hearts.