Possible Safari 4.0.3 issue

I'm getting strange Desktop-1-1 downloads today when I visited this web site:

http://deals.venturebeat.com/2009/08/13/pacific-biosciences-takes-68m-as-genome- sequencing-becomes-more-competitive/

a) Starts downloading files
b) Creates files and directories in my home directory

ibook g4/933 PPC Tiger 10.4.11 / Safari 4.03

Freaked me out. I shouldn't be happening.

Greetngs,

There's no malicious content in those emails; remember, there are no viruses for Mac OS X.

Why don't you try this:

1. Quit Safari.
2. Go to Home/Library/Preferences and delete the com.apple.Safari.plist file.
3. Restart Safari and setup your preferences again, then check to see if the problem is still there.

Post back with results.

You may have acquired a Trojan and/or tracker cookie.

SecureMac has introduced a free Trojan Detection Tool for Mac OS X. It's available here:

http://macscan.securemac.com/

The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X and allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.

(Note that a 30 day trial version of MacScan can be downloaded free of charge from:

http://macscan.securemac.com/buy/

and this can perform a complete scan of your entire hard disk. After 30 days free trial the cost is $29.99. The full version permits you to scan selected files and folders only, as well as the entire hard disk. It will detect (and delete if you ask it to) all 'tracker cookies' that switch you to web sites you did not want to go to.)

@mcpheed: You should start your own topic with the specific details of your problem. It's very difficult for anyone to try to deal with multiple topics in the same thread.

Since I've tested the web site you linked to and got no such behavior, I would have to surmise that your issue is the result of JavaScript. If you disable JavaScript in Preferences>Advanced or install click2flash 1.5b4, you shouldn't have that problem.

Problem:
The mysterious Desktop-1,2,3 files appear in my home directory. It happens on both PPC macs.

Setup Safari my tests:

Safari: Empty Cache, Clear History, Remove all cookies (you may not want to delete your cookies)
Quit Safari
rm ~/Library/Preferences/com.apple.Safari.plist

Start Safari
Uncheck "Block Pop-Up Windows"

Preferences:
Uncheck Open "safe" files after downloading (General tab)
Uncheck "Enable Java" (Security tab)

Enter URL
http://deals.venturebeat.com/2009/08/13/pacific-biosciences-takes-68m-as-genome- sequencing-becomes-more-competitive/

Wait about 30+ seconds for files to appear

Check home directory for new directories

Results:

Apple Safari Download Window, I see three entries:
Desktop-1-1
Cannot move file

Desktop-2-1
Cannot move file

Desktop-3-1
Cannot move file

In my home directory, I see these files
-rwx------ 1 mobius mobius 0 Aug 13 17:44 Desktop-1-1
drwxr-xr-x 2 mobius mobius 68 Aug 13 17:44 Desktop-1
-rwx------ 1 mobius mobius 0 Aug 13 17:44 Desktop-2-1
drwxr-xr-x 2 mobius mobius 68 Aug 13 17:44 Desktop-2
-rwx------ 1 mobius mobius 0 Aug 13 17:44 Desktop-3-1
drwxr-xr-x 2 mobius mobius 68 Aug 13 17:44 Desktop-3

NOTE: The directories are empty.

Summary:
I can reproduce the same files and action with two different macs.
When I uncheck "Enable Javascript", I do NOT see errors. The web page is missing portions.
Using Firefox and Opera and opening the error console I see a tons of errors. I know not Javascript.

In many years of using Safari, I've never experienced this odd behavior. I'm guessing this should never happen. Me thinks there is a bug in 4.03

I have faith in Apple. I do, I do....

Computers:
ibook g4/933 Tiger 10.4.11 / Safari 4.03
Powermac g4/733 Tiger 10.4.11 / Safari 4.03

As I said, those downloads of empty folders are spawned by JavaScript; turn it off or install click2flash and it doesn't happen. It's not a bug in Safari.

Thank you.

Hmmm, that's interesting. This was my first visit to this particular web site. I'd never experienced any web site writing files to my home directory. Must be poorly written javascript?

I found files and directories. Simplistic question:
Could a malicious web site allow a hacker to fill up my home directory?

I shall sleep better knowing that my ibook remains oblivious to darker forces.

Cheers

Could a malicious web site allow a hacker to fill up my home directory?

Potentially, yes. But there are very, very few of those, and it would still need to be authorized by you before it could install anything. The worst it could do is put a file or folder on your system; it can't launch any software, and there are no viruses for Mac OS X.

Beginning on 8/11, subsequent to the Safari 4.0.3 update, the downloads box popped up showing a download as I visited my RoadRunner Web Mail login page, https://webmail.roadrunner.com. This happened around 11:30 PM. Two new entries showed up on the Macintosh HD in the Users folder. They were, Destop-1, a folder and Desktop-1-1, a document containing 0 bytes. I closed the RoadRunner Web Mail login page and reopened it and then two more entries appeared on the Macintosh HD in Users folder, Desktop-2 and Desktop-2-1-1. After that no more entries appeared when I closed and reopened the RoadRunner Web Mail login page. I deleted the files. Again on 8/12 and 8/13 the same downloads happened as I visited the RoadRunner Web Mail login page after 11:20 PM. They did not happen before then, so whatever is happening is time dependent. Both times I used Get Info and Grab to print the file information before deleting the files. Spotlight listed the info for the downloaded folder, Desktop-1, as: Where from: https://ads.traffiq.com/AdServer/Impressions/tcount.... The whole listing is very long. These downloads have also occurred on my wife's IMac after visiting the RoadRunner Web Mail login page later than 11:20 PM. I notified Roadrunner technical support about the occurrences -- they think the downloads are an issue with Safari 4.0.3 and asked me to check with Apple.

Repeat after me: This is not an issue with Safari; it is an issue with the web site and their serving of ads using JavaScript. Turn off JavaScript or install click2flash as I posted earlier to prevent this.

I don't know if this is Safari, or Java, but I had the same thing happen to me on USA Today's site. The ad kept downloading these 0K files into my users folder. No password asked for, and I let it go for a little bit to watch what happened, and Safari crashed after the 6th one.

Installing click2flash didn't solve the problem. When I went to Yahoo! mail it downloaded the same folder as has been mentioned.

Turning off Javascript isn't really an option for using Yahoo! mail.

Any other suggestions?

Thanks.

I am not sure, but it seems like several are having the same issue. My gut (and that is all) says that something has changed in the Safari update with Java compatibility. I searched out this topic because I was concerned it was some new type of malware when it happened to me, but I am less concerned about that now. I would just keep reporting the problem and hopefully it will be dealt with soon.

I deal with malware on a daily basis fixing Windows machines and this had me concerned for a minute because it had similar characteristics, and even more so when it crashed my Safari. But it didn't try to install anything, just download a file (over and over). It may be a attempt at a drive-by install for windows malware, but I can't say for sure since the file is 0K. I purposely take my Mac to sites that have given a Windows bug, and my Mac will show the attempted download which has given me clues several times of what bug the Windows machine has since Mac always warns you before downloading a executable file. That did NOT happen on the USA Today news site, just downloaded a file called Desktop-1-1 and so on.

The only fix I would know of it install an older version of Safari and see if that fixes it, but I would go back as soon as I could, because the last update closed several holes.