Anyone know of a way to disable the "Open safe files after downloading" option in Safari from the command line?
13 replies
It is not really a Safari problem; it is more serious, it seems to be an OS X problem. Unless Safari opens downloaded code, you can do it and have the same issue.
It is really bad news, hope Apple will patch the system very soon.
Hi Trent and fr-jeff, Welcome to Apple's Users Help Users Forums.
No JPG or other "safe" download should be asking for Admin Permission cuz it's an application. Do Not Grant Permission.
Safari > Preferences > General > Turn Off "Open safe files after downloading"
seems to be SOP by the Gurus at BroadBandReports > All Things Mac
My Best, JP
In addition to JP's advice, move Terminal out of the /Utilities/ folder.
This will prevent automatic execution. You'll still have to use the Finder's Get Info window to verify the integrity of the file BEFORE opening it.
-Ryan
Well, I'm disappointed in the responses here. I manage many Macs and I need a command line solution. Renaming the Terminal isn't a good solution in my opinion. The defaults command won't seem to write to the preference file as is, so I guess I have no other option than to script plutil to convert the prefs file, edit it, and then convert it back. What a PITA, Apple!
Do your users need to be able to use Terminal?
Our users have no user rights for Terminal and so we don't seem to have a problem. (Secunia test: Calculator doesn't open as Terminal doesn't open.)
We will test further as it is worrying (our users will open anything without a care in the world!).
eMac Mac OS X (10.4.5)
Yes you can change it from the command line as follows:
defaults write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool FALSE
iMac G5 20" Mac OS X (10.4.5)
Setting Safari not to open them is only part of the solution.
If Terminal app is still in place then an email or website with the .zip file can be unzipped & the tempting-looking jpg or mov will still be able to use Terminal.
For example - a website might show a jpeg or movie & invite the user to click here for the high res version; user gets a zipped download appear, with the right sounding name - unzips the file, sees the jpeg or movie named xxx-high res & opens it. Whammo.
Same deal with email really.
The defaults write command doesn't work for me. No errors, but the checkbox never gets unchecked in the Safari prefs. I ended up writing a script that uses plutil to convert back and forth with an edit in between, and this does work.
Sorry that didn't work. I used it both at home on my personal machines and at work on network mounted homes for over 150 users and it worked flawlessly. For reference, in all cases the machine running the defaults command was 10.4.5 and the clients attaching to the network homes range from 10.2 to 10.4.
In addition to JP's advice, move Terminal out of the
/Utilities/ folder.
This will prevent automatic execution. You'll still
have to use the Finder's Get Info window to verify
the integrity of the file BEFORE opening it.
Do not forget X11.
If you have X11 installed at the standard location /Applications/Utilities, you might want to rename or move this also. I set up an example exploit which opens the Stickies application via X11 when you think you are double clicking onto a .pdf file
http://www.surtec.com/~rj/Finder-X11-Exploit.html
I played with it some more and the defaults command will work on my personal pref file if I give the command as my user account. If I do it as root I get nothing (when specifying the complete path to the pref file minus the .plist extension). When I use Apple Remote Desktop to send this command to Macs on the network I obviously want to send it only once, and for that to work on multiuser systems I have to do it as root. When I deployed my shell script using plutil I did it all as root and it worked on the client machines. Am I still missing something?
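One way to send the setting once as root on a multiuser Mac, as discussed in the posts above: loop over the home folders and run the thread's defaults command as each folder's owner. This is an added example, not a script from any poster; the /Users layout, the function names, the DRY_RUN switch and the --apply argument are assumptions.

```shell
#!/bin/sh
# Added example: apply the thread's defaults command to every local account
# from a single root-run script (e.g. one sent with Apple Remote Desktop).
# Assumptions, not from the thread: homes live under /Users, each home is
# owned by its user, and DRY_RUN plus the function names are made up here.

KEY="AutoOpenSafeDownloads"
DOMAIN_REL="Library/Preferences/com.apple.Safari"   # path minus .plist

# Print the account that owns a directory (third field of `ls -ld`).
home_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# Turn the preference off for one home directory. The write is executed as
# the home's owner, so the plist keeps that user's ownership and the command
# runs in that user's context rather than root's.
disable_auto_open() {
    home="$1"
    # Skip folders with no Library/Preferences (not a user home).
    [ -d "$home/Library/Preferences" ] || return 0
    owner=$(home_owner "$home")
    [ -n "$owner" ] || return 1
    set -- sudo -u "$owner" defaults write "$home/$DOMAIN_REL" "$KEY" -bool FALSE
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"        # show what would run, change nothing
    else
        "$@"
    fi
}

# Walk every home under the given root (default /Users).
disable_for_all_homes() {
    root="${1:-/Users}"
    for h in "$root"/*; do
        [ -d "$h" ] || continue
        disable_auto_open "$h"
    done
}

# Do nothing unless explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "--apply" ]; then
    disable_for_all_homes /Users
fi
```

Running it with DRY_RUN=1 and --apply first prints the per-user commands without changing any preference file.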
I performed the "move Terminal out of Utilities and into Applications" operation last night, and as warned elsewhere it had unintended consequences. Moving Terminal did prevent the exploit from executing, BUT, when I tried to open Appleworks, I was prompted to open a recently created password protected sparse image. After providing the password, the disk image mounted and Appleworks shut down. Moving the Terminal application back into Utilities (and logging out-logging in) fixed the problem.
So, beware when moving the Terminal application around.
command line fix for Safari security issue?