[Am-info] First "auto-download" vulnerability in OS X

Sujal Shah sujal@sujal.net
28 Feb 2002 09:49:55 -0500


http://online.securityfocus.com/archive/1/258638

Found via /. ( http://slashdot.org/article.pl?sid=02/02/28/0343241 ).

Short version, turn off autoplay in QT prefs.  Seems like IE and some
other browsers are too eager to automatically download .sit (StuffIt
archives) files and run them.  I think this basically has to do with a
cracker taking advantage of the .dmg file convention in Mac OS to fool
QT into running stuff.

Of note:  the only browser that is central to all the vulnerabilities is
IE, and Netscape/Mozilla are the only ones that across the board offer a
dialog before actually doing the download (though they can still be a
channel if the user tells Mozilla to always download .sit files without
asking, I would think).

Sujal