Security Bulletin MS01-53!

Published by

Title: Downloaded Applications Can Execute on Mac IE 5.1 for OS X
Date: 23 October 2001
Software: Internet Explorer 5.1 for Macintosh
Impact: Run code of attacker's choice

If this affects you, read more!

Issue: The Macintosh OS X Operating System provides built-in support for both BinHex and MacBinary file types. These file types allow for the efficient transfer of information across networks by allowing information to be compressed by the sender and then decompressed by the recipient. This capability is particularly useful on the Internet, where it allows users to download compressed files.

A vulnerability results because of a flaw in the way Mac OS X and Mac IE 5.1 interoperate when BinHex and MacBinary file types are downloaded. As a result, an application that is downloaded in either of these formats can execute automatically once the download is complete. A user would first have to choose to download a file and allow the download to fully complete before the application could execute. Also, users can choose to disable the automatic decoding of both these file types.

Mitigating Factors:
- The user would have to choose to download the application before any attempt could be made to exploit the vulnerability. It cannot be exploited without user interaction.
- The application would have to successfully download before any attempt could be made to exploit the vulnerability. The user can cancel the download at any time prior to completion.
- The vulnerability could not be exploited if automatic decoding of BinHex and MacBinary files has been disabled. This is not a default setting, however.

Patch Availability:
- A patch is available to fix this vulnerability. Please read the Security Bulletin at Microsoft Technet for information on obtaining this patch.
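
For systems where automatic decoding stays enabled, a download screen at a proxy or on the download folder can flag files wrapped in the two formats named above so that wrapped applications are held for review. The following is an added example, not part of the bulletin or of any Microsoft or Apple code; the function names are hypothetical, and the header offsets and the 'APPL' type code follow the published MacBinary layout, taken here as assumptions.

```python
import binascii
import struct

BINHEX_BANNER = b"(This file must be converted with BinHex"

def classify_download(data: bytes):
    """Describe a BinHex or MacBinary wrapper around a download, else None."""
    # BinHex 4.0 is text; its banner line can follow a few preamble lines.
    if BINHEX_BANNER in data[:4096]:
        return {"format": "BinHex", "name": None, "type": None,
                "is_application": None, "crc_ok": None}
    if len(data) < 128:
        return None
    hdr = data[:128]
    # MacBinary header: bytes 0, 74 and 82 are zero, name length is 1..63.
    if hdr[0] or hdr[74] or hdr[82] or not 1 <= hdr[1] <= 63:
        return None
    data_len, rsrc_len = struct.unpack(">II", hdr[83:91])
    padded = lambda n: (n + 127) & ~127      # forks are padded to 128 bytes
    if 128 + padded(data_len) + padded(rsrc_len) > len(data):
        return None                          # fork lengths exceed the file
    # MacBinary II and later store a CRC-16 of bytes 0..123 at offset 124.
    crc_ok = struct.unpack(">H", hdr[124:126])[0] == binascii.crc_hqx(hdr[:124], 0)
    ftype = hdr[65:69].decode("mac_roman")
    return {"format": "MacBinary",
            "name": hdr[2:2 + hdr[1]].decode("mac_roman"),
            "type": ftype,
            "is_application": ftype == "APPL",   # 'APPL' = application type code
            "crc_ok": crc_ok}

def constructed_macbinary(name: bytes, ftype: bytes) -> bytes:
    """Build a header-only MacBinary II sample (constructed test data)."""
    hdr = bytearray(128)
    hdr[1] = len(name)
    hdr[2:2 + len(name)] = name
    hdr[65:69] = ftype
    hdr[69:73] = b"????"                     # creator code, placeholder
    hdr[122] = hdr[123] = 129                # MacBinary II version fields
    hdr[124:126] = struct.pack(">H", binascii.crc_hqx(bytes(hdr[:124]), 0))
    return bytes(hdr)

if __name__ == "__main__":
    for label, blob in [("app", constructed_macbinary(b"Sample App", b"APPL")),
                        ("text", constructed_macbinary(b"Notes", b"TEXT")),
                        ("hqx", b"(This file must be converted with BinHex 4.0)\n:"),
                        ("other", b"%PDF-1.4\n" + b"\x00" * 200)]:
        print(label, classify_download(blob))
```

A result with `crc_ok` false can still be an original MacBinary file, which carries no header CRC, so treat the structural match as a hint and the CRC match as confirmation.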