Overview
The "Show in Finder" option in Safari on Mac OS X may automatically open and execute downloaded files. This could allow an attacker to execute arbitrary code.
Description
Safari is the default web browser for Mac OS X. Safari has a "Show in Finder" option to allow users to automatically reveal the location of downloaded files in a Finder (the default OS X file browser) window. This feature is flawed as Finder may attempt to automatically open and execute certain types of files when the location is revealed.
Impact
An attacker may be able to execute arbitrary code since certain files may automatically open without verification of their contents.
Solution
Apple has released a security update labeled APPLE-SA-2004-06-07 to address this issue. Information regarding the update can be found at http://docs.info.apple.com/article.html?artnum=25785.
Acknowledgements
This vulnerability was publicly reported by Apple Product Security.
This document was written by Jeff Gennari.
Other Information
CVE IDs: CVE-2004-0539
Severity Metric: 0.27
Date Public: 2004-06-07
Date First Published: 2004-08-24
Date Last Updated: 2004-09-07 20:06 UTC
Document Revision: 121