Intrusion Prevention

Apple.Mail.X.Unix.Mode.Executable.Mail.Attachment

Description

This indicates an attempt to exploit an Arbitrary Command Execution vulnerability in Mac OS X.
The "Open 'safe' files after downloading" option in Safari on Apple Mac OS X allows remote attackers to execute arbitrary commands. This can be done by tricking a user into downloading a "__MACOSX" folder that contains metadata (a resource fork) that invokes the terminal. The terminal automatically interprets the associated script using the "bash" shell. For example, if a ZIP file that contains a script with a safe file extension is downloaded, the script will be executed. The script commands are executed in the context of the user opening the archive file.
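
A triage check for the archive layout described above, as an added example that is not part of the original advisory or of any vendor signature: it flags ZIP members whose "safe" extension does not match their leading bytes and that ship with a `__MACOSX/._<name>` AppleDouble companion declaring a resource fork. The extension table, the function names and the sample archive are constructed assumptions, and a hit is a reason to inspect the file, not a verdict.

```python
import io, os, struct, zipfile

APPLEDOUBLE_MAGIC = 0x00051607   # AppleDouble header magic
RESOURCE_FORK_ID = 2             # AppleDouble entry ID of the resource fork
# Assumption: small illustrative set of "safe" types and their leading bytes.
EXPECTED_MAGIC = {".jpg": b"\xff\xd8\xff", ".gif": b"GIF8", ".png": b"\x89PNG", ".pdf": b"%PDF"}

def resource_fork_len(blob):
    """Return the resource-fork length declared in an AppleDouble blob, else 0."""
    if len(blob) < 26 or struct.unpack(">I", blob[:4])[0] != APPLEDOUBLE_MAGIC:
        return 0
    (count,) = struct.unpack(">H", blob[24:26])
    for i in range(count):
        desc = blob[26 + 12 * i: 38 + 12 * i]
        if len(desc) < 12:
            break                # truncated descriptor table
        entry_id, _offset, length = struct.unpack(">III", desc)
        if entry_id == RESOURCE_FORK_ID:
            return length
    return 0

def scan_zip(data):
    """List members with a safe extension, mismatched content and a resource-fork companion."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for name in names:
            magic = EXPECTED_MAGIC.get(os.path.splitext(name)[1].lower())
            if magic is None or name.startswith("__MACOSX/"):
                continue
            head, _, base = name.rpartition("/")
            companion = "__MACOSX/" + (head + "/" if head else "") + "._" + base
            if companion in names and resource_fork_len(zf.read(companion)) > 0:
                with zf.open(name) as fh:
                    if not fh.read(len(magic)).startswith(magic):
                        findings.append(name)
    return sorted(findings)

def build_sample():
    """Constructed archive: a text file named .jpg and a genuine PNG header."""
    ad = struct.pack(">II16sH", APPLEDOUBLE_MAGIC, 0x00020000, b"", 1)
    ad += struct.pack(">III", RESOURCE_FORK_ID, 38, 4) + b"\x00" * 4  # placeholder fork
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in (("holiday.jpg", b"echo constructed sample\n"),
                           ("real.png", b"\x89PNG\r\n\x1a\n")):
            zf.writestr(name, body)
            zf.writestr("__MACOSX/._" + name, ad)
    return buf.getvalue()
```

`scan_zip(build_sample())` reports only `holiday.jpg`; `real.png` also has a companion but its content matches its extension.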

Affected Products

Apple Mac OS X Server 10.4.5
Apple Mac OS X Server 10.3.9
Apple Mac OS X 10.4.5
Apple Mac OS X 10.3.9

Impact

System Compromise: Remote attackers can gain control of vulnerable systems.

Recommended Actions

Apple has released security advisories APPLE-SA-2006-03-01 and APPLE-SA-2006-03-13 to address this issue.

CVE References

CVE-2006-0848