Mac flaw puts Safari surfers at risk

TalkBack 34 of 42:: Next »; « Previous

Thread View
Flat View

A bit more complicated: If something has jpg as an extension, a double click of it will attempt to open it in Preview. Preview gives you a dialog saying file format not recognized. If the permissions have been set to executable (which doesn't happen automatically) then a "jpg" might be openable from a shell, but only by invoking it with an explicit path or if it has been placed in a path directory, generally /usr/bin and /bin by default. (Note it will take an administrator to drop the executable into one of those directories.)

Just did a quick and dirty test, first using a simple Scheme program: (begin (display "Test execute")(newline)) and DrScheme to compile. The executable was a directory of resources, which is the Mac approach. Attempting to rename it Test.jpg resulted in a directory called Test.jpg.app. Renaming it via mv Test.app Test.jpg did change its icon, but, again, double clicking started Preview which wouldn't open it. Not a conclusive test, though.

So let's write a simple C program:
#include
int main()
{
printf "Hello executable.\n";
return 0;
}

and compile: >gcc -o Test.jpg Test.c

Sure enough Test.jpg has an icon which suggests it is a jpg. Double click it and Preview tells you about a bad file format. Go to the command line and type ./Test.jpg and -bang-o- there's "Hello executable." But "open Test.jpg" again fails, because Preview is chosen. Changing its name to Test will cause the icon to change to the unix script/executable icon. Double clicking opens Terminal and executes. Since I had compiled it, it came in "hot", that is with the executable permission was set. Files without executable permissions will not run. Downloaded items require the user to set the executable permission.

The basic point is true: an extension provides the first hint to the os as to what should open it.

What's the lesson, if any? Mister or Madam User, whatever you are using, disable automatic opening of safe files in your browser. No, do it now, if you haven't done it already. And, if it were up to me extensions would never be hidden. The icon <== extension OS X change in functionality was a nod to interoperating with Windows; I'm not crazy about it, but what you gonna do? (It's also an issue for Windows users, test changing the extension and see what happens -- at least, when you drop the extension from a Mac file the os still knows what application created it, in Windows the file becomes inert, which is arguably more secure, but at the cost of convenience and user confusion. How many Apple users have had to put up with a "I can't open the file you sent me" when all that was needed was adding .pdf to the file name? At least one.) Finally, do not download from the web while running in an administrator account.

(And, Uncle Buck, take a Windows with default settings, create a file called myphoto.jpg.exe and think about implications when considering all the people who only know about security that jpgs are safe to open. I know, I'm an Apple user and I'm am nowhere near invulnerable. I thank you for your concern, but a month of Apple bugs notwithstanding, by my reckoning, I'm still better off than with Windows.); Posted by: DannyO_0x98 Posted on: 01/13/07 You are currently: a Guest | Members login | Terms of Use