Right. What I'm saying is that if you had that enabled and visited a
malicious site with something like a metarefresh hosting a small .dmg file
you could be exploited before you know what's going on. It'd be a bit more
like a "drive by download". In that sort of case a novice user might be
less likely to realize that something bad just happened and chalk the
reboot up to a random occurrence.
You're definitely correct that the Safari thing is more of a mitigation
than anything and this needs to be fixed properly.
Marc Fossi
Symantec Corp.
www.symantec.com
On Tue, 21 Nov 2006, Roland Dobbins wrote:
>
> On Nov 21, 2006, at 1:08 PM, mfossi (at) securityfocus (dot) com [email concealed] wrote:
>
>> Yes, it's just that if 'Open "safe" files after downloading' is enabled it
>> would be slightly more automatic. While not likely to make a difference to
>> advanced users, it would probably make it easier for novice users to be
>> exploited.
>
> I understand what you're saying, but I don't think it makes a difference.
> Ordinary users often download .dmg files to their desktops and then just
> click on them.
>
> The real fix is to alter the way OSX handles the mounting of .dmg filesystems
> (I wonder if this same class of issues exists in OSX when mounting other
> types of filesystems?). The Safari thing is a band-aid/distraction which
> actually promotes a false sense of security, IMHO.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins (at) cisco (dot) com [email concealed]> // 408.527.6376 voice
>
> All battles are perpetual.
>
> -- Milton Friedman
>
>
>