More Mac malware: Two OS X vulnerabilities detected

Macworld - Apple users acustomed over the years to their preferred operating system's "virus-free" reputation find themselves in unfamiliar territory, as the second and third vulnerabilities in OS X have been announced.
A new security vulnerability in Safari has been identified by security experts at Secunia. The company -- which rates the flaw as "extremely critical" -- says that the vulnerability was discovered by a source outside the company, Michael Lehn. It can be exploited by malicious people to compromise a user's system, it warns.
The vulnerability is caused by an error in the processing of file association metadata (stored in the "__MACOSX" folder) in ZIP archives.
"This can be exploited to trick users into executing a malicious shell script renamed to a safe file extension stored in a ZIP archive," Secunia warns.
It can also be exploited automatically by Safari when visiting a malicious Web site. The company has released a test users can run to check whether their systems have been affected.
The vulnerability has been confirmed on an up-to-date system running Safari 2.0.3 (417.8) and Mac OS X 10.4.5. Users can mitigate the threat by disabling the "Open safe files after downloading" option in Safari.
Meanwhile, another piece of Mac OS X malware posing a more limited threat has also emerged this week. Security software maker F-Secure Corp. describes Inqtana.A as a Java-based "proof of concept" worm that exploits a vulnerability in Bluetooth on some Macs that haven't been updated with Panther and Tiger security patches.
The chances of Mac users actually being affected by Inqtana.A are remote, however -- even F-Secure notes that it hasn't seen the worm "in the wild." What's more, Inqtana.A has an internal counter that prevents its operation after Feb. 24, 2006. And Apple has also patched the vulnerability in free system updates.
Bluetooth is a short-distance, low-speed wireless networking technology used to connect computers, printers, PDAs, smart phones and other devices -- it's become commonplace on the Macintosh in recent years.
Inqtana.A exploits a vulnerability called Bluetooth File and Object Exchange Directory Traversal: An infected machine could send an Object Exchange (OBEX) Push request to another system; if the user accepted the data transfer, Inqtana.A could then use the exploit to copy its files to start automatically on the next reboot. Once restarted, Inqtana.A could use the host machine to find other devices that accept OBEX Push transfers and try again.
The Directory Traversal exploit was documented in May 2005. Apple Security Update 2005-006 for Mac OS X v10.3.9 and Mac OS X

Reprinted with permission from

For more Macintosh news, visit Macworld.com.
Story copyright 2009 Mac Publishing, LLC. All rights reserved.