Safari and the MOAB .dmg Bugs
OK, ISC gets credit for reminding me of a very obvious fact that I have been overlooking. I've been ignoring the multitude of disk image vulnerabilities that have been posted at the Month of Apple Bugs project (and the Month of Kernel Bugs, obviously), because I didn't think they were relevant. However, I have now been reminded that Safari's (st00pid IMHO) default behavior is to have the little "Open 'safe' files after downloading" box checked in the preferences. This means it will open things like .zip files, Word files, .dmg (disk image) files, etc. right away after downloading them. I haven't been able to find a detailed list of what Apple considers safe, other than this Apple document, which states: "Files such as pictures, movies, sounds, text files, PDF documents, disk images, or ZIP archives are usually considered safe." That is of course funny, since we know that malformed versions of pretty much all of these can be used as an exploit vector. Essentially, though, you can assume the "safe" check only screens out files that are executables or scripts of some sort.
See, I hadn't thought of the auto-opening fact because this is generally the first thing I turn off in Safari. Apple has been burned by this multiple times in the past, but it just keeps bolting stuff around the feature to try to keep it secure while keeping the perceived convenience for users. While it's obvious that people generally intend to open the things they download, the problem comes from the fact that web pages can force you to download stuff you don't intend to. It would be painfully trivial for a site to check the HTTP request headers for Safari clients and then, knowing that those users will almost universally still be opening anything that is downloaded, force them to download a vulnerable .dmg to be opened (or a vulnerable PDF file, or a vulnerable zip file, etc.).
So if I may, allow me to make another plea to Safari users to turn off the "Open 'safe' files after downloading" option in Safari→Preferences→General, and to ask those Apple people (who aren't even reading this ;)) to please make this option disabled by default.
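For anyone who has to check more than one Mac, here is an added example (mine, not from the post) that audits and disables the same preference from a shell. It assumes the checkbox is backed by the AutoOpenSafeDownloads key in the com.apple.Safari defaults domain, and that an absent key means Safari's built-in default, which is on.

```shell
#!/bin/sh
# Classify a raw `defaults read` value for AutoOpenSafeDownloads.
# An empty string means the key is unset, so Safari falls back to its
# shipped default of auto-opening "safe" downloads (the risky state).
classify_auto_open() {
  case "$1" in
    0|false|FALSE|no|NO) echo "disabled" ;;
    "")                  echo "enabled-by-default" ;;
    *)                   echo "enabled" ;;
  esac
}

# Read the current user's Safari preference. `defaults read` exits
# non-zero when the key is absent; map that to "" for classify_auto_open.
audit_safari_auto_open() {
  if ! command -v defaults >/dev/null 2>&1; then
    echo "not-macos"
    return 0
  fi
  value=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
  classify_auto_open "$value"
}

# Turn the option off for the current user (Safari picks it up on relaunch).
disable_safari_auto_open() {
  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

# Usage: report the state, and fix it if it is anything but "disabled".
state=$(audit_safari_auto_open)
echo "Safari auto-open safe downloads: $state"
case "$state" in
  enabled|enabled-by-default) disable_safari_auto_open && echo "disabled now" ;;
esac
```

On managed fleets the same key can be pushed via a configuration profile, but the audit function above is still useful to confirm the value that actually took effect on each machine.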
