macworld news antenna

Analysis: Secunia reports security hole in disk images

Said report states that, “The vulnerability is due to an error in com.apple.AppleDiskImageController when handling corrupted DMG disk image structures. This problem can be exploited to corrupt memory and allow arbitrary code to be executed in run mode from the core.”

According to Secunia, this vulnerability “can potentially be exploited by a local user who wants to escalate privileges or by another type of user who wants to compromise the vulnerability of the system.”

How much should you worry about this problem? While you can never be completely free of potential security holes, the vulnerability described by Secunia can be removed with relative ease. You can be relatively safe as long as you have disabled the feature that automatically opens files downloaded from the Internet.

However, remember that whenever you download and install a product (from a disk image or not), you are trusting the author of the code on that disk image, especially when you must run an installer that asks for the administrator password.

To disable automatic file opening in the Safari Web browser, open the Safari menu and choose Preferences. Click General and turn off the Open “safe” files when downloading feature.

Web: http://secunia.com/advisories/23012/