Turn off Safari’s Open “safe” files after downloading under Safari->Preferences.

Safari Preference screen

There’s a program out there in the wild that can download and install itself if that checkbox is checked. It’s possible that the payload is helped along by the Flash vulnerability; I’m not sure, but keep in mind that many websites are using Flash ads that are served from 3rd party servers. Even if you trust the site, the ads may be from nefarious sources.

There isn’t really an easy way to turn Flash off on Safari, unless you remove the plug-in from the /Library/Internet Plug-ins/ directory. Firefox has an extension, called NoScript, which is very customizable (you can block Flash, but not JavaScript, for example), and I highly recommend it. Anyway, the payload from before installs a plug-in into the /Library/Internet Plug-ins/ directory that changes the DNS server that the Mac uses to resolve domain names. Basically, it means that typing in http://macphoenix.com may send you to a totally different site, or worse, if going to a banking or bill paying site, it may send you to a site that looks exactly the same, but is controlled by thieves. One of the bad DNS IP entries was 85.255.113.138. There was another IP number, but I didn’t record it. If you have a DNS entry pointing to the above, though, it’s a server in the Ukraine that will send you to whatever it wants to, not where you want to go.

The plug-in disguises itself, so it’s impossible to know what it’s named. The solution was to remove every plug-in from /Library/Internet Plug-ins/, restarting, and (after checking that the DNS changed back to the original number) installing trusted plug-ins like QuickTime and Flip4Mac. But remember, the first line of defense is turning off that preference that should not be turned on in the first place.

Update: In response to a comment by Antonio, allow me to clarify. There are exploits to javascript (and now apparently Flash) that can make Safari download something without the user being aware. With the Open “safe” files after downloading checked, the download can potentially contain an installer that can load a trojan onto your machine. It’s simply keeping the porch door open allowing raccoons to eat the pet food in the kitchen. As for usability, the only benefit to Open “safe” files after downloading is saving the user a double click on legitimately downloaded files.

  • Antonio

    Can’t really tell what the downside is…of course I would not want something to download and install itself on my Mac without my authorization, but, what does it do? In any event, I’ll uncheck that thing, and rely on Flip4Mac, Quicktime, Perian and Flash for video on the web.