06-Mar-01 UPDATE: Security Update 2006-001 should fix this issue.
Files that end with .zip are compressed archives containing several files and/or folders. You can create them by CONTROL-clicking on files or folders in the Finder then selecting “Create archive of …” from the contextual menu that appears. They are sometimes also used to package downloads into a single file.
A bug has been discovered in the mechanism Mac OS X uses to store Mac-specific file information in .ZIP compressed archives. This bug can allow a malicious download to execute commands when Mac OS X expands the ZIP archive to extract its contents. In combination with Safari’s option to “Open safe files” after they are downloaded, this can allow a web page to automatically download a .ZIP archive and have it execute its own commands.
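As an added example (not part of the original post), here is a small Python check for the pattern just described: it pairs each archive member with the `__MACOSX/._name` AppleDouble sidecar that Mac OS X writes to hold Mac-specific file information, reports which Mac metadata the sidecar carries, and flags members whose extension looks harmless but whose contents start with a script shebang or a Mach-O header. The demo archive is constructed in the code; its Finder info bytes are zeroed placeholders, not real metadata.

```python
import io
import posixpath
import struct
import zipfile

APPLEDOUBLE_MAGIC = 0x00051607                        # AppleDouble header magic, big-endian
ENTRY_NAMES = {2: "resource fork", 9: "Finder info"}  # AppleDouble entry IDs with Mac file info
SAFE_LOOKING = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf", ".mov"}
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xca\xfe\xba\xbe"}  # 32-bit, 64-bit, fat

def appledouble_entries(blob):
    """Return the entry IDs in an AppleDouble (._name) header, or [] if the blob is not one."""
    if len(blob) < 26 or struct.unpack(">I", blob[:4])[0] != APPLEDOUBLE_MAGIC:
        return []
    count = struct.unpack(">H", blob[24:26])[0]   # magic, version, 16-byte filler, then count
    # Each entry is id/offset/length, 4 bytes each; stop early if the header is truncated
    return [struct.unpack(">III", blob[26 + 12 * i:38 + 12 * i])[0]
            for i in range(min(count, (len(blob) - 26) // 12))]

def scan_zip(data):
    """Return human-readable findings for a .zip archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for name in sorted(n for n in names if not n.startswith("__MACOSX/")):
            head = zf.read(name)[:4]
            ext = posixpath.splitext(name)[1].lower()
            # A harmless-looking extension over script or native executable content
            if ext in SAFE_LOOKING and (head.startswith(b"#!") or head in MACHO_MAGICS):
                findings.append(f"{name}: safe-looking extension but executable content")
            # Finder stores a member's Mac-specific info in __MACOSX/<folder>/._<name>
            folder, base = posixpath.split(name)
            sidecar = posixpath.join("__MACOSX", folder, "._" + base)
            if sidecar in names:
                carried = [ENTRY_NAMES[i] for i in appledouble_entries(zf.read(sidecar)) if i in ENTRY_NAMES]
                if carried:
                    findings.append(f"{name}: carries Mac {', '.join(carried)} via {sidecar}")
    return findings

def build_sample():
    """Constructed demo archive: a shell script named like an image, plus its AppleDouble sidecar."""
    header = struct.pack(">II", APPLEDOUBLE_MAGIC, 0x00020000) + b"\0" * 16 + struct.pack(">H", 2)
    header += struct.pack(">III", 9, 50, 32) + struct.pack(">III", 2, 82, 0)  # Finder info, empty rsrc fork
    sidecar = header + b"\0" * 32                     # Finder info left zeroed: placeholder only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"#!/bin/sh\necho constructed sample\n")
        zf.writestr("__MACOSX/._photo.jpg", sidecar)
        zf.writestr("notes.txt", b"plain text, no sidecar\n")
    return buf.getvalue()
```

Run `scan_zip(open(path, "rb").read())` on a downloaded archive; an empty list means neither indicator was seen, which is evidence of absence of this particular pattern, not proof the archive is safe.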
Apple should have a security update to address this soon but for now there are a few things you can do to protect yourself:
1) Turn OFF the checkbox labeled ‘Open “safe” files after downloading’ in Safari’s General preferences section. This will prevent Safari from automatically opening any downloaded files even if it considers them to be safe. (We’ve been recommending this for a long time anyway.)
2) Don’t open .zip files from people you don’t know or unsolicited attachments from people you do know until you can verify that they really did send it.
3) Only download from sites you trust, either well-known companies such as Apple or individuals and smaller companies who have been around for a while. An unsolicited email with a link to a free anti-virus package on a site that suddenly appeared yesterday should be unceremoniously deleted, for example.
These are the same basic tips we’ve been mentioning for a while, but it’s more important than ever that they be followed.
