Security researchers have discovered a vulnerability in Mac OS X that creates a means for hackers to compromise vulnerable systems. The critical security flaw is unpatched but workarounds have been issued.

The flaw stems from errors in the processing of metadata file association meta data in ZIP archives. By renamed "safe file" extensions stored in ZIP archives, hackers could trick users into executing malicious shell scripts. The security bug might also be used to attack Apple Safari browser users by creating a means for attackers to automatically run malign code when a Safari user visits a malicious-constructed website, an even more potent exploit scenario.

"This is yet another example of the continuing spread of malicious code onto other platforms," said Alfred Huger, senior director of engineering at Symantec Security Response. "While there is no known exploit at this time, users are encouraged to turn off the 'Open safe files after downloading option' in their Safari browsers and watch for further information from Apple."

Discovery of the vulnerability follows last week's discovery of two low-level worms targeting Mac OS X: Leap-A and Inqtana-A. ®

Related stories

• Apple updates to defend against OS, app and QuickTime flaws (15 May 2006)
• Plug pulled on Mac hacking challenge (9 March 2006)
• Apple update fixes 'critical' security bug (2 March 2006)
• Triple threat to Mac OS X largely academic (27 February 2006)
• Sophos in Mac OS X worm false alarm (23 February 2006)
• Apple to 'launch full movie downloads' next week (23 February 2006)
• Mac OS X malware latches onto Bluetooth vulnerability (17 February 2006)
• 'First' Mac OS X Trojan sighted (16 February 2006)
• Patch posted to run Mac OS X 10.4.4 on 'generic PC' (15 February 2006)
• Firefox and Mac security sanctuaries 'under attack' (19 September 2005)
• Symantec false alert floors Macs (10 May 2005)