Detections
Analytics
7.2.1 Ensure Automatic Opening of Safe Files in Safari Is Disabled
Information
Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari evaluates file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser.Rationale:
Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input.
Impact:
Apple considers many files that the operating system itself auto-executes as 'safe files.' Many of these files could be malicious and could execute locally without the user even knowing that a file of a specific type had been downloaded.
Solution
Profile Method:Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.Safari
The key to include is AutoOpenSafeDownloads
The key must be set to: <false/>
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user.
Additional Information:
To verify individual users:
Audit:
Graphical Method:
Perform the following to verify that safe files are not opened when download in Safari:
Open Safari
Select Safari from the menu bar
Select Preferences
Select General
Verify that Open 'safe' files after downloading is disabled
or
Open System Preferences
Select Profiles
Verify that an installed profile has AutoOpenSafeDownloads set 0
Terminal Method:
Run the following command to verify that opening safe files after download in Safari is disabled:
$ /usr/bin/sudo -u <username> /usr/bin/defaults read /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads
0
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults read /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads
0
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in
the Security & Privacy pane in System Preferences.
Remediation:
Graphical Method:
Perform the following steps to set safe files to not open after downloading in Safari:
Open Safari
Select Safari from the menu bar
Select Preferences
Select General
Set Open 'safe' files after downloading to disabled
Terminal Method:
Run the following command to disable safe files from not opening when downloaded in Safari:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.
See Also
Item Details
Audit Name: CIS Apple macOS 12.0 Monterey v3.0.0 L1
Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY
References: 800-53|CM-10, 800-53|SC-18, 800-53|SI-3, 800-53|SI-8, CSCv7|7.1, CSCv7|7.9, CSCv7|8.5
Plugin: Unix
Control ID: b26b4543d33bbce9c40fd08a8dfa70cd0e98aa1959f2deb9cdd2f25c9847281a