6.3 Ensure Automatic Opening of Safe Files in Safari Is Disabled

Information

Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari evaluates file safety by using a list of filetypes maintained by Apple. The list of files includes text, image, video and archive formats that would be run in the context of the OS rather than the browser.

Rationale:

Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that falls within Safari's safe file list and will therefore download and execute without user input.

Impact:

Apple considers many files that the operating system itself auto-executes as 'safe files.' Many of these files could be malicious and could execute locally without the user even knowing that a file of a specific type had been downloaded.

Solution

Perform the following to set safe files to not open after downloading in Safari:
Graphical Method:

Open Safari

Select Safari from the menu bar

Select Preferences

Select General

Uncheck Open 'safe' files after downloading

Terminal Method:
Run the following command to disable safe files from opening automatically in Safari:

$ sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false

Example:

$ sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false

Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.
Profile Method:

Create or edit a configuration profile with the PayloadType of com.apple.Safari

Add the key Forced

Set the key to the following:

<array>
    <dict>
        <key>mcx_preference_settings</key>
        <dict>
            <key>AutoOpenSafeDownloads</key>
            <false/>
        </dict>
    </dict>
</array>
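
The Terminal Method above only writes the setting; the following script, an added example that is not part of the benchmark text, reads the same key back for every home directory and reports compliance. It assumes home directories live under /Users and are named after the account, treats an unset key as non-compliant because Safari ships with the option enabled, and uses hypothetical helper names (read_setting, classify, audit_all).

```shell
#!/bin/sh
# Added audit example, not part of the benchmark text.
# Assumptions: home directories sit under /Users and are named after the
# account (as in the command above); an unset key is reported as
# non-compliant because Safari ships with the option enabled.
KEY=AutoOpenSafeDownloads
DEFAULTS=/usr/bin/defaults
USERS_DIR=${USERS_DIR:-/Users}

# Print the stored value for one user; empty output if the key is unset.
read_setting() {
    sudo -u "$1" "$DEFAULTS" read \
        "$USERS_DIR/$1/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari" \
        "$KEY" 2>/dev/null
}

# Map the text printed by `defaults read` to a verdict.
classify() {
    case "$1" in
        0)  echo PASS ;;          # boolean false: auto-open disabled
        1)  echo FAIL ;;          # boolean true: auto-open enabled
        "") echo FAIL-UNSET ;;    # key absent or unreadable
        *)  echo UNKNOWN ;;       # not stored as a boolean; review by hand
    esac
}

# Report every home directory; return non-zero if any user is not PASS.
audit_all() {
    rc=0
    for home in "$USERS_DIR"/*; do
        [ -d "$home" ] || continue
        user=$(basename "$home")
        [ "$user" = Shared ] && continue
        verdict=$(classify "$(read_setting "$user")")
        printf '%s\t%s\n' "$user" "$verdict"
        [ "$verdict" = PASS ] || rc=1
    done
    return "$rc"
}

# Run only where the macOS defaults tool exists (needs root for sudo -u).
if [ -x "$DEFAULTS" ]; then
    audit_all
fi
```

Run it as root from a Terminal that has Full Disk Access, as the note above requires. The script reads only the per-user preference file named in the Terminal Method, so on machines configured through the Profile Method a FAIL-UNSET result should be checked against the installed profile.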

See Also

https://workbench.cisecurity.org/files/3569

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(4), CSCv7|8.5

Plugin: Unix

Control ID: e8fade92832373249451884294c536ca3ce9264fbf8c97271690c64691df0335