Update: Fix available from Apple, just do a software update.
There is an ugly vunerablity in Mac OS X. I assume that if you avoid the internet for a day or two Apple will have a patch; but it’s ugly.
The gist is that if the browser visits certain places (which of course a site can trigger with popups, or redirecting) and those places are named in a particular way, then bad things can happen. They can open up the help tool on the Mac. The help tool has a ugly security hole. That hole enables all kinds of bad things.
More tedious explaination…
The Help Viewer can be instructed via a URL to run arbitrary AppleScripts, and hence shell scripts. For example this URL:
help:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt
Much more malicious examples are trivially constructed.
No patch available.
Disable the help: and disk: protocol handlers; by setting them to invoke a more harmless application; for example Chess.
To edit the protocol handler dispatch table you need an additional system preference’s pane; i.e.
“More Internet”. Found here:
More info ... http://secunia.com/advisories/11622/ http://www.jayallen.org/journey/2004/05/mac_os_x_highly_critical_security_flaw http://mamamusings.net/archives/2004/05/18/serious_os_x_security_problem.php http://nielsenhayden.com/makinglight/archives/005217.html#005217
It’s still early in the day, so this will probably unfold further.