Bleck: Mac OS X vulnerability

Update: Fix available from Apple, just do a software update.

There is an ugly vulnerability in Mac OS X. I assume that if you avoid the internet for a day or two Apple will have a patch; but it’s ugly.

The gist is that if the browser visits certain places (which of course a site can trigger with popups, or redirecting) and those places are named in a particular way, then bad things can happen. They can open up the help tool on the Mac. The help tool has an ugly security hole. That hole enables all kinds of bad things.

More tedious explanation…

The Help Viewer can be instructed via a URL to run arbitrary AppleScripts, and hence shell scripts. For example this URL:

       help:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt

Much more malicious examples are trivially constructed.
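As an added defender-side example (not part of the original post), here is a small Python scanner that flags help: and disk: URLs in HTML or proxy log lines when they carry the runscript parameter, a path-traversal sequence, or a .scpt target; the sample lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Match the two protocol handlers the post names; the URL body stops at
# whitespace or a quoting/tag character so we capture a single attribute value.
RISKY_URL_RE = re.compile(r"(?i)\b(help|disk):([^\s\"'<>]*)")

def decode_fully(s, rounds=3):
    """Undo repeated percent-encoding so an obfuscated URL is inspected in clear."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def find_risky_urls(text):
    """Return (scheme, raw_url, reasons) for every help:/disk: URL in text.

    reasons is empty for harmless-looking URLs (e.g. help:anchor=...)."""
    hits = []
    for m in RISKY_URL_RE.finditer(text):
        scheme = m.group(1).lower()
        rest = decode_fully(m.group(2))
        reasons = []
        if re.search(r"(?i)runscript=", rest):
            reasons.append("runscript parameter")
        if "../" in rest:
            reasons.append("path traversal")
        if ".scpt" in rest.lower():
            reasons.append("AppleScript target")
        hits.append((scheme, m.group(0), reasons))
    return hits

def scan_lines(lines):
    """Scan log or HTML lines; keep only URLs that have at least one reason."""
    findings = []
    for n, line in enumerate(lines, 1):
        for scheme, url, reasons in find_risky_urls(line):
            if reasons:
                findings.append({"line": n, "scheme": scheme, "url": url, "reasons": reasons})
    return findings

# Constructed sample input, not real traffic.
SAMPLE_LINES = [
    '10.0.0.5 GET http://example.invalid/index.html 200',
    '<meta http-equiv="refresh" content="0;url=help:runscript=../../Scripts/Info%20Scripts/Current%20Date%20%26%20Time.scpt">',
    'window.location="disk:/Volumes/x/../../%2e%2e/payload.scpt"',
    '<a href="help:anchor=overview">Help</a>',
]
```

Run `scan_lines(SAMPLE_LINES)` and only the second and third lines are reported; the ordinary help:anchor link is matched but not flagged.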

No patch available.

Work around…
Disable the help: and disk: protocol handlers by setting them to invoke a more harmless application, for example Chess.

To edit the protocol handler dispatch table you need an additional System Preferences pane, i.e.
“More Internet”. Found here:

More info ...

It’s still early in the day, so this will probably unfold further.

