Re: new vulnerability on macosxhints through Safari
- Subject: Re: new vulnerability on macosxhints through Safari
- From: Sander Tekelenburg <email@hidden>
- Date: Thu, 20 May 2004 07:14:34 +0200
At 13:16 -0700 UTC, on 2004/05/19, roncross wrote:
> www.macosxhints.com
[...]
> I agree with the statement that this is a relatively severe problem
> with Help -- it's not a Safari problem, but Safari makes it worse by
> allowing a link to automatically download and mount a disk image
> without the user's direct approval of the process.
You don't need to be using Safari to fall prey to this exploit. The only
thing worse about this hole is the bad information being spread. Every single
website's story on this issue that I've seen is either completely wrong or
misleadingly incomplete, resulting in people applying fixes that at best will
give a false sense of security.
My attempt at separating nonsense from fact is at
<http://www.euronet.nl/~tekelenb/playground/security/diskURLscheme/>.
Explanation how it works, proof of concept, and advice on how to protect
yourself.
[...]
> Update: Based on the comments and demo, I see that this vulnerability
> is not dependent on a locally installed script, as it can be used to
> execute a shell command as well. Thanks for the knowledge!
Not that I'm aware of. All it can do is open a file. If that file is an
executable, then it will do whatever it is programmed to do on launch. No
different than double clicking a file in the Finder.
As to how on topic this is here: some of the suggested fixes are to replace
the OpnApp.scpt with an AS script that does a more robust sanity check. I
have doubts that a good solution can be found on that path (if only because
on my machine there are 314 copies of that file), but perhaps the joint
effort of some creative and experienced scripters can do some good. It's
being tried over at MACSCRPT already.
--
Sander Tekelenburg, <http://www.euronet.nl/~tekelenb/>
_______________________________________________
applescript-users mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/applescript-users
Do not post admin requests to the list. They will be ignored.