new vulnerability on macosxhints through Safari
- Subject: new vulnerability on macosxhints through Safari
- From: roncross <email@hidden>
- Date: Wed, 19 May 2004 13:16:46 -0700
www.macosxhints.com
How to avoid the new 'Help' URL handler vulnerability
Wed, May 19 '04 at 10:56AM from: CarlosD
We debated -- occasionally heatedly -- about the supposed threat from a
Trojan horse. As many commenters stated, I believe that the threat was
negligible and the Mac online press was overly alarmist about that one.
The principles (to me) of what a threat is ... a *true* threat is when:
1. You use a trusted application / tool / OS component
2. in a common-sense fashion or as-given / as-prescribed / normal
configuration and then
3. your system is damaged, compromised, or made vulnerable.
Now, there has been revealed a vulnerability in Safari/Help that is
very much a threat. I have checked this myself. And all Safari users
should change their configuration now. This should be the top story
everywhere. Here are the steps to secure your machine:
1. Turn off "Open 'safe' files after downloading" in the Safari
general preferences.
2. Download Misfox or MoreInternet (please use this MoreInternet
mirror), or some other application which allows you to set your
internet helper preferences.
3. Set the protocol preference for 'help' to Chess or TextEdit, or
something other than the Help application. robg update: This originally
said Safari, but Safari is smart enough to hand the URL back to Help,
so the exploit still works. I have mine set to TextEdit now, and the
test exploits all fail.
This is a severe fault with a very simple exploit. Let's hope Apple
fixes this soon.
[robg adds: First, thanks to everyone that sent in fixes -- I probably
received five or six different solutions. I chose to publish this one
because it seemed to be (a) the simplest to implement, and (b) the one
that modified the system the least (not at all, actually). If you have
a preferred solution that you'd like to include, please post it as a
comment...
I agree with the statement that this is a relatively severe problem
with Help -- it's not a Safari problem, but Safari makes it worse by
allowing a link to automatically download and mount a disk image
without the user's direct approval of the process. This allows an
attacker to place their script in a known location for easy running via
the Help URL script exposure. If you don't use Safari, you should at
least change the Help URL helper application to something else until
Apple releases a patch.
Update: Based on the comments and demo, I see that this vulnerability
is not dependent on a locally installed script, as it can be used to
execute a shell command as well. Thanks for the knowledge!
Finally, there's some good conversation on this issue on today's
Macintouch, along with some alternative workarounds.]
______________________________________________
thanks
Ronald Cross
_______________________________________________
applescript-users mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/applescript-users
Do not post admin requests to the list. They will be ignored.