Re: disk:// and help:// security problems
- Subject: Re: disk:// and help:// security problems
- From: Gwynne <email@hidden>
- Date: Mon, 17 May 2004 19:29:06 -0400
On May 17, 2004, at 6:23 PM, Peter Wollschlaeger wrote:
> http://forums.macnn.com/showthread.php?s=&threadid=213043&perpage=50&pagenumber=1
> Deleting or modifying the OpnApp.scpt doesn't protect from this
> vulnerability
> Deleting the MacHelp.help doesn't protect from this vulnerability
> Deleting the help protocol with MisFox doesn't protect from this
> vulnerability
> Changing the help protocol to something else than Help Viewer (I use
> Chess) seems to help
> As a programmer I would say it's not a bug it's a feature.
> If you don't like it, just turn it off ("Open 'safe' files after
> download").
> And pay attention to rule 1: Never download from a source you can't
> trust.
With apologies to all for the cross-post...
Turning off that option is NOT sufficient to prevent the exploit. Read
through the discussion thread; this is a serious issue with OS X. The
help:runscript feature is absolutely a feature, and is probably
intended as a replacement for Apple Guide automation; however, it
should have been implemented in Help Viewer, not WebCore/WebKit.
-- Gwynne, key to the Code that runs us all
Formerly known as Sailor Quasar.
Email: email@hidden
Web: http://musicimage.plasticchicken.com/
_______________________________________________
cocoa-dev mailing list | email@hidden