May 19, '04 10:56:00AM • Contributed by: CarlosD
- You use a trusted application / tool / OS component
- in a common-sense fashion or as-given / as-prescribed / normal configuration and then
- your system is damaged, compromised, or made vulnerable.
- Turn off "Open 'safe' files after downloading" in the Safari general preferences.
- Download Misfox or MoreInternet (please use this MoreInternet mirror), or some other application which allows you to set your internet helper preferences.
- Set the protocol preference for 'help' to Chess or TextEdit, or something other than the Help application. robg update: This originally said Safari, but Safari is smart enough to hand the URL back to Help, so the exploit still works. I have mine set to TextEdit now, and the test exploits all fail.
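The three steps above boil down to two settings: Safari's "Open 'safe' files after downloading" switch and the application registered for the help: URL scheme. The following Python script is an added example (not part of the original hint, and not Apple's, Misfox's or MoreInternet's code) that audits both settings on a constructed preference snapshot and produces a corrected copy. It assumes the Safari defaults key `AutoOpenSafeDownloads` (missing means "on"), an `LSHandlers` array with `LSHandlerURLScheme` / `LSHandlerRoleAll` keys for the scheme handler, and `com.apple.helpviewer` as Help Viewer's bundle identifier; those names are assumptions, not something the hint states.

```python
import plistlib
from typing import List, Optional

# Assumed bundle identifier of Apple's Help Viewer (not stated in the hint).
HELP_VIEWER_ID = "com.apple.helpviewer"

# Constructed snapshot of the Safari preference behind "Open 'safe' files
# after downloading". A missing key is treated as "on", the shipped default.
SAFARI_PREFS = plistlib.dumps({"AutoOpenSafeDownloads": True})

# Constructed snapshot of URL-scheme handlers in an assumed LaunchServices
# LSHandlers layout; the hint itself only says to change the handler with
# Misfox or MoreInternet.
LS_PREFS = plistlib.dumps({"LSHandlers": [
    {"LSHandlerURLScheme": "help", "LSHandlerRoleAll": HELP_VIEWER_ID},
    {"LSHandlerURLScheme": "mailto", "LSHandlerRoleAll": "com.apple.mail"},
]})


def auto_open_enabled(safari_plist: bytes) -> bool:
    """True when Safari would still open 'safe' downloads (disk images included)."""
    prefs = plistlib.loads(safari_plist)
    return bool(prefs.get("AutoOpenSafeDownloads", True))


def help_scheme_handler(ls_plist: bytes) -> Optional[str]:
    """Bundle id registered for help: URLs, or None when nothing is registered."""
    for entry in plistlib.loads(ls_plist).get("LSHandlers", []):
        if entry.get("LSHandlerURLScheme", "").lower() == "help":
            return entry.get("LSHandlerRoleAll")
    return None


def audit(safari_plist: bytes, ls_plist: bytes) -> List[str]:
    """One finding per step of the hint that has not been applied yet."""
    findings = []
    if auto_open_enabled(safari_plist):
        findings.append("Safari still auto-opens 'safe' downloads")
    handler = help_scheme_handler(ls_plist)
    # No explicit handler means the system default (Help Viewer) still gets the URL.
    if handler is None or handler == HELP_VIEWER_ID:
        findings.append("help: URLs still go to Help Viewer")
    return findings


def harden(safari_plist: bytes, ls_plist: bytes,
           new_handler: str = "com.apple.TextEdit") -> tuple:
    """Return corrected copies: auto-open off, help: handed to TextEdit (as the hint suggests)."""
    safari = plistlib.loads(safari_plist)
    safari["AutoOpenSafeDownloads"] = False
    ls = plistlib.loads(ls_plist)
    handlers = [h for h in ls.get("LSHandlers", [])
                if h.get("LSHandlerURLScheme", "").lower() != "help"]
    handlers.append({"LSHandlerURLScheme": "help", "LSHandlerRoleAll": new_handler})
    ls["LSHandlers"] = handlers
    return plistlib.dumps(safari), plistlib.dumps(ls)


if __name__ == "__main__":
    print("before:", audit(SAFARI_PREFS, LS_PREFS))
    fixed_safari, fixed_ls = harden(SAFARI_PREFS, LS_PREFS)
    print("after:", audit(fixed_safari, fixed_ls))
```

On a real machine you would feed the script the bytes of the actual preference files rather than the constructed snapshots; the check treats "no handler registered" the same as "Help Viewer registered", since either way the URL ends up in Help.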
[robg adds: First, thanks to everyone that sent in fixes -- I probably received five or six different solutions. I chose to publish this one because it seemed to be (a) the simplest to implement, and (b) the one that modified the system the least (not at all, actually). If you have a preferred solution that you'd like to include, please post it as a comment...
I agree with the statement that this is a relatively severe problem with Help -- it's not a Safari problem, but Safari makes it worse by allowing a link to automatically download and mount a disk image without the user's direct approval of the process. This allows an attacker to place their script in a known location for easy running via the Help URL script exposure. If you don't use Safari, you should at least change the Help URL helper application to something else until Apple releases a patch.
Update: Based on the comments and demo, I see that this vulnerability is not dependent on a locally installed script, as it can be used to execute a shell command as well. Thanks for the knowledge!
Finally, there's some good conversation on this issue on today's Macintouch, along with some alternative workarounds.]
