How to avoid the new 'Help' URL handler vulnerability
May 19, '04 10:56:00AM
Contributed by: CarlosD
We debated -- occasionally heatedly -- about the supposed threat from a Trojan horse. As many commenters stated, I believe that the threat was negligible and the Mac online press was overly alarmist about that one. The principles (to me) of what a threat is ... a *true* threat is when:
- You use a trusted application / tool / OS component
- in a common-sense fashion or as-given / as-prescribed / normal configuration and then
- your system is damaged, compromised, or made vulnerable.
Now, there has been revealed a vulnerability in Safari/Help that is very much a threat. I have checked this myself. And all Safari users should change their configuration now. This should be the top story everywhere. Here are the steps to secure your machine:
- Turn off "Open 'safe' files after downloading" in the Safari general preferences.
- Download Misfox or MoreInternet (please use this MoreInternet mirror), or some other application which allows you to set your internet helper preferences.
- Set the protocol preference for 'help' to Chess or TextEdit, or something other than the Help application. robg update: This originally said Safari, but Safari is smart enough to hand the URL back to Help, so the exploit still works. I have mine set to TextEdit now, and the test exploits all fail.
This is a severe fault with a very simple exploit. Let's hope Apple fixes this soon.
[robg adds: First, thanks to everyone that sent in fixes -- I probably received five or six different solutions. I chose to publish this one because it seemed to be (a) the simplest to implement, and (b) the one that modified the system the least (not at all, actually). If you have a preferred solution that you'd like to include, please post it as a comment...
I agree with the statement that this is a relatively severe problem with Help -- it's not a Safari problem, but Safari makes it worse by allowing a link to automatically download and mount a disk image without the user's direct approval of the process. This allows an attacker to place their script in a known location for easy running via the Help URL script exposure. If you don't use Safari, you should at least change the Help URL helper application to something else until Apple releases a patch.
Update: Based on the comments and demo, I see that this vulnerability is not dependent on a locally installed script, as it can be used to execute a shell command as well. Thanks for the knowledge!
Finally, there's some good conversation on this issue on today's Macintouch, along with some alternative workarounds.]
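To confirm the two settings from the steps above actually took effect, the following added example (not part of the original hint or of any tool it mentions) audits exported preference data. The plist layout is an assumption: an `LSHandlers` array with `LSHandlerURLScheme` / `LSHandlerRoleAll` entries as used by LaunchServices in later Mac OS X releases, and Safari's `AutoOpenSafeDownloads` key; the sample data is constructed.

```python
import plistlib

# Handlers that leave help: URLs reaching Help Viewer. Safari is listed because,
# per robg's update, it hands the URL straight back to Help.
INEFFECTIVE_HANDLERS = {"com.apple.helpviewer", "com.apple.safari"}

# Constructed sample input (not captured from a real machine).
SAMPLE_LS = plistlib.dumps({"LSHandlers": [
    {"LSHandlerURLScheme": "help", "LSHandlerRoleAll": "com.apple.TextEdit"},
    {"LSHandlerURLScheme": "http", "LSHandlerRoleAll": "com.apple.Safari"},
]})
SAMPLE_SAFARI = plistlib.dumps({"AutoOpenSafeDownloads": True})


def help_handler(ls_bytes):
    """Return the bundle id registered for help: URLs, or None if no override exists."""
    prefs = plistlib.loads(ls_bytes)
    for entry in prefs.get("LSHandlers", []):
        if str(entry.get("LSHandlerURLScheme", "")).lower() == "help":
            return entry.get("LSHandlerRoleAll")
    return None


def audit(ls_bytes, safari_bytes):
    """Return a list of findings; an empty list means both workarounds are in place."""
    findings = []
    handler = help_handler(ls_bytes)
    if handler is None:
        # No override recorded: the system default (Help) still receives help: URLs.
        findings.append("help: has no override; Help still handles it")
    elif str(handler).lower() in INEFFECTIVE_HANDLERS:
        findings.append("help: is routed to %s, which still reaches Help" % handler)
    safari = plistlib.loads(safari_bytes)
    # Assumption: a missing key means the option is at its default, which is on.
    if safari.get("AutoOpenSafeDownloads", True):
        findings.append("Safari opens 'safe' files after downloading")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_LS, SAMPLE_SAFARI) or ["both workarounds in place"]:
        print(line)
```

With the constructed sample, the `help` handler passes (TextEdit) and only the Safari auto-open setting is reported.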
Mac OS X Hints
http://hints.macworld.com/article.php?story=20040517155635846