How to avoid the new 'Help' URL handler vulnerability
Authored by: Spades on May 19, '04 01:20:49PM
I think it should be made perfectly clear what the right way to fix this is. You want to use Misfox or MoreInternet to change the help protocol helper. Remote execution of scripts via a URL reference is the core defect. Disabling opening of "safe" files and modifying the OpnApp script do not make you safe. They are bandages for a broken leg.

To be sure that you are safe, use Misfox or MoreInternet as stated in the hint, or make sure the fix you are given specifically changes the help protocol helper. If you're not sure, do not trust that the fix you are given is performing the correct changes! And of course don't use a "fix" you got from an e-mail either.

By the way, when Apple does release a fix for this problem (assuming it's the right fix), you can change the help protocol helper back to:

/System/Library/CoreServices/Help Viewer.app

Yes, you will want to change it back. Some parts of help probably aren't going to work right while your help protocol helper is set to a different application.

How to avoid the new 'Help' URL handler vulnerability
Authored by: binkley on May 19, '04 02:05:31PM

Erm, can't you just use the "protocol helpers" preference option in Internet Explorer? I hate Microsoft and all, but that's easier than downloading a second app.



How to avoid the new 'Help' URL handler vulnerability
Authored by: rofl on May 19, '04 02:10:11PM

Another good helper to stop that malware:

http://isophonic.net/



How to avoid the new 'Help' URL handler vulnerability
Authored by: Spades on May 19, '04 03:24:29PM

That's actually the application that inspired my post. Every indication is that it just modifies OpnApp.scpt, which is the wrong fix. I don't see anything that says this changes the help protocol helper, which is the right way to deal with this. I don't mean to knock the efforts of the people that made that, and if it does make the helper change, please correct me. But the critical defect is the runscript part of help URLs, and this program does not look like a valid workaround for the defect.



How to avoid the new 'Help' URL handler vulnerability
Authored by: Spades on May 19, '04 03:13:57PM

I forgot that IE exists for Macs. I never knew that option was there. I guess that works too.



How to avoid the new 'Help' URL handler vulnerability
Authored by: roncross@cox.net on May 20, '04 12:08:33AM

Thanks for the advice. I opened Internet Explorer and pointed the protocol helper toward chess. I went to the website at

http://bronosky.com/pub/AppleScript.htm

This just opened the chess application. The question that I have is: now that the helper in the protocol is pointing toward chess.app, do I still need to turn off "Open 'safe' files after downloading" in the Safari general preferences?

thx
RLC

---
rlc


