Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!


Click here to return to the 'How to avoid the new 'Help' URL handler vulnerability' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
How to avoid the new 'Help' URL handler vulnerability
Authored by: osxpounder on May 19, '04 05:31:15PM

One of my userids on one of our Macs will not "take" the change. I even tried using MoreInternet to remove the help entry from the list of protocols. Still, the exploit works, and when I look again in System Preferences>MoreInternet, I see that the Help Viewer settings are always back as they were before I changed anything.

This userid doesn't normally have the rights to even open most Prefs panels, and is not an admin user, of course.

Any ideas what I should check? I need to either secure this userid or delete it and recreate it.

---
--
osxpounder



[ Reply to This | # ]
How to avoid the new 'Help' URL handler vulnerability
Authored by: clindberg on May 19, '04 05:43:53PM
AppleScript itself is used to message an application to accept a URL. You need to have a GURL handler declared in your application's scriptSuite (possibly requiring the name "GetURL"; I'm not sure). Therefore, only real applications that have applescript enabled (and a GURL handler) can be the helper for a URL scheme.

You can use my RCDefaultApp pref pane (as mentioned in a previous reply) to just disable a URL scheme. The internal implementation is to assign it to a simple do-nothing application, which does declare a GURL handler.

[ Reply to This | # ]

MoreInternet changes not taking effect for some userids...
Authored by: osxpounder on May 19, '04 06:13:02PM

... on both Panther and Jaguar boxes. Two of the users [one each on Panther and Jaguar] show different symptoms:

The Panther problem userid's symptom is that the Help protocol's setting keeps reverting back to default immediately.

The Jag user's problem is that the Help protocol disappears from the list, after I make the change in MoreInternet.

Both users remain vulnerable, so I locked them out for now.

Anyway, view that as a warning: double-check that all your userids do, indeed, reflect the change after quitting System Preferences.

Would RCDefaultApp be likely to work in this case, you think?

---
--
osxpounder



[ Reply to This | # ]
MoreInternet changes not taking effect for some userids...
Authored by: clindberg on May 19, '04 06:22:32PM

Yes, RCDefaultApp should work. There is no real way to "remove" a mapping; as long as LaunchServices knows of an application that can handle a URL scheme, it will use it. There are ways to kill all of the user-set mappings, but I would think that all Apple-provided default helpers get re-added.

RCDefaultApp "disables" schemes by assigning them to a real application that does nothing with them. It runs in the background (then exits) so you never see it. Since it's a real application, the setting should remain, and it's easy to change back to Helper Viewer when/if Apple fixes the vulnerability. I am fairly certain that MoreInternet does not work this way.



[ Reply to This | # ]