Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!


Click here to return to the 'How to avoid the new 'Help' URL handler vulnerability' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
How to avoid the new 'Help' URL handler vulnerability
Authored by: cougar718 on May 20, '04 02:09:49AM
Hello all,

The best solution I found to prevent this vulnerability from taking place is to set the NSApplescriptEnabled property list key inside the Info.plist file of the Help Viewer application to false opposed to true. This will prevent Help Viewer application from running AppleScript.

Note : The instructions below use vi - Feel free to use any text editor you like such as pico.
  1. vi /System/Library/CoreServices/Help\ Viewer.app/Contents/Info.plist
  2. Type /NSApple to have vi search for NSApplescriptEnabled
  3. Use the down arrow to move the cursor to beginning of the word true, which will be in the next line after NSApplescriptEnabled.
  4. Use the 'x' key to delete the word true
  5. Type 'i' key for vi's insert mode
  6. Type false
  7. Hit 'esc' key to exit out of vi's insertion mode.
  8. Type ':x' to have vi automatically save the document and quit.
When you're finished editing the document, it should look like this... [code] NSApplescriptEnabled [/code] More information here on NSAppleScriptEnabled Property List key. Again, I think this is a better fix without needing a 3rd party application.

Rick alias cougar

[ Reply to This | # ]
read this first and save a minute of time
Authored by: marklark on May 20, '04 09:14:57AM

you will probably have to "sudo vi /System/...."



[ Reply to This | # ]
How to avoid the new 'Help' URL handler vulnerability
Authored by: Han Solo on May 20, '04 11:57:56AM
This looks correct to me, but an easier implementation for some people might be the following single command line instruction (typed in the Terminal), posted on the front page of MacInTouch today:

sudo defaults write /System/Library/CoreServices/Help\ Viewer.app/Contents/Info NSAppleScriptEnabled -bool 'no'
If you are not familiar with Unix conventions, you might miss the space after the slash in "Help\ Viewer" (to escape the space), or the lack of a space between the hyphen and "bool" that represents a boolean switch. HTH!

[ Reply to This | # ]
This disables Help Viewer completely
Authored by: anjoschu on May 21, '04 08:22:36AM

This command sets the permissions on Info.plist to 600 (i.e. no-one can read the Info.plist contents anymore), so that _every_ Launch of Help Viewer fails. You'll have to correct this with this command:

sudo chmod 644 /System/Library/CoreServices/Help\ Viewer.app/Contents/Info.plist

Furthermore, I read that it would still be possible to include a faked Help Viewer application with higher version number in the mounted disk image, so that this one would be activated by the help:-URL. I'm not sure, but to me, changing the help:-Association seems the most secure fix.



[ Reply to This | # ]