How to avoid the new 'Help' URL handler vulnerability
Authored by: Han Solo on May 20, '04 11:57:56AM
This looks correct to me, but an easier implementation for some people might be the following single command line instruction (typed in the Terminal), posted on the front page of MacInTouch today:

sudo defaults write /System/Library/CoreServices/Help\ Viewer.app/Contents/Info NSAppleScriptEnabled -bool 'no'
If you are not familiar with Unix conventions, you might miss the space after the slash in "Help\ Viewer" (to escape the space), or the lack of a space between the hyphen and "bool" that represents a boolean switch. HTH!

This disables Help Viewer completely
Authored by: anjoschu on May 21, '04 08:22:36AM

This command sets the permissions on Info.plist to 600 (i.e. no-one can read the Info.plist contents anymore), so that _every_ launch of Help Viewer fails. You'll have to correct this with this command:

sudo chmod 644 /System/Library/CoreServices/Help\ Viewer.app/Contents/Info.plist

Furthermore, I read that it would still be possible to include a faked Help Viewer application with higher version number in the mounted disk image, so that this one would be activated by the help:-URL. I'm not sure, but to me, changing the help:-Association seems the most secure fix.



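A check for the state the two comments above describe, as an added example that is not part of either post: it confirms that NSAppleScriptEnabled is set to false and that Info.plist is still mode 644 after the change. The function names are made up for this example, and it assumes Info.plist is stored as an XML property list.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: Info.plist is an XML property list (plain-text parsing below).

PLIST_DEFAULT="/System/Library/CoreServices/Help Viewer.app/Contents/Info.plist"

# applescript_disabled FILE
# Returns 0 only if the value that follows the NSAppleScriptEnabled key is <false/>.
applescript_disabled() {
    awk '
        seen == 0 && /<key>NSAppleScriptEnabled<\/key>/ {
            sub(/.*<key>NSAppleScriptEnabled<\/key>/, "")   # keep what follows the key
            seen = 1
        }
        seen {
            gsub(/[ \t\r]/, "")
            if ($0 == "") next            # value is on a later line
            ok = ($0 ~ /^<false\/>/)      # first token after the key decides
            exit
        }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# mode_is_644 FILE
# Returns 0 only if the permission bits are exactly 644 (find -perm is portable).
mode_is_644() {
    [ -n "$(find "$1" -prune -perm 644 2>/dev/null)" ]
}

# check_help_viewer_plist [FILE]
# Prints one status word; returns 0 only when both conditions hold.
# The mode is checked first because a 600 file cannot be read by a normal user.
check_help_viewer_plist() {
    f=${1:-$PLIST_DEFAULT}
    [ -f "$f" ] || { echo "missing"; return 2; }
    mode_is_644 "$f" || { echo "bad-mode"; return 1; }
    applescript_disabled "$f" || { echo "scripting-enabled"; return 1; }
    echo "ok"
}
```

Source the file and run `check_help_viewer_plist` with no argument to test the system copy; "bad-mode" is the condition the chmod 644 command in the second comment corrects.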