
Simon Willison’s Weblog

Defending against the OS X help: vulnerability

There’s a nasty OS X vulnerability under discussion at the moment which lets a web page execute code on your machine by taking advantage of a flaw in the “help:” protocol. There’s a non-malicious demonstration of the exploit on this page, and Jay Allen is hosting a discussion on the exploit and ways to avoid it.

To save you from digging through the discussion, the quickest way to defend yourself is to install the More Internet preference pane (mount the DMG, then copy the More Internet.prefPane file to your /Library/PreferencePanes folder or run the “install prefpane” script). Then open System Preferences, launch the “More Internet” panel, select the “help” protocol and use the Change button to assign it to some non-harmful application such as Chess (simply deleting the protocol will not solve the problem, because the default handler comes back). While you’re there it’s a good idea to add a new protocol called “disk” and assign it to a non-harmful application as well—this prevents malicious sites from auto-mounting networked disk images on your system, something which, while not exploitable on its own, can be used in conjunction with other exploits (like the help: one) to execute arbitrary code.

For those who are interested, it seems the exploit itself is as simple as this:

<a href="help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt string=usr:bin:top">click to run 'top'</a>
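The same anchor, seen from the defending side. The scanner below is an added example, not code from the original post: it parses HTML, pulls every link target out of href/src/action attributes and meta-refresh redirects, and flags any URL whose scheme would be handed to a local application rather than fetched by the browser, with help: URLs carrying a runscript= parameter and disk: URLs rated highest. The allowlist of web schemes and the sample page are assumptions constructed for the example; only the help: anchor in it comes from the post. Something like this is what a mail gateway or proxy would run over untrusted content to log or block such links.

```python
"""Flag links in untrusted HTML that invoke local URI handlers.

Added example (not from the original post). Schemes outside SAFE_SCHEMES
are reported; help: with runscript= and disk: are rated "high".
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes the browser fetches itself; everything else goes to a local
# handler via LaunchServices. The set is an assumption for this example
# ("" covers relative URLs, which have no scheme).
SAFE_SCHEMES = {"http", "https", "ftp", "mailto", ""}


class LinkExtractor(HTMLParser):
    """Collect (tag, attribute, url) for every link-like attribute."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # values may be None for boolean attributes
        for key in ("href", "src", "action", "data"):
            if attrs.get(key):
                self.urls.append((tag, key, attrs[key]))
        # <meta http-equiv="refresh" content="0; url=..."> is a redirect too
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            idx = content.lower().find("url=")
            if idx != -1:
                self.urls.append((tag, "content", content[idx + 4:].strip()))


def scheme_of(url):
    """Lower-cased scheme; urlsplit handles 'help:runscript=...' (no //)."""
    return urlsplit(url.strip()).scheme.lower()


def classify(url):
    """Return (severity, reason) for a risky URL, or None if it looks safe."""
    scheme = scheme_of(url)
    if scheme in SAFE_SCHEMES:
        return None
    rest = url.split(":", 1)[1] if ":" in url else ""
    if scheme == "help":
        if "runscript=" in rest.lower():
            return ("high", "help: URL passes runscript= to Help Viewer")
        return ("medium", "help: URL hands control to Help Viewer")
    if scheme == "disk":
        return ("high", "disk: URL auto-mounts a remote disk image")
    return ("low", "scheme %r is not on the web allowlist" % scheme)


def scan_html(html):
    """Parse html and return a list of findings in document order."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for tag, attr, url in parser.urls:
        verdict = classify(url)
        if verdict:
            findings.append({"tag": tag, "attr": attr, "url": url,
                             "severity": verdict[0], "reason": verdict[1]})
    return findings


# Constructed sample page: one benign link, the anchor from the post, and a
# meta refresh to a disk: URL on a reserved example host.
SAMPLE_HTML = """
<html><head>
<meta http-equiv="refresh" content="0; url=disk://example.invalid/image.dmg">
</head><body>
<a href="https://example.com/docs">docs</a>
<a href="help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt string=usr:bin:top">click to run 'top'</a>
<a href="mailto:someone@example.com">mail</a>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print("%-6s %s %s=%s (%s)" % (f["severity"], f["tag"], f["attr"], f["url"], f["reason"]))
```

The scheme check happens before anything else because a handler can be reached through any of those attributes, not just an anchor; the allowlist, rather than a blocklist, is what keeps a renamed or newly registered scheme from slipping past.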

This is Defending against the OS X help: vulnerability by Simon Willison, posted on 18th May 2004.




10 comments

  1. Is it just me, or is this at least as ignorant as MS Outlook running arbitrary JS in emails not so long ago?

    There is a theory that Windows security is perceived to be so bad largely because it dominates the space, and presents a useful target, both in terms of infection and replication, rather than being actually inferior.

    This sort of thing really lends credence to the idea.

    <a href="exec:data:arbitrary assembly" > doesn't seem too far off from this.

    Jeremy Dunck - 18th May 2004 21:48 - #

  2. Is it just me, or is this at least as ignorant as MS Outlook running arbitrary JS in emails not so long ago?

    If you ask me, it absolutely is.

    Jay Allen - 19th May 2004 04:06 - #

  3. "This sort of thing really lends credence to the idea" What were you thinking? You evaluate ideas based on what you want to believe in; of course Apple's small market share makes it less likely to get attacked. I am surprised that this problem was discovered in the first place. Your attitude towards denying security issues in Apple is a good sign of not switching to Apple at all, since Apple denies the critical security problems just like you.

    Jeremy - 19th May 2004 20:49 - #

  4. It appears you didn't read my comment very closely.

    Jeremy Dunck - 19th May 2004 22:15 - #

  5. At last Simon has bashed something that's not in any way related to Microsoft. Happy day! By the way, I just got a Microsoft "Smart Phone" from Orange and installed the patch on www.orange.co.uk. It completely busted the firmware and now I need a replacement phone. Hoped you might enjoy that! :-)

    Chris Beach - 19th May 2004 23:01 - #

  6. The more sinister version uses Safari's "automatically open safe file types" to mount a .dmg file that the page sends you, then runs a script off that - /Volumes/imgname/scriptname is pretty consistent.

    Changing the help:// will pretty much solve both problems, although also turning off Safari's "open safe d/ls" helps tighten things up a bit too.

    Matt Wilson - 19th May 2004 23:12 - #

  7. Unsanity has also released a very elegant little App-enhancer plugin appropriately called Paranoid Android that intercepts any URL schemes and prompts you for confirmation. A better solution than the MoreInternet one, in my opinion. (PA requires that Application Enhancer be installed; both are free.)

    la1itree - 21st May 2004 01:15 - #

  8. http://daringfireball.net/2004/05/unsafe_uri_handlers

    jc - 21st May 2004 15:26 - #

  9. This has now been fixed with

    Security Update 2004-05-24 --Fixed: HelpViewer "runscript" vulnerability

    and

    Security Update 2004-06-07 --Fixed: DiskImages, LaunchServices, Safari & Terminal

    Mac OS X will now present an approval alert when an application is to be run for the first time either by opening a document or clicking on a URL related to the application.

    http://www.info.apple.com/kbnum/n61798

    Tim Rutter - 24th June 2004 09:36 - #

  10. Dark bread makes cheeks red, white bread makes people dead.

    Kolin - 26th August 2006 22:25 - #


Previously hosted at http://simon.incutio.com/archive/2004/05/18/defending
