Simon Willison’s Weblog

Defending against the OS X help: vulnerability

There’s a nasty OS X vulnerability under discussion at the moment which lets a web page execute code on your machine by taking advantage of a flaw in the “help:” protocol. There’s a non-malicious demonstration of the exploit on this page, and Jay Allen is hosting a discussion on the exploit and ways to avoid it.

To save you from digging through the discussion, the quickest way to defend yourself is to install the More Internet preference pane (mount the DMG, then copy the More Internet.prefPane file to your /Library/PreferencePanes folder or run the “install prefpane” script). Then go to system preferences, launch the “More Internet” panel, select the “help” protocol and use the Change button to assign it to some non-harmful application such as Chess (simply deleting the protocols will not solve the problem). While you’re there it’s a good idea to add a new protocol called “disk” and assign it to a non-harmful application as well—this prevents malicious sites from being able to auto-mount networked disk images on your system, something which while not exploitable on its own can be used in conjunction with other exploits (like the help: one) to execute arbitrary code.

For those who are interested, it seems the exploit itself is as simple as this:

<a href="help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt string=usr:bin:top">click to run 'top'</a>