Critical security flaw in Mac OS X Help Viewer


Update 2: see John Gruber's page An Ounce of Prevention which is kept updated with the latest information.

Update 1: Apple has released a security update that fixes the flaw within the Help Viewer (released on May 21 but the fix is oddly dated 2004-05-24):

Security Update 2004-05-24 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:

HelpViewer

--

Security firm Secunia has published a security advisory about a critical security flaw, originally attributed to Safari and IE 5.2 but actually in the Help Viewer, which allows scripts to be executed on the system with a simple URL, such as this one:

<a href="help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt string=usr:bin:top">click to run 'top'</a>

(Test for yourself if you're on Mac OS X: the following link will launch a Terminal window and execute the utility 'top', which shows the running processes: click to run 'top'. Just press 'q' to quit top, then quit the Terminal and the Help Viewer.)

[Via MacMinute and CNet which says that Apple is aware of the issue. Code above from Simon Willison]

P.S.: if you're of the paranoid type you have a few solutions until Apple fixes this flaw:

  • Install Don't Go There GURLFriend! from isophonic.net
  • Install MoreInternet and map the "help:" URI handler to some harmless application such as Chess
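For anyone filtering web or mail content until the handler is patched or remapped, the URL format shown above can be detected in markup. The following is an added example, not code from the original post: a Python scanner (HelpURIScanner and scan_html are hypothetical names) that flags help: URIs carrying runscript=. It assumes fields are space-separated as in the post's link, and the sample markup is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

URL_ATTRS = {"href", "src", "action", "content"}  # "content" covers <meta http-equiv="refresh">

class HelpURIScanner(HTMLParser):
    """Record every help: URI in the markup; rate those carrying runscript= as high."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            target = value
            if name == "content":  # refresh syntax: "0;url=help:..."
                target = re.split(r"(?i)url\s*=", value, maxsplit=1)[-1]
            # Browsers ignore leading whitespace and embedded tab/CR/LF in a URL.
            target = target.strip().translate({9: None, 10: None, 13: None})
            if not target.lower().startswith("help:"):
                continue
            body = unquote(target[5:])  # spaces are often written as %20
            fields = dict(p.split("=", 1) for p in body.split() if "=" in p)
            self.findings.append({
                "tag": tag,
                "uri": target,
                "runscript": fields.get("runscript"),
                "string": fields.get("string"),
                "severity": "high" if "runscript" in fields else "review",
            })

def scan_html(markup):
    """Return one finding per help: URI found in URL-bearing attributes."""
    scanner = HelpURIScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings

# Constructed sample: the post's link, a meta-refresh variant with an upper-case
# scheme and %20, an ordinary link, and a made-up help: URI without runscript.
SAMPLE = """
<a href="http://www.apple.com/support/">ordinary link</a>
<a href="help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt string=usr:bin:top">x</a>
<meta http-equiv="refresh" content="0;url=HELP:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt%20string=usr:bin:top">
<a href="help:placeholder=value">constructed, not a real Help Viewer command</a>
"""
```

Calling scan_html(SAMPLE) returns three findings: two rated "high" and one rated "review".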


3 Comments

Philippe said:

Contrary to what the advisory says, it is a bug in the 'help' viewer, and ALL browsers running on OS X 10.3 are affected, as they can pass the URL along.

François said:

You're right, it works in all browsers which launch Help, which in turn executes what's in the URL.

François said:

I updated the post and its title to reflect the fact that the flaw isn't one of any browser but related to the Help Viewer (or maybe some legacy from InternetConfig code).

Note to self: another reason why embedding the post title in the URL isn't a good idea!


About this Entry

This page contains a single entry by François Nonnenmacher published on May 19, 2004 2:32 PM.
