May 19, 2004

Mac Security problem

If you have a Macintosh running OSX, you have a problem. Deal with it right now. Today. Seriously.

Summary and Remedy.

I'm getting this from Making Light, who's trustworthy. Go to her place and read the rest, including more links and discussion. This appears to be serious. Apparently it can invoke Apple's Help program, which gives rise to horrifying potentialities.

Here's what Jay Allen (of MT-Blacklist fame) says about this in Teresa's comments:

"It is possible to write a URL that, when invoked from one’s default browser, invokes Apple’s Help program, which is itself a mini-browser which uses a subset of HTML. The trouble is that unlike a well-written, full-fledged, OSX browser, the Help program is (a.) fully scriptable; and (b.) fully capable of running any application or command for which the user has privileges."

That is a pretty damn near perfect layman's explanation.

"This is where “rm -rf” and other nightmares come in."

Well, actually, that's where we're "lucky". Due to a technical restriction, the command actually can't have any spaces in it. Thank God for small miracles.

However, just before kicking off the help:// link, the malicious web page could send your browser a "disk://..." URI which would download, say, a disk image to you which would be automatically mounted on your desktop (with or without the safe files checkbox checked, mind you) and containing a shell script or AppleScript contained inside with exactly the same instructions (Delete what you can).

After THAT, the browser would send the "help://" URI with the path to the script in the mounted disk image on your desktop.

Roundabout for sure, but not too hard to create. THAT'S what scares me so much.

Posted by Linkmeister at May 19, 2004 12:05 AM
Comments

I've been searching for more information and I just can't seem to find out if OS X 10.1.5 is affected. Seems like everyone in the world is running at least 10.2. I can get the help app to open but it goes nowhere/does nothing. Just sits there. Hmph. Thanks for the news, though!

Posted by: bunny at May 21, 2004 01:38 PM