As you’ve no doubt heard by now, there’s a real, actual, MacOS X vulnerability in the news. And this time it ain’t no proof-of-concept. A rundown of the issue:
- Safari allows you to automagically download and open/run/execute files that Safari considers “safe.” These include PDFs, Disc-Images (.dmg files), Stuffit files, etc.
- The Apple Help viewer application is scriptable via AppleScript.
- There’s a nifty protocol built into MacOS X named “help:” that allows apps or websites to open specific help files when needed.
- AppleScripts can execute shell scripts (but Help’s URL scriptability is limited to commands without spaces – not sure if URL-encoded spaces work in place, my guess is not)
- Since Help allows scripts residing on your hard drive to be run via a specific URL handler (god knows why), a website can automatically run a shell script or other malicious AppleScript via Safari’s cozy relationship with Help using a “help:runscript=Path/To/An/AppleScript.scpt%20string=’Bad-Shit-Goes-Here” href or JavaScript auto-relocate.
- Since Safari can auto-mount disc-images, a website could have you download a DMG that contains a malicious script, auto-mount it, send you to a page to containing a refresh to the “help:” handler that uses Help to execute the script you just downloaded. Whew.
The fix? Download MoreInternet 1.1.1, install it, and set the handler for “help” to Chess or TextEdit, apps that won’t execute scripts automatically via the help protocol. More info available at MacOSXHints.
Apple really dropped the ball on this one. I mean come on, scripts that can be executed when they’re part of a URL? Christ.
Here’s an example of one that lists a directory’s contents. A said above, they can be made to do much more.
UPDATE: Phil says if you’re clicking random links you deserve it.
