Critical security flaw in Mac OS X Help Viewer

Publié le :

Update 2: see John Gruber's page An Ounce of Prevention which is kept updated with the latest information.

Update 1: Apple has released a security update that fixes the flaw within the Help Viewer (released on May 21 but the fix is oddly dated 2004-05-24):

Security Update 2004-05-24 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:

HelpViewer

--

Security firm Secunia has published a security advisory about a critical security flaw in Safari and IE 5.2 the Help Viewer which allows for the execution of scripts in the system with a simple URL, such as this one :

<a href="help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt string=usr:bin:top">click to run 'top'</a> (test for yourself if you're on Mac OS X, the following link will launch a Terminal window and execute the utility 'top' that shows the running processes: click to run 'top', just press 'q' to quit top then quit the Terminal and the Help Viewer.)

[Via MacMinute and CNet which says that Apple is aware of the issue. Code above from Simon Willison]

P.S.: if you're of the paranoid type you have a few solutions until Apple fixes this flaw:

  • Install Don't Go There GURLFriend! from isophonic.net
  • Install MoreInternet and map the "help:" URI handler to some harmless application such as Chess