Critical security flaw in Mac OS X Help Viewer

Update 2: see John Gruber's page An Ounce of Prevention which is kept updated with the latest information.

Update 1: Apple has released a security update that fixes the flaw within the Help Viewer (released on May 21 but the fix is oddly dated 2004-05-24):

Security Update 2004-05-24 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:



Security firm Secunia has published a security advisory about a critical security flaw, first attributed to Safari and IE 5.2 but actually in the Help Viewer, which allows the execution of scripts on the system with a simple URL, such as this one:

<a href=" string=usr:bin:top">click to run 'top'</a>

(Test for yourself if you're on Mac OS X: the following link will launch a Terminal window and execute the utility 'top', which shows the running processes: click to run 'top'. Just press 'q' to quit top, then quit the Terminal and the Help Viewer.)

[Via MacMinute and CNet which says that Apple is aware of the issue. Code above from Simon Willison]

P.S.: if you're of the paranoid type you have a few solutions until Apple fixes this flaw:

  • Install Don't Go There GURLFriend! from
  • Install MoreInternet and map the "help:" URI handler to some harmless application such as Chess
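
The flaw depends on a web page being able to hand a non-web URI scheme such as "help:" to a local handler. As an added example (not code from the original post or from any tool it names), this Python script audits HTML for URL attributes whose scheme falls outside an allowlist, going beyond plain links to cover frames and meta refreshes as well. The allowlist, the function names and the constructed sample with PLACEHOLDER targets are assumptions.

```python
import re
from html.parser import HTMLParser

# Assumed allowlist of schemes a page may link to; tune it per site.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
URL_ATTRS = {"href", "src", "action"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)

# Constructed sample page; PLACEHOLDER stands in for any handler-specific target.
SAMPLE = """\
<a href="https://example.com/docs">docs</a>
<a href=" HeLp:PLACEHOLDER">mixed case, leading space</a>
<iframe src="he&#10;lp:PLACEHOLDER"></iframe>
<meta http-equiv="refresh" content="0; url=help:PLACEHOLDER">
<a href="/relative/path">relative</a>
"""

def url_scheme(value):
    """Return the lowercased scheme of a URL attribute value, or None if relative."""
    # Browsers drop embedded tab/CR/LF and surrounding whitespace before parsing a URL,
    # so normalise the same way or the filter sees a different string than the browser.
    cleaned = re.sub(r"[\t\r\n]", "", value).strip()
    match = SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None

class SchemeAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, scheme) for every disallowed scheme

    def handle_starttag(self, tag, attrs):
        attr_map = {name: value or "" for name, value in attrs}
        is_refresh = tag == "meta" and attr_map.get("http-equiv", "").lower() == "refresh"
        for name, value in attr_map.items():
            if name == "content" and is_refresh:
                # "<seconds>; url=<target>": audit the redirect target only.
                value = re.split(r"url\s*=", value, maxsplit=1, flags=re.IGNORECASE)[-1]
                value = value.strip("'\" ")
            elif name not in URL_ATTRS:
                continue
            scheme = url_scheme(value)
            if scheme and scheme not in ALLOWED_SCHEMES:
                self.findings.append((tag, name, scheme))

def audit(html):
    """Return all (tag, attribute, scheme) findings for one HTML document."""
    auditor = SchemeAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("disallowed scheme:", finding)
```
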


Contrary to what the advisory says, it is a bug in the 'help' viewer, and ALL browsers running on OS X 10.3 are affected, as they can pass the URL along.

You're right, it works in all browsers which launch Help, which in turn executes what's in the URL.

I updated the post and its title to reflect the fact that the flaw isn't one of any browser but related to the Help Viewer (or maybe some legacy from InternetConfig code).

Note to self: another reason why embedding the post title in the URL isn't a good idea!
