Must we stop surfing from OS X until fixed?
Mac Elite
Join Date: Mar 2001
Location: CO
This morning's MacNN Early Edition has a story about the Safari/OS X / Webcore vulnerability. Without warning the viewer, MacNN has put in a link that links through to a link that EXPLOITS that vulnerability (though causing no harm):
"Apple investigating "extremely critical" flaw
"Apple says it is taking the Mac OS X security vulnerability "very seriously" and...
All you have to do is click the "Mac OS X security vulnerability" link and (even though the status bar for the link just shows the MacNN\PHP#) another MacNN takes you right through to bronosky.com pub/AppleScript.htm and activates a link that DOWNLOADS a .dmg, STARTS HelpViewer, OPENS Terminal, and EXECUTES Terminal commands... thus demonstrating the vulnerability.
This raises the problem that (potentially) we cannot trust ANY link (because we cannot know what it's linked through to). Given that MacNN has a link to bronosky's innocuous script, suppose bronosky (or whoever) turns out not to be so kindly-minded and decides to take advantage of his visibility to update that script to something malevolent. Immediately MacNN readers who are trying to *learn* about this security flaw become *victims of it.*
Surfing bulletin boards (where ANYONE can post ANY link) has now become especially dangerous. The more Mac-oriented the BB, the more dangerous - because that's where you'd find the people most knowledgeable about exploiting Mac vulnerabilities.
Please explain to me that I'm being overly concerned.
PS: and don't we have to be equally concerned about hyperlinks in email - perhaps especially email among members of the Mac community - for the same reasons?
TOMBSTONE: "He's trashed his last preferences"
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
There is another thread that discusses your questions in detail.
In short: no, you can continue to surf and click links as long as you disable Help.app from being your help protocol handler. I have summarized in this post how you can do this and avoid getting into problems with an easy work-around until Apple fixes this problem in a proper manner.
Junior Member
Join Date: Oct 2003
Thanks, Simon! Unfortunately, everyone must be DLing More Internet as its 600K is taking forever!
Junior Member
Join Date: Oct 2003
Simon:
I tried your recommendations:
-------------------
Here's my 1-2-3 suggestion:
Step 1) Download More Internet and use it to set Chess.app as the default helper app for the protocol "help" as noted earlier in this thread
Step 2) Send e-mail to Apple and tell them this needs to be fixed ASAP!
Step 3) Be careful. Do not trust everybody. Think before clicking.
-------------------
But Chess.app was rejected by More Internet as unsuitable:
"There was a problem setting the app as the helper"
Am I correct that setting any non-sensical app to handle "help" protocols should work to deflect things that ordinarily go to Help Viewer?
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Originally posted by macsfromnowon:
But Chess.app was rejected by More Internet as unsuitable:
"There was a problem setting the app as the helper"
I have no idea why this happened. I set it to use Chess.app and it worked fine. Have you checked your permissions? Maybe you could contact More Internet's author...
Am I correct that setting any non-sensical app to handle "help" protocols should work to deflect things that ordinarily go to Help Viewer?
Yes. The nice thing about using Chess.app is that you notice a malicious attempt should it happen. But in general the helper can be any app that does not share Help Viewer's vulnerability. We know that Chess.app will prevent the exploit. If you choose another app, you must be sure this is true for this app as well.
(Last edited by Simon; May 19, 2004 at 10:08 AM.)
Professional Poster
Join Date: Oct 2001
Location: London
Hi,
I am the author of MoreInternet - I'm sorry that the download is taking so long, but the site is hosted on my DSL, which has become somewhat busy over the last few days!
You can download the disc image much faster through the mirror on my .mac public folder.
As to the problem you are having setting a helper - I have heard of this happening before:
Trash your LaunchServices cache and restart (it should help):
http://www.macosxhints.com/article.p...31215144430486
Junior Member
Join Date: Oct 2003
Thanks, Diggory,
I did find your .mac source speedy. I also just used Text Edit as the app to use for any "help" protocol. I assume that should work as well?
Professional Poster
Join Date: Oct 2001
Location: London
Yes - Text Edit will work also (only Help Viewer executes scripts via URI) - although as someone else here pointed out, there is a slight benefit of using an unusual program like Chess - it effectively notifies you that you have clicked on a help:// link - whereas an automatic TextEdit launch can easily be missed.
Junior Member
Join Date: Aug 2002
I have several Macs that I maintain and found that the More Internet pref pane would work perfectly on some but not on others - even after trashing the LaunchServices cache and restarting.
Not sure what the issue is with that but for others who may be having the same problem you might also try the "Don't Go There, GURLfriend 1.0" patch which takes a different approach to fixing the vulnerability and can be found here:
http://isophonic.net/
Posting Junkie
Join Date: Dec 2000
Originally posted by macbarry:
I have several Macs that I maintain and found that the More Internet pref pane would work perfectly on some but not on others - even after trashing the LaunchServices cache and restarting.
Not sure what the issue is with that but for others who may be having the same problem you might also try the "Don't Go There, GURLfriend 1.0" patch which takes a different approach to fixing the vulnerability and can be found here:
http://isophonic.net/
Many have already pointed out that patching the OpnApp.scpt file will not protect against this vulnerability, as it can be used to execute any script, including one on a disk image that says do shell script "rm -rf ~/*".
How about a nice game of chess?
Junior Member
Join Date: Aug 2002
Thanks for the update. ... OK so back to using More Internet - is that an OS 10.3 app only? The machines having issues with it are running 10.2.8...
Mac Elite
Join Date: Mar 2001
Location: CO
I find that after installing and setting More Internet to use some app other than "Help Viewer" for all help protocols that the changes had also been applied to IE - so it sounds like that's a pretty good all-around safeguard for now.
( http://www.monkeyfood.com freeware - thanks Diggory! )
TOMBSTONE: "He's trashed his last preferences"
Professional Poster
Join Date: Oct 2001
Location: London
Originally posted by macbarry:
Thanks for the update. ... OK so back to using More Internet - is that an OS 10.3 app only? The machines having issues with it are running 10.2.8...
It will run on Jaguar, but Jaguar's Help Viewer does not have the security problem. (I think)
Posting Junkie
Join Date: Dec 2000
Originally posted by Diggory Laycock:
It will run on Jaguar, but Jaguar's Help Viewer does not have the security problem. (I think)
I asked my brother to try this on his 10.2.8 machine the other day, and it did indeed sound like it was able to launch the scripts.
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Originally posted by CharlesS:
Many have already pointed out that patching the OpnApp.scpt file will not protect against this vulnerability, as it can be used to execute any script, including one on a disk image that says do shell script "rm -rf ~/*".
Actually, how do you handle a script with spaces in between ?
Someone in the other thread said that so far, there is no way to do that.
So, afaik, only code with spaces that is already existent on the HD can be executed.
Did I get something wrong ?
-t
Posting Junkie
Join Date: Dec 2000
Originally posted by turtle777:
Actually, how do you handle a script with spaces in between ?
Someone in the other thread said that so far, there is no way to do that.
So, afaik, only code with spaces that is already existent on the HD can be executed.
Did I get something wrong ?
-t
It's impossible to execute a shell script with spaces in it using the OpnApp.scpt. But, you can make your own .scpt with the code I posted above, and put it on the disk image, and do a runscript=../../../Volumes/EvilDiskImage/EvilScript.scpt and go to town. This would be trivial to do - if I were an evil scumbag, I could do it right now. Fortunately, I'm not and I won't, but someone else well may, so like I said before, how about a nice game of chess?
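Added example, not part of any post in this thread: a small Python scanner that checks a saved page or e-mail body for URLs that would be handed to the `help` protocol handler, including ones that load without a click. The function and class names and the sample HTML are constructed for illustration, and the `help:runscript=` URL layout is assumed from the strings quoted in the posts above.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes that make a browser load a URL, with or without a click.
URL_ATTRS = {"href", "src", "action", "data"}

class HelpLinkFinder(HTMLParser):
    """Collects URLs that would be handed to the help: protocol handler."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, reason) tuples

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = (value or "").strip()
            if name in URL_ATTRS:
                self._check(tag, url)
            elif tag == "meta" and name == "content" and "url=" in url.lower():
                # <meta http-equiv="refresh" content="0;url=..."> needs no click
                self._check(tag, url[url.lower().index("url=") + 4:].strip())

    def _check(self, tag, url):
        decoded = unquote(url).lower()  # also catches percent-encoded spellings
        if not decoded.startswith("help:"):
            return
        if "runscript=" not in decoded:
            reason = "help: URL, opens the registered help handler"
        elif "../" in decoded or "/volumes/" in decoded:
            reason = "help: URL runs a script via path traversal or a mounted volume"
        else:
            reason = "help: URL runs a script"
        self.findings.append((tag, url, reason))

def find_help_links(html_text):
    finder = HelpLinkFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed sample page; the runscript path is the one quoted in the thread.
SAMPLE = """
<a href="http://example.com/story.php?id=1">news story</a>
<a href="help:runscript=../../../Volumes/EvilDiskImage/EvilScript.scpt">more</a>
<meta http-equiv="refresh" content="0;url=HELP:%72unscript=x.scpt">
<iframe src="help:topic"></iframe>
"""

if __name__ == "__main__":
    for tag, url, reason in find_help_links(SAMPLE):
        print(f"<{tag}> {url} -> {reason}")
```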