Safari Falls Victim to Remote Code Exploit
A user writes, "A new vulnerability has been found in Mac OS X's Safari, which will launch Help.app and run an arbitrary script with a URL like 'help:runscript=...', assuming a known path (which is possible when Safari is set to automount disk images (which is the default)). A nice working demonstration is available on insecure.ws while the incident has been reported on Full-Disclosure."
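The submission describes a client-side URL-scheme handler problem: a link using a scheme the browser hands off to another application (here `help:`), which then acts on the URL's contents. One defensive measure at a proxy or mail gateway is to audit HTML for links whose scheme is not one a web page is expected to use. The following is an added example, not code from the story, from Apple, or from the insecure.ws demonstration; the allowlist, the sample HTML and the `PLACEHOLDER-PATH` value are constructed assumptions. It goes slightly beyond the story by also catching `meta refresh` redirects and any other non-web scheme, not just `help:`.

```python
"""Flag links in HTML whose URL scheme is outside a web allowlist.

Added example (not part of the original story). Given an HTML body,
it lists every link, embedded resource or meta-refresh target whose
scheme is not one a normal web page uses. Schemes that hand the URL
to a helper application (such as help:) are the case the story describes.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes a browser-facing document is normally expected to use (assumption).
ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp"}

# Attributes that carry a URL the browser may navigate to or fetch.
URL_ATTRS = {"href", "src", "action", "data"}


def scheme_of(url):
    """Return the lower-cased scheme of a URL, or '' for a relative URL."""
    return urlsplit(url.strip()).scheme.lower()


class SchemeAuditor(HTMLParser):
    """Collect (tag, attribute, url, scheme) for every non-allowlisted URL."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _check(self, tag, attr, url):
        scheme = scheme_of(url)
        # Relative URLs (no scheme) stay on the current origin; skip them.
        if scheme and scheme not in ALLOWED_SCHEMES:
            self.findings.append((tag, attr, url.strip(), scheme))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name in URL_ATTRS:
                self._check(tag, name, value)
            # <meta http-equiv="refresh" content="0; url=..."> also navigates,
            # so extract the target after "url=" (case-insensitive).
            if tag == "meta" and name == "content":
                idx = value.lower().find("url=")
                if idx != -1:
                    target = value[idx + 4:].strip().strip("'\"")
                    self._check(tag, name, target)


def audit_html(html):
    """Parse an HTML document and return the list of flagged URLs."""
    auditor = SchemeAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample input: two benign links, one image, one help: link,
# and a meta refresh pointing at a help: URL. PLACEHOLDER-PATH is a stand-in.
SAMPLE_HTML = """
<html><body>
<a href="https://example.com/docs">Docs</a>
<a href="/local/page">Relative link (allowed)</a>
<a href="mailto:security@example.com">Contact</a>
<a href="help:runscript=PLACEHOLDER-PATH">Click me</a>
<meta http-equiv="refresh" content="0; URL=help:runscript=PLACEHOLDER-PATH">
<img src="http://example.com/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, scheme in audit_html(SAMPLE_HTML):
        print(f"{scheme}: <{tag} {attr}=...> {url}")
```

Run against the constructed sample, the audit reports exactly the two `help:` targets (the anchor and the meta refresh) and ignores the relative, `https:`, `mailto:` and `http:` URLs. The allowlist approach means any future handler scheme is flagged too, rather than only the one named in this report.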
1. YOUR submission was incorrect! This vulnerability works in ALL browsers!
2. The workaround IS a goddamn workaround and IT DOES work, and IT DOESN'T disable help! Jesus almighty, try it out, it merely disables running help from the browser, not running help from an application.
3. Apple was warned TWO MONTHS ago about this vulnerability! It was openly published on Heise on Saturday. It was all over Mac forums in Germany and the US over the weekend.
4. Since it was openly known (and with no response from Apple for two months), you nice bright guy, I decided to submit a COMPLETE story with a working workaround (it really does work pudge) in order to help Mac users protect themselves, not because of wanting to be in anyone's highlights.
I am going to mail Taco about this pudge. You are guilty, IMO, of neglecting a very serious security vulnerability on OSX, and then neglecting to actually check the facts and then finally posting a story that only helps the knowledge of the exploit spread but with no help to users, and that solely because YOU do not agree with a FACT (it was already known). Disgusting.