Safari Falls Victim to Remote Code Exploit
A user writes, "A new vulnerability has been found in Mac OS X's Safari, which will launch Help.app and run an arbitrary script with a URL like 'help:runscript=...', assuming a known path (which is possible when Safari is set to automount disk images (which is the default)). A nice working demonstration is available on insecure.ws while the incident has been reported on Full-Disclosure."
Can someone please explain how this exploit made it into the browser? This seems so blindingly obvious. In fact, this seems like intended behavior.
Photos.
Nor any other user's work. In fact, if you make a user just for possibly unsafe stuff you're pretty well protected. And with fast user switching it's a breeze.
This exploit also works in Camino as far as I can tell (although I didn't have it set to automount images) using a recent nightly build. I also tried it in IE and it was able to open Help.app without problems.
I have not been able to recreate this exploit in OS X 10.2.8.
Apparently, only versions 10.3.x are affected.
I wonder if this is possible from OS X Mail also. Mail uses WebCore to render HTML and probably shares some settings. The downloading of the dmg is provoked by a meta tag, so unless Mail strips meta info from e-mail, this could affect Mail as well. That eventuality could potentially be a much larger issue than the current method of execution, especially since Mail will render HTML and images unless the mail is marked junk.
You would have to specifically modify the system and, if you know enough to do that, then you get what is coming to you for modifying it.
Seriously, this is kind of like saying "well, this exploit could erase someone's entire hard drive on a linux system if they were running their web browser as root."
Factually true but completely irrelevant.
For the default install this is a problem, but try not to blow it out of proportion by inventing scenarios to make it more serious.
I knew there was a reason that the word 'safe' was quoted in the General tab in Safari's preferences. I guess that same reason is why I deselected it...
This doesn't solve the problem, I know, but it does lessen its severity somewhat.
So if the script does Won't it delete my backup, too?
I think so, but I'm not going to test it and find out.
I thought backing up to a HDD was supposed to be a better idea than using those unreliable CD-R/DVD-R discs. Now I'm not so sure. (I guess I'd better get a tape drive?)
It occurs to me that this problem could be broader than is being portrayed.
Consider: the fundamental issue here is that an OSX web browser -- Safari in the original reports, but apparently also Mozilla, etc. -- is acting as a broker for any URI that the user may come across, delegating the request out to external handler programs. Whether those external programs handle their URIs safely may be an open question.
The problem isn't really that Safari or Help is broken, but that the interaction between them, arising from the URI handling mechanism on OSX, is leading to Unintended Consequences.
OSX can handle many different URI namespaces, some of which seem to be used nowhere other than OSX. I'm having a hard time finding an exhaustive list of the URI protocols that OSX supports, but a partial list includes, in no particular order:
So far, I can think of published vulnerabilities in the telnet:// and now help:// protocols, but is that the end of it, or is the whole framework vulnerable to these sorts of attacks?
I have a hunch that we're just seeing the thin edge of the wedge...
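The two ingredients the thread describes (a meta refresh that pulls down a .dmg so it gets auto-mounted, and a link whose scheme is brokered out to a helper app such as help: or telnet:) are both visible in the HTML before anything runs. Below is an added detection example, not code from the thread or from Apple: it scans a page or HTML e-mail body for those two patterns. The sample HTML and the scheme list are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes the thread names as being handed off to external handler apps on
# OS X. Assumed list for this example; extend it for your own environment.
RISKY_SCHEMES = {"help", "telnet"}


class _Scanner(HTMLParser):
    """Collects (where, url, reason) triples for suspicious references."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases attribute names for us
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content="0; url=http://host/x.dmg" -> browser fetches the target,
            # and a .dmg is auto-mounted under the default Safari settings.
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content") or "", re.I)
            if m:
                self._check(m.group(1).strip(), "meta refresh")
        for key in ("href", "src"):
            if a.get(key):
                self._check(a[key], f"<{tag} {key}>")

    def _check(self, url, where):
        parts = urlsplit(url)
        if parts.scheme.lower() in RISKY_SCHEMES:
            self.findings.append((where, url, f"non-web scheme '{parts.scheme}:' brokered to a helper app"))
        elif parts.path.lower().endswith(".dmg"):
            self.findings.append((where, url, "disk image download (auto-mounted by default)"))


def scan_html(html):
    """Return findings in document order; an empty list means nothing flagged."""
    s = _Scanner()
    s.feed(html)
    return s.findings


# Constructed sample mirroring the thread's description (placeholder path).
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=http://example.test/payload.dmg">
</head><body>
<a href="https://example.test/docs">normal link</a>
<a href="help:runscript=PLACEHOLDER_PATH">click me</a>
<a href="telnet://example.test">old-style link</a>
</body></html>"""

if __name__ == "__main__":
    for where, url, reason in scan_html(SAMPLE_HTML):
        print(f"{where}: {url} -> {reason}")
```

The same scan applies to an HTML e-mail body, which is the case the Mail comment above worries about.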
DO NOT LEAVE IT IS NOT REAL