Yet Another Mac OS X Protocol Handler Exploit

Rosyna writes "Apple just can't get any breaks lately. First the help protocol handler exploit (which has been fixed), then the telnet handler exploit, and now an exploit for any arbitrary protocol handler: make your own, then exploit it. You can auto mount a volume in Mac OS X via the disk, afp, or ftp handlers (and probably others). Paranoid Android will help prevent exploitation until Apple fixes the problem." The hole here is that when a volume with an application on it is mounted, Apple registers the application's specified protocol handlers, without additional user action. Another option is to disable those handlers that allow volume mounting, but playing that game, obviously, isn't a guaranteed win in the long run.

How this hole was discovered

[mst76]

This issue was discovered on the MacNN forum, when they were discussing the previous exploit. The accepted workaround was downloading one of the utilities to change the protocol helpers, but the user kampl refused to have any non-Apple "security fix" on his system (He never acknowledged that the utilities were not sucurity fixes at all, just tools to change user preferences). His solution was to delete the HelpViewer app from his system. One bright member of the forum pointed out that that isn't enough, you could probably just stick the HelpViewer on the .dmg image and LaunchServices would find it there. Another poster realized this might work for any application if you bind it to a bogus protocol in the Info.plist file, so there is no need for HelpViewer at all. A third poster had a sample exploit coded in no time. Apple was promptly notified, so we can expect another fix soon (hopefully).