Yet Another Mac OS X Protocol Handler Exploit
Rosyna writes "Apple just can't get any breaks lately. First the help protocol handler exploit (which has been fixed), then the telnet handler exploit, and now an exploit for any arbitrary protocol handler: make your own, then exploit it. You can auto mount a volume in Mac OS X via the disk, afp, or ftp handlers (and probably others). Paranoid Android will help prevent exploitation until Apple fixes the problem." The hole here is that when a volume with an application on it is mounted, Apple registers the application's specified protocol handlers, without additional user action. Another option is to disable those handlers that allow volume mounting, but playing that game, obviously, isn't a guaranteed win in the long run.
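An added example, not part of the original post and not Apple's or Paranoid Android's code: a defender-side audit that lists which URL schemes the application bundles on a mounted volume declare, since those declarations are what gets registered on mount. `CFBundleURLTypes` and `CFBundleURLSchemes` are the standard Info.plist keys; the function names and the sample bundles are constructed for illustration.

```python
import os
import plistlib
import tempfile

def declared_url_schemes(app_path):
    """Return the URL schemes an .app bundle declares in Contents/Info.plist."""
    plist_path = os.path.join(app_path, "Contents", "Info.plist")
    try:
        with open(plist_path, "rb") as fh:
            info = plistlib.load(fh)
    except Exception:  # missing or malformed plist: nothing readable to report
        return []
    url_types = info.get("CFBundleURLTypes") if isinstance(info, dict) else None
    schemes = set()
    for url_type in url_types if isinstance(url_types, list) else []:
        declared = url_type.get("CFBundleURLSchemes") if isinstance(url_type, dict) else None
        for scheme in declared if isinstance(declared, list) else []:
            if isinstance(scheme, str):
                schemes.add(scheme.lower())  # URL schemes are case-insensitive
    return sorted(schemes)

def audit_volume(root):
    """Map each .app bundle under root (nested ones too) to its declared schemes."""
    findings = {}
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            if name.endswith(".app"):
                app_path = os.path.join(dirpath, name)
                schemes = declared_url_schemes(app_path)
                if schemes:
                    findings[os.path.relpath(app_path, root)] = schemes
    return findings

def demo():
    """Constructed sample volume: one bundle declaring a handler, one without."""
    samples = {
        "Handler.app": {"CFBundleURLTypes": [{"CFBundleURLSchemes": ["ExampleScheme"]}]},
        "Plain.app": {"CFBundleName": "Plain"},
    }
    with tempfile.TemporaryDirectory() as root:
        for name, info in samples.items():
            contents = os.path.join(root, name, "Contents")
            os.makedirs(contents)
            with open(os.path.join(contents, "Info.plist"), "wb") as fh:
                plistlib.dump(info, fh)
        return audit_volume(root)

if __name__ == "__main__":
    print(demo())
```

On a real system, point `audit_volume` at a mount point under `/Volumes` and review any scheme you do not expect a disk image or network share to claim.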
"Apple just can't get any breaks lately."
You make it sound as if this is something that people are doing to Apple or that is like a natural disaster.
It is not. If any manufacturer ships software with security holes, it is that manufacturer's choice: they are trading off security against faster shipment and better (=more expensive) software engineering practices.
And the public relations fallout is also Apple's responsibility: it is, after all, Apple that positioned their system in their paid ads as supposedly "more secure".