
OS X alert: Help Viewer/browser security vulnerability

May 19th 2004 #150860
Member since: Mar 18th 2001
Posts: 1501
Go take care of this. If you find the "More Internet" preference pane disk image slow to D/L, go to the alternate mirror site and get it. Follow the instructions on the page linked below.

(via MacFixit and other sources...)


http://www.macfixit.com/article.php?story=20040519024257161

"We previously reported a potential vulnerability in OS X relating to browsers' use of the help URL protocol. Although this was originally reported by many sources as a Safari vulnerability, it's actually exploitable through any browser that properly supports URLs that include the "help" protocol (e.g., a URL that begins with http://) -- which should be any browser that fully supports OS X's default application helper settings. In fact, through the use of meta "refresh" tags in the source of a Web page, the vulnerability can be exploited without a user even clicking on a "malicious" link."

"In addition, although the original reports around the Web noted the use of Safari's ability to auto-mount disk images -- followed by a help URL that uses Help Viewer's ability to execute AppleScripts, in order to run a malicious script located on the mounted disk image -- this is only one way in which a help URL could be used to cause damage to a user's data."
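A defensive check for the behaviour the quoted MacFixit text describes (a meta "refresh" tag sending the browser to a helper-application URL with no click), as an added example that is not part of the original post or the MacFixit article. The allow-list, function names and sample HTML are assumptions constructed for illustration; the targets are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: only ordinary web schemes may be the target of an automatic redirect.
ALLOWED_SCHEMES = {"http", "https"}
REFRESH_URL = re.compile(r"""url\s*=\s*['"]?\s*([^'";\s>]+)""", re.I)

class MetaRefreshScanner(HTMLParser):
    """Collects meta-refresh targets that hand off to a non-web URL scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k: (v or "") for k, v in attrs}  # parser lowercases names
        if attr.get("http-equiv", "").strip().lower() != "refresh":
            return
        match = REFRESH_URL.search(attr.get("content", ""))
        if not match:
            return  # plain timed reload of the same page, no target URL
        target = match.group(1)
        scheme = urlsplit(target).scheme.lower()
        # Relative targets have no scheme and stay on the same site.
        if scheme and scheme not in ALLOWED_SCHEMES:
            self.findings.append((scheme, target))

def scan(html):
    """Return (scheme, target) pairs for click-free redirects to helper apps."""
    scanner = MetaRefreshScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; the help: and telnet: targets are placeholders.
SAMPLE_HTML = """
<html><head>
<meta http-equiv="refresh" content="5; url=https://example.com/next">
<meta HTTP-EQUIV="Refresh" content="0; URL='help:constructed-placeholder'">
<meta http-equiv="refresh" content="0;url=telnet:constructed-placeholder">
<meta http-equiv="refresh" content="10; url=/local/page.html">
</head><body>constructed test page</body></html>
"""

if __name__ == "__main__":
    for scheme, target in scan(SAMPLE_HTML):
        print(f"auto-redirect to non-web scheme {scheme!r}: {target}")
```
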
May 20th 2004 #150925
Member since: Mar 16th 2001
Posts: 2421
Thanks µ,
I just really hate running patches from third party sites. Don't you think this should be an Apple security update? I know the source you gave is trusted but there are so many false patch links (windows, i.e. mainly) it makes you nervous about any of them ;)
May 20th 2004 #150946
Member since: Mar 18th 2001
Posts: 1501
I'd never post something like that without a thorough investigation first.

That's a trustworthy site, and you have an extra measure of safety because the referral came from ME!
May 21st 2004 #151018
Member since: Mar 18th 2001
Posts: 1690
So refreshing to see that windows isn't the only shoddy os out there...now if only this could happen a bit more often it would reassure me that my wintendo is awesome.
May 21st 2004 #151021
Member since: Mar 18th 2001
Posts: 6632
Pfft. This is a theoretic vulnerability. No one has actually been affected by it yet. As opposed to the hundreds and hundreds of thousands of people affected by Windows vulnerabilities.

Not saying it can't happen on Macs, but it isn't right now.
May 21st 2004 #151085
Member since: Mar 16th 2001
Posts: 2421
[QUOTE=Axiom]So refreshing to see that windows isn't the only shoddy os out there...now if only this could happen a bit more often it would reassure me that my wintendo is awesome.[/QUOTE]

Keep dreaming ;)

And thanks U23...
May 22nd 2004 #151114
Member since: Mar 18th 2001
Posts: 1690
[QUOTE=deker]Pfft. This is a theoretic vulnerability. No one has actually been affected by it yet. As opposed to the hundreds and hundreds of thousands of people affected by Windows vulnerabilities.

Not saying it can't happen on Macs, but it isn't right now.[/QUOTE]


Tell you what...convince Adobe and the guy who makes TopStyle to port their software over to linux, and I will gladly sell my win32 photoshop and topstyle licenses and fire up my debian install disks.

As much as I would love to, I can't afford to buy a mac then buy the new software that I would need to run on it. I have become quite attached to topstyle, have even swapped homesite5 out for it...I couldn't live without it. Unfortunately, GIMP is not a very good alternative to Photoshop :(
May 22nd 2004 #151116
Member since: Mar 16th 2001
Posts: 2421
A "lot" of software vendors will send you free Mac versions of your PC software.
And BBEdit is a great authoring program or dreamweaver.

Adobe screwed me over because I got my Mac when CS just came out. They said there were no more 7.0 versions and I had to pay for the upgrade.... No more 7.0 versions/cd's, yeah sure. Whatever. Adobe sucks at customer service. Macromedia kicks ass. Adobe should take a lesson from them. Just my 2 cents.
May 22nd 2004 #151136
Member since: Mar 18th 2001
Posts: 1690
[QUOTE=pank]A "lot" of software vendors will send you free Mac versions of your PC software.
And BBEdit is a great authoring program or dreamweaver.

Adobe screwed me over because I got my Mac when CS just came out. They said there were no more 7.0 versions and I had to pay for the upgrade.... No more 7.0 versions/cd's, yeah sure. Whatever. Adobe sucks at customer service. Macromedia kicks ass. Adobe should take a lesson from them. Just my 2 cents.[/QUOTE]

I never really needed dreamweaver. For home use, it's too clunky for my needs. I finally convinced my boss I need it at work though. It's good to have a tool that can manage 15,000+ pages. At home, I never have that much.

All I have is a photoshop 6 cd and the photoshop 7 upgrade, so I'd probably be in the same ship you are.
May 22nd 2004 #151157
Member since: Mar 18th 2001
Posts: 1501
Here's some more security info. This addresses some security holes that Apple hasn't addressed with its most recent security update.

I got and installed the suggested preference pane (RCDefaultApp), setting telnet protocol to <disabled>. Took about 2 minutes.

http://daringfireball.net/2004/05/telnet_protocol
http://www.rubicode.com/Software/RCDefaultApp/