Well, this whole topic has been beaten to death, so I will attempt to minimize my contribution.

Apple’s Security Update 2004-05-24 eliminates the need for my Help Viewer hack (see below). However it doesn’t close all of the URI scheme holes.

For details on that topic I’ll send you over to John Gruber at Daring Fireball.

Right! Now back to our regular scheduled programming..

The Mac net is a buzz with this news: There is a vulnerability in OS X that is potentially dangerous. When given a correctly structured (and possibly malicious) URL, Safari (and other browsers) can respond by asking the Help Viewer application to execute an AppleScript on a volume that is not the startup disk. When coupled with a disk image’s ability to auto mount after download we have a serious opportunity for a security exploit.

This is very reminiscent of the AutoStart worm from 1998 that took advantage of a security hole in QuickTime 2.0 and used to infect Syquest and Zip cartridges.

The first fix I documented just removed the execute privilege from the Help Viewer executable. This fix is a little more elegant and only disables AppleScript in Help Viewer.

Better fix:

• cd /System/Library/CoreServices/Help Viewer.app/Contents
• sudo cp Info.plist Info.plist.bck
• sudo pico -w Info.plist
• Scroll to the bottom of the document and change the NSAppleScriptEnabled entry from true to false

There is a benign example of the exploit that you can use to test your systems.

via: macfantic in MacCentral’s comments

Fix:

sudo chmod 444 /System/Library/CoreServices/Help\ Viewer.app/Contents/MacOS/Help\ Viewer

Break again:

sudo chmod 755 /System/Library/CoreServices/Help\ Viewer.app/Contents/MacOS/Help\ Viewer

Untill something better comes along