The Mac net is abuzz with this news: there is a vulnerability in OS X that is potentially dangerous. When given a correctly structured (and possibly malicious) URL, Safari (and other browsers) can respond by asking the Help Viewer application to execute an AppleScript on a volume that is not the startup disk. When coupled with a disk image’s ability to auto-mount after download, we have a serious opportunity for a security exploit.
This is very reminiscent of the AutoStart worm from 1998 that took advantage of a security hole in QuickTime 2.0 and used to infect SyQuest and Zip cartridges.
The first fix I documented just removed the execute privilege from the Help Viewer executable. This fix is a little more elegant and only disables AppleScript in Help Viewer.
Better fix:
cd "/System/Library/CoreServices/Help Viewer.app/Contents"
sudo cp Info.plist Info.plist.bck
sudo pico -w Info.plist
- Scroll to the bottom of the document and change the NSAppleScriptEnabled entry from true to false
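A scripted equivalent of the manual edit above, as an added example that is not part of the original post: it checks whether NSAppleScriptEnabled is on, writes an Info.plist.bck copy, and sets the key to false. The function names and the sample plist are constructed for illustration, and treating string values such as "YES" as enabled is an assumption.

```python
import plistlib
import shutil
from pathlib import Path

KEY = "NSAppleScriptEnabled"  # key named in the fix above

# Constructed sample Info.plist (not copied from a real Help Viewer bundle).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.helpviewer</string>
    <key>NSAppleScriptEnabled</key>
    <true/>
</dict>
</plist>
"""

def is_enabled(value):
    """True for a boolean true or a string spelling of it (assumption)."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("yes", "true", "1")

def disable_applescript(data: bytes):
    """Return (was_enabled, patched_bytes) for plist bytes (XML or binary)."""
    plist = plistlib.loads(data)
    was_enabled = is_enabled(plist.get(KEY, False))
    if was_enabled:
        plist[KEY] = False
        data = plistlib.dumps(plist, fmt=plistlib.FMT_XML, sort_keys=False)
    return was_enabled, data

def patch_file(path, backup_suffix=".bck"):
    """Back up the plist beside itself, then rewrite it only if needed."""
    path = Path(path)
    was_enabled, patched = disable_applescript(path.read_bytes())
    if was_enabled:
        shutil.copy2(path, path.with_name(path.name + backup_suffix))
        path.write_bytes(patched)
    return was_enabled

if __name__ == "__main__":
    changed, out = disable_applescript(SAMPLE_PLIST)
    print("was enabled:", changed)
    print("now enabled:", is_enabled(plistlib.loads(out).get(KEY, False)))
```

Running patch_file a second time leaves the file and the backup untouched, so it can also serve as a check that the setting has not been restored by a system update.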
There is a benign example of the exploit that you can use to test your systems.
via: macfantic in MacCentral’s comments