Exploit 2:

The Mac net is abuzz with this news: there is a vulnerability in OS X that is potentially dangerous. When given a correctly structured (and possibly malicious) URL, Safari (and other browsers) can respond by asking the Help Viewer application to execute an AppleScript on a volume that is not the startup disk. When coupled with a disk image's ability to auto-mount after download, we have a serious opportunity for a security exploit.

This is very reminiscent of the AutoStart worm from 1998, which took advantage of a security hole in QuickTime 2.0 and infected SyQuest and Zip cartridges.

The first fix I documented just removed the execute privilege from the Help Viewer executable. This fix is a little more elegant and only disables AppleScript in Help Viewer.

Better fix:

  • cd "/System/Library/CoreServices/Help Viewer.app/Contents"
  • sudo cp Info.plist Info.plist.bck
  • sudo pico -w Info.plist
  • Scroll to the bottom of the document and change the NSAppleScriptEnabled entry from true to false
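
The same backup-and-edit as a script that also checks the result, as an added example that is not part of the original post. The function names are hypothetical, and it assumes an XML Info.plist in which the `<true/>` or `<false/>` value sits on the line after the `NSAppleScriptEnabled` key; the sample plist is constructed.

```shell
#!/bin/sh
# Added example. Assumes the value is on the line after the key.

# Print the current setting: true, false or missing.
applescript_state() {
    awk '
        prev && /<true\/>/  { print "true";  found = 1; exit }
        prev && /<false\/>/ { print "false"; found = 1; exit }
        { prev = ($0 ~ /<key>NSAppleScriptEnabled<\/key>/) }
        END { if (!found) print "missing" }
    ' "$1"
}

# Back up the plist once (Info.plist.bck), then set the value to <false/>.
# Returns 0 when the setting ends up false, 1 when the key is absent.
disable_applescript() {
    plist=$1
    case $(applescript_state "$plist") in
        false)   return 0 ;;
        missing) echo "NSAppleScriptEnabled not found in $plist" >&2; return 1 ;;
    esac
    [ -e "$plist.bck" ] || cp -p "$plist" "$plist.bck" || return 1
    tmp=$(mktemp "$plist.XXXXXX") || return 1
    awk '
        prev { sub(/<true\/>/, "<false/>") }
        { prev = ($0 ~ /<key>NSAppleScriptEnabled<\/key>/); print }
    ' "$plist" > "$tmp" && cat "$tmp" > "$plist"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && [ "$(applescript_state "$plist")" = false ]
}

# Constructed sample plist for trying the functions away from a real system.
make_sample_plist() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleName</key>
    <string>Help Viewer</string>
    <key>NSAppleScriptEnabled</key>
    <true/>
</dict>
</plist>
EOF
}

# When given a path argument, apply the change to that file (needs sudo
# for the real Help Viewer bundle).
if [ "$#" -gt 0 ]; then disable_applescript "$1"; fi
```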

There is a benign example of the exploit that you can use to test your systems.

via: macfantic in MacCentral’s comments