VideoHelp Forum




  1. Member WiseWeasel's Avatar
    Join Date
    Jan 2003
    Location
    Silicon Valley, CA, USA
    There's a huge security vulnerability in MacOS X for all web browsers. There's a non-malicious example of the seriousness of the problem here:
    http://bronosky.com/pub/AppleScript.htm
    That just runs a harmless script (/usr/bin/du; exit) which scrolls a bunch of text and looks scary, but it could easily have been a script to wipe your home directory, and you could have had some serious data loss.

    [Edit] See the post about using MisFox below for a better way to fix the problem. [/Edit] DO THIS NOW!!!!!
    I like systems, their application excepted. (George Sand, translated from French), "J'aime beaucoup les systèmes, le cas d'application excepté."
  2. Member
    Join Date
    Nov 2003
    Location
    New New York, Year 3000
    Just to clarify, it's /Library/Documentation/Help you want to modify. And yes, you want to do it. Unless you hate yourself or something.
    If it isn't broken, take it apart and find out why.
    blog: deadsierra
  3. Member WiseWeasel's Avatar
    Join Date
    Jan 2003
    Location
    Silicon Valley, CA, USA
    Oh, and it only breaks the general MacOS help. Application help will still work fine. BTW, you might need to rename the folder back to "Help" once you want to apply the patch Apple will release to fix this problem.
    I like systems, their application excepted. (George Sand, translated from French), "J'aime beaucoup les systèmes, le cas d'application excepté."
  4. Member galactica's Avatar
    Join Date
    Jan 2003
    Location
    Under Gateway to Midwest
    JEEZE!!!!!!!!!!!!!!!!!!!!!

    When is Apple going to announce the security update? Tiger?!?
  5. Member The village idiot's Avatar
    Join Date
    Apr 2002
    Location
    Adrift among the STUPID
    Aren't you all glad Macs are making it into greater population :P Attack of the script kiddies
    Hope is the trap the world sets for you every night when you go to sleep and the only reason you have to get up in the morning is the hope that this day, things will get better... But they never do, do they?
  6. Member WiseWeasel's Avatar
    Join Date
    Jan 2003
    Location
    Silicon Valley, CA, USA
    If it means serious vulnerabilities like this get discovered faster, then yes, I am. I just feel fortunate to have found out about this before getting all my (user-owned) data wiped.
    I like systems, their application excepted. (George Sand, translated from French), "J'aime beaucoup les systèmes, le cas d'application excepté."
  7. Member
    Join Date
    Apr 2004
    Location
    Champaign, IL
    HELP is still available. Unless I'm missing something here all you do after you rename the HELP folder to get MacHelp is click on help in the finder. Help launches but nothing happens. Go to Open under the File menu and navigate to Library/Documents/NEWNAME/MacHelp. When you open MacHelp you will have the normal system help, but none of us experts ever needs that -- do we?

    Geriatric
  8. Member galactica's Avatar
    Join Date
    Jan 2003
    Location
    Under Gateway to Midwest
    Note.
    I booted up into 10.2.8 and the problem doesn't exist [didn't change the folder name beforehand]; all it does is open up the OS Help.

    must be a 10.33x thing
  9. No Longer Mod tgpo's Avatar
    Join Date
    Feb 2002
    Location
    The South Side
    Originally Posted by galactica
    Note.
    I booted up into 10.2.8 and the problem doesn't exist [didn't change the folder name beforehand]; all it does is open up the OS Help.

    must be a 10.33x thing
    Nope

    At work on my G5 running 10.2.8 it worked exactly as it said it would.

    I simply told Safari not to open "Safe" files
  10. Member WiseWeasel's Avatar
    Join Date
    Jan 2003
    Location
    Silicon Valley, CA, USA
    Actually, there's a better fix than the one I listed above. You can get the MisFox freeware app for OSX, which is like a missing internet config for MacOS X. You can get MisFox here:
    http://www.clauss-net.de/misfox/misfox.html
    Once you launch MisFox, go to the rightmost tab (Protocol Helpers), and change the 'help' helper application to something else, like TextEdit or something. This will prevent web apps from accessing the Help Viewer app, and causing this damage.
    I like systems, their application excepted. (George Sand, translated from French), "J'aime beaucoup les systèmes, le cas d'application excepté."
  11. Originally Posted by WiseWeasel
    This will prevent web apps from accessing the Help Viewer app, and causing this damage.
    If this fix is utilized, how does one access the help files when desired?
  12. Master of my domain thoughton's Avatar
    Join Date
    Sep 2002
    Location
    England
    WW only got modded +2 on /. neenerneener
    Tim Houghton
    WebsitePhotography
  13. Member WiseWeasel's Avatar
    Join Date
    Jan 2003
    Location
    Silicon Valley, CA, USA
    Check again, I got +4 and +3, both informative . . . take that!!!
    I like systems, their application excepted. (George Sand, translated from French), "J'aime beaucoup les systèmes, le cas d'application excepté."
  14. Member WiseWeasel's Avatar
    Join Date
    Jan 2003
    Location
    Silicon Valley, CA, USA
    Originally Posted by Ladd
    If this fix is utilized, how does one access the help files when desired?
    Actually, the fix with MisFox only prevents web browsers and email clients from accessing the Help Viewer through html code. It does not affect all your apps' ability to access the help viewer through the regular help menu, and everything continues to function properly. This is much better than my first solution of renaming the /library/documentation/help folder, which breaks the MacOS Help, and might prevent Apple from applying an eventual patch for this (should they ever decide to get off their asses and patch this enormous security hole...)
    I like systems, their application excepted. (George Sand, translated from French), "J'aime beaucoup les systèmes, le cas d'application excepté."
  15. Originally Posted by WiseWeasel
    Actually, the fix with MisFox only prevents web browsers and email clients from accessing the Help Viewer through html code. It does not affect all your apps' ability to access the help viewer through the regular help menu, and everything continues to function properly.
    Thanks for the clarification. Misfox downloaded and preference changed.
  16. Member
    Join Date
    Feb 2004
    Location
    United States
    ALL I WANT TO KNOW IS: WHERE IS THE *$#@*!^ FIX FROM APPLE?
  17. Member
    Join Date
    May 2004
    Location
    United States
    Thanks for the tip. I heard of the hole on my ISP's computer help section, but they're all PC types so it wasn't explained. Apple needs to get off their butt. iTunes will run bad script, too. It doesn't check to see if an mp3 really is an mp3 before it opens the file.
  18. Member WiseWeasel's Avatar
    Join Date
    Jan 2003
    Location
    Silicon Valley, CA, USA
    iTunes will not run a script. If you name a script .mp3, it might try to open it, but nothing will happen. If it's one of those trick mp3s that has executable data hidden in the ID3 section of the mp3 file, iTunes will just play the music data. The executable code is only run if you double-click on them. As such, iTunes is not exploitable as a security hole, even if you can launch it as an internet helper app. That is not even close to being a security hole like this Help Viewer issue.
    I like systems, their application excepted. (George Sand, translated from French), "J'aime beaucoup les systèmes, le cas d'application excepté."
  19. Originally Posted by WiseWeasel
    Originally Posted by Ladd
    If this fix is utilized, how does one access the help files when desired?
    Actually, the fix with MisFox only prevents web browsers and email clients from accessing the Help Viewer through html code. It does not affect all your apps' ability to access the help viewer through the regular help menu, and everything continues to function properly. This is much better than my first solution of renaming the /library/documentation/help folder, which breaks the MacOS Help, and might prevent Apple from applying an eventual patch for this (should they ever decide to get off their asses and patch this enormous security hole...)
    Using this fix, I assume Help which some programs use to go to a web site for application help files will no longer work?

    Regarding text edit, how do you navigate through help? Or does it call up one long page of text?
    -Dave
  20. Member WiseWeasel's Avatar
    Join Date
    Jan 2003
    Location
    Silicon Valley, CA, USA
    No, Help Viewer can still access websites, and all of the application-specific and general MacOS help functions will work as expected. You pretty much will never encounter any strange behavior in the help system if you use the MisFox tip I posted. The only thing it will prevent is websites from launching the Help Viewer from your web browser, which is never used, and allows the execution of scripts without your intervention. TextEdit will never actually be activated by the help system. It will just launch (and do nothing) when websites or malicious disk images try to execute code without your consent, instead of launching Help Viewer, which can run scripts automatically.
    I like systems, their application excepted. (George Sand, translated from French), "J'aime beaucoup les systèmes, le cas d'application excepté."
  21. Member
    Join Date
    Jun 2003
    Location
    -> here
    Unsanity has posted a fix too, until Apple releases a fix

    http://www.unsanity.com/haxies/pa/
  22. Thanks for the information.

    Jerry
  23. Member
    Join Date
    May 2004
    Location
    United States
    I did the misfox fix and clicked on the link and it opened text edit and showed the web page, but nothing scrolled or bad happened. Thanks!
  24. I have read many articles and blog postings on this current OS X security issue and I wish to point out to interested readers what I consider the best non-technical explanation of this security issue.

    This explanation can be found in the Thursday, May 20th Daring Fireball blog entry entitled Disabling Unsafe URI Handlers With RCDefaultApp. The posting also contains instructions for a work-around that are easy to perform, plus being a more complete solution than that offered by "misfox".

    This blog posting explains why misfox is good but how RCDefaultApp is better; among other things it allows you to close the "disk" and "disks" handler routines that misfox can't.

    Additionally with RCDefaultApp, when you close or reassign the "help", "disk" and "disks" handlers, it maintains a list of what was used previously to make it easier to return the handler to its original state prior to installing whatever solution Apple provides someday.

    Note: RCDefaultApp is installed as a preference pane, so it involves one step that is not needed by misfox which is an application.

    My appreciation to the folks who described the misfox solution a few days ago; I implemented it immediately upon reading the tip. Allow me to return the favor by pointing readers to a solution that is almost as easy and appears to offer more protection.
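
An added example, not part of any post in this thread and not code from MisFox or RCDefaultApp: a check that the "help", "disk" and "disks" handlers discussed above were actually reassigned, plus the list of previous handlers needed to restore them later. It assumes handler settings exported in the `LSHandlers` plist layout used by LaunchServices preference files in later Mac OS X releases; the bundle identifiers and both sample plists are constructed.

```python
import plistlib

WATCHED = ("help", "disk", "disks")  # schemes named in the thread


def make_plist(mapping):
    """Serialize {scheme: bundle id} as an LSHandlers-style plist (assumed layout)."""
    entries = [{"LSHandlerURLScheme": s, "LSHandlerRoleAll": b}
               for s, b in mapping.items()]
    return plistlib.dumps({"LSHandlers": entries})


def scheme_handlers(plist_bytes):
    """Return {scheme: bundle id}, skipping entries that carry no URL scheme."""
    handlers = {}
    for entry in plistlib.loads(plist_bytes).get("LSHandlers", []):
        scheme = entry.get("LSHandlerURLScheme")
        if scheme:
            handlers[scheme.lower()] = entry.get("LSHandlerRoleAll")
    return handlers


def audit(before_bytes, after_bytes):
    """Classify each watched scheme as reassigned, unchanged or no-entry."""
    before, after = scheme_handlers(before_bytes), scheme_handlers(after_bytes)
    report = {}
    for scheme in WATCHED:
        current = after.get(scheme)
        if current is None:
            report[scheme] = ("no-entry", None)   # system default still applies
        elif current != before.get(scheme):
            report[scheme] = ("reassigned", current)
        else:
            report[scheme] = ("unchanged", current)
    return report


def rollback(before_bytes, after_bytes):
    """Previous handler for every reassigned scheme, for restoring later."""
    before = scheme_handlers(before_bytes)
    changed = audit(before_bytes, after_bytes)
    return {s: before.get(s) for s, (status, _) in changed.items()
            if status == "reassigned"}


# Constructed samples: settings before and after reassigning only "help".
BEFORE = make_plist({"help": "com.apple.helpviewer",
                     "disk": "com.apple.DiskImageMounter"})
AFTER = make_plist({"help": "com.apple.TextEdit",
                    "disk": "com.apple.DiskImageMounter"})

if __name__ == "__main__":
    print(audit(BEFORE, AFTER))
    print(rollback(BEFORE, AFTER))
```

A scheme reported as "unchanged" or "no-entry" is still handled by whatever the system assigns by default, so it has not been closed off.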
  25. Member WiseWeasel's Avatar
    Join Date
    Jan 2003
    Location
    Silicon Valley, CA, USA
    I have no problem with mounting disk images, as long as they can't go and execute code on their own. I like the convenience of images being mounted automatically, and know better than to execute code from an untrusted source. Therefore, the help protocol hole is the only one I'm worried about.
    I like systems, their application excepted. (George Sand, translated from French), "J'aime beaucoup les systèmes, le cas d'application excepté."
  26. Member
    Join Date
    Apr 2004
    Location
    Melbourne, Australia
    Thanks for the advice. Can these solutions be reversed if Apple provide a security update?
  27. Member WiseWeasel's Avatar
    Join Date
    Jan 2003
    Location
    Silicon Valley, CA, USA
    It will automatically make another empty folder called "Help" when you rename the one that's there, but you can easily trash the new empty one, and rename the old one back to "Help" before applying Apple's eventual patch for this. Renaming the "Help" folder isn't the best method for closing this security hole. It's much better to just use the MisFox method, or the one posted by Ladd.
    I like systems, their application excepted. (George Sand, translated from French), "J'aime beaucoup les systèmes, le cas d'application excepté."
  28. Member
    Join Date
    Apr 2004
    Location
    Champaign, IL
    One reason why WW is right that renaming help isn't the best answer is that on my system when I rename help, the next time I start-up there is a new empty help folder in there that appears to be automatically created by the system. Does this happen to everyone else?

    Geriatric
  29. Member WiseWeasel's Avatar
    Join Date
    Jan 2003
    Location
    Silicon Valley, CA, USA
    Yes, it does that for me, and for several people I've talked to (in 10.3.3). That's definitely not the best way to fix the problem. It does still fix it, but it's not ideal, and might interfere with Apple's eventual patch for this.
    I like systems, their application excepted. (George Sand, translated from French), "J'aime beaucoup les systèmes, le cas d'application excepté."
  30. Member
    Join Date
    Apr 2004
    Location
    Melbourne, Australia
    Excuse my ignorance, I have read all this stuff and understood a 1/4 of it and that something bad could happen, now I am worried and don't understand what to do?? I got as far as downloading RCDefault app, it says open this, copy that, blah blah, I don't know if I am doing the right thing or not so I left it, now I am really worried, and F@#K Apple for their inaction on this problem. Can anybody help me with an idiot's guide to install the rcdefault app, please