OSX 10.3 [Panther] service announcement

May. 19th, 2004 01:25 am
jazzfish: an open bottle of ether, and George conked out (Ether George)
[personal profile] jazzfish
Doubtless those of you to whom this applies have seen it already, but just in case you haven't, there's a security hole in Panther that wants patching.

"It is possible to write a URL that, when invoked from one’s default browser, invokes Apple’s Help program, which is itself a mini-browser which uses a subset of HTML. The trouble is that unlike a well-written, full-fledged, OSX browser, the Help program is (a.) fully scriptable; and (b.) fully capable of running any application or command for which the user has privileges."
  • Current Mood: tired
Flat | Top-Level Comments Only

Date: 2004-05-18 10:39 pm (UTC)
From: [identity profile] skreidle.livejournal.com
Well, nothing was posted about it in [livejournal.com profile] macosx, so I passed it on. Eep!

Date: 2004-05-19 04:58 am (UTC)
From: [identity profile] mikailborg.livejournal.com
Until Apple patches this, Safari users can protect themselves with a menu selection and two clicks.

With Safari open and the foremost application, select "Preferences" from the "Safari" menu. Click the "General" icon, and make sure "Open 'safe' files after downloading" is unchecked. Boom, vulnerability gone.

Date: 2004-05-19 11:04 am (UTC)
jazzfish: Jazz Fish: beret, sunglasses, saxophone (Default)
From: [personal profile] jazzfish
You sure? [livejournal.com profile] cwolf disagrees. ["Some of the early primitive examples of this exploit depended on Safari's auto-open behavior and could be foiled by turning it off, but in the general case the exploit does not require Safari to auto-open anything and there are working non-malicious examples of the exploit out there which clearly still function even with Safari auto-open disabled. Also, this is not a Safari problem but a system-wide issue with the handling of help. . . ."]

Well, I was...

Date: 2004-05-19 11:42 am (UTC)
From: [identity profile] mikailborg.livejournal.com
I was sure until this morning, when I read new information similar to what cwolf said.

So I just downloaded the More Internet freeware control panel from versiontracker.com, and set the handler for "help" documents to my Chess program. Not a perfect solution, but it'll keep me safe until the hole is patched.

Date: 2004-05-19 07:40 am (UTC)
From: (Anonymous)
Between this and the recent trojans it's encouraging to see that Macs have developed enough of a presence to warrant such attacks.

Jonathan

Date: 2004-05-19 11:43 am (UTC)
From: [identity profile] mikailborg.livejournal.com
Yeah, quite the backhanded compliment, eh?

Date: 2004-05-19 12:04 pm (UTC)
From: [identity profile] laughin.livejournal.com
I am sure it will get fixed when the next wildlife feline version somes out. ;)
Flat | Top-Level Comments Only

Profile

jazzfish: Jazz Fish: beret, sunglasses, saxophone (Default)
Tucker McKinnon
Words are inadequate

Most Popular Tags

Adventures in Mamboland

"Jazz Fish, a saxophone playing wanderer, finds himself in Mamboland at a critical phase in his life." --Howie Green, on his book Jazz Fish Zen

Yeah. That sounds about right.

Expand Cut Tags

No cut tags