Help Viewer/browser security vulnerability (#3): Terminal fix; Opera immune
Help Viewer/browser security vulnerability (#3): Terminal fix; Opera immune
Continuing our coverage of a potential vulnerability in OS X relating to browsers' use of the help URL protocol (exploitable through any browser that properly supports URLs that include the "help" protocol), there is a new fix that can be applied via the Terminal that does not require disabling/redirecting the Help protocol (as our previous fix entailed) as well as word that the Web browser Opera is immune to the vulnerability.
Terminal-disabled automatic launching This command changes the internal .plist for Help Viewer so that the preference for automatically launching scripts is now "no". Note that you should also disables Safari's "auto open safe files" preference (in the "General" pane of Safari's preferences).
The Terminal command is (one line, spaces after "sudo" "defaults" "write" "" "Info" "Enabled" and "-bool"):
sudo defaults write '/System/Library/CoreServices/Help Viewer.app/Contents/Info' NSAppleScriptEnabled -bool 'no'
[NOTE: A quirk in our publishing system causes the escape character "" (which should be between 'Help' and 'Viewer.app' to be omitted from the above Terminal command when appearing on the main MacFixIt page, causing Terminal to return the error "Unexpected argument -bool; leaving defaults unchanged" when entered. We've changed the command to quote the filename path instead of using the escape character, so it should work properly now.]
Opera immune Several readers have noted that they cannot reproduce produce the exploit browsing with Opera, because it does not support the "help:" protocol, as noted on the opera.mac news-group:
One reader wrote " I tried the demo page http://bronosky.com/pub/AppleScript.htm> with Opera and only got an error message 'The address type is unknown or unsupported.' So far so good?"
Opera developer Rijk van Geijtenbeek" subsequently responded: "Yes :) MacOpera doesn't support the Mac 'help:' scheme. It might be possible to enable it (if you dare) from 'Preferences > Programs and paths'. There is a reason why Opera (on any platform) doesn't enable by deafult passing random strings to the operating system for any registered scheme like 'irc:' or 'rtsp:' or 'edk:' or 'mms:' etc."
Resources