
Help Viewer/browser security vulnerability: more info; another fix


CNET staff

Originally posted May 19.

We previously reported a potential vulnerability in OS X relating to browsers' use of the help URL protocol. Although this was originally reported by many sources as a Safari vulnerability, it's actually exploitable through any browser that properly supports URLs that include the "help" protocol (e.g., a URL that begins with help://) -- which should be any browser that fully supports OS X's default application helper settings. In fact, through the use of meta "refresh" tags in the source of a Web page, the vulnerability can be exploited without a user even clicking on a "malicious" link.

In addition, although the original reports around the Web noted the use of Safari's ability to auto-mount disk images -- followed by a help URL that uses Help Viewer's ability to execute AppleScripts, in order to run a malicious script located on the mounted disk image -- this is only one way in which a help URL could be used to cause damage to a user's data.

An example of a variation that doesn't require that a disk image be mounted or that a malicious script be located on the user's computer is available here. The example at that URL uses JavaScript to take advantage of a help URL. NOTE: Accessing that URL will open Terminal and run a harmless example of the "du" (disk usage) command in order to demonstrate how a help URL could be used to execute a Terminal command without the user needing to download any files. Accessing the page is safe at the time of publication of this story.
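A defensive check for the delivery paths described above (meta "refresh" tags, links and JavaScript), as an added example that is not part of the original article: it scans page source for URLs that use the help scheme. The class and function names, the sample HTML and the placeholder help URLs are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
SCHEME_RE = re.compile(r"^\s*([a-z][a-z0-9+.\-]*):", re.I)
STRING_LITERAL_RE = re.compile(r"""["']([^"']+)["']""")  # quoted strings in script text

class HelperSchemeFinder(HTMLParser):
    """Collects (location, scheme) pairs for watched URL schemes in a page."""
    def __init__(self, watch=("help",)):
        super().__init__()
        self.watch = {s.lower() for s in watch}
        self.findings = []
        self._in_script = False

    def _check(self, where, url):
        m = SCHEME_RE.match(url or "")
        if m and m.group(1).lower() in self.watch:
            self.findings.append((where, m.group(1).lower()))

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content is "SECONDS; url=TARGET"; the browser follows it with no click
            _, _, target = a.get("content", "").partition("=")
            self._check("meta-refresh", target.strip(" '\""))
        for name in ("href", "src", "action"):
            self._check(f"{tag}[{name}]", a.get(name))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for m in STRING_LITERAL_RE.finditer(data):
                self._check("script", m.group(1))

def scan(html, watch=("help",)):
    finder = HelperSchemeFinder(watch)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; the help URLs are inert placeholders.
SAMPLE = """<meta http-equiv="refresh" content="0; url=help://constructed-placeholder">
<a href="http://example.com/help.html">ordinary link</a>
<a href="help://constructed-placeholder">help link</a>
<script>window.location = "help://constructed-placeholder";</script>"""
```

Calling `scan(SAMPLE)` reports the meta refresh, the link and the script assignment, and ignores the ordinary http link whose path merely contains the word "help".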

We posted a "fix" on Monday that involves modifying the OpnApp.scpt script which can be used to run scripts and applications -- there is a copy of the script for each language supported by your installation of OS X -- so that it would no longer be vulnerable to this exploit. However, this fix doesn't take into account that Help Viewer can run any AppleScript directly, so it doesn't protect you from the (admittedly unlikely) scenario where a malicious user took advantage of help URLs to run other scripts located on your hard drive. For an example, click this link, which -- if you're still vulnerable to this exploit -- will run an Apple-provided script for displaying the current date and time.

An easier -- and more thorough -- solution is to simply disable/redirect the help protocol so that it is no longer handled by Help Viewer. (The side effect of this approach is that if an application uses the help URL protocol to communicate with Help Viewer, it will no longer be able to do so. However, Help Viewer will still function normally, so the inconvenience should be fairly minor until Apple provides a more comprehensive fix.)

To use this method, follow these steps:

  1. Download and install the More Internet preference pane.
  2. Open System Preferences and switch to the new More Internet pane.
  3. In the list of protocols on the left, select help.
  4. Either click Remove to remove the help protocol association altogether, or (recommended) click the Change button to choose an alternate application. We suggest something obviously not applicable; a popular choice is the Chess application.

After making this change, help URLs will cause your chosen application to open instead of Help Viewer; since you've hopefully chosen an application that doesn't know what to do with help URLs, nothing will happen. (Don't choose Safari to handle help URLs, since Safari will pass those URLs off to Help Viewer.) Choosing the Chess application is recommended because it's not likely to be launched automatically by the OS or other applications, so if it does launch on its own after making this change, you'll know the reason is that a URL using the help protocol was "opened."
