kronas
17-05-2004, 22:42
lixlpixel has reported a vulnerability in Mac OS X, potentially allowing malicious web sites to compromise a vulnerable system.
The problem is that the "help" URI handler allows execution of arbitrary local scripts (.scpt) via the classic directory traversal character sequence using "help:runscript".
It is reportedly possible to place arbitrary files in a known location, including script files, on a user's system if the Safari browser has been configured to 'Open "safe" files after download' (default behaviour) by asking a user to download a ".dmg" (disk image) file.
This has been confirmed on Macintosh OS X using Safari 1.2.1 (v125.1) and Internet Explorer 5.2.
Solution:
Uncheck 'Open "safe" files after download' in "Safari -> Preferences -> General".
Do not surf the Internet as a privileged user.
Rename the help URI handler.
source: secunia.com
http://secunia.com/advisories/11622/
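
A detection check for the pattern the advisory describes: it scans markup for "help:" URIs that combine "runscript" with a directory traversal sequence. This is an added example, not part of the original post or the Secunia advisory; the function names are hypothetical and the sample URIs are constructed placeholders whose syntax after "help:runscript" is an assumption.

```python
import re
from urllib.parse import unquote

# Any token that starts with the help: scheme, up to a quote, bracket or space.
HELP_URI = re.compile(r"""\bhelp:[^\s"'<>]+""", re.IGNORECASE)

# Constructed sample markup. The text after "help:runscript" is a placeholder;
# its exact syntax is an assumption, not taken from the advisory.
SAMPLE = """\
<a href="help:topic_overview">Open help</a>
<a href="help:runscript=../../placeholder/example.scpt">link</a>
<a href="HELP:runscript=%2e%2e%2f%2e%2e%2fplaceholder/example.scpt">link</a>
<a href="https://example.com/docs/help:about">unrelated</a>
"""

def decode_fully(value, max_rounds=5):
    """Percent-decode repeatedly so nested encodings are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_help_uri(uri):
    """Return which traits of the advisory's pattern a help: URI shows."""
    body = decode_fully(uri).lower()
    reasons = []
    if "runscript" in body:
        reasons.append("runscript")
    # A ".." path segment, whichever separator surrounds it.
    if ".." in re.split(r"[\\/=\s]", body):
        reasons.append("traversal")
    if ".scpt" in body:
        reasons.append("scpt")
    return reasons

def scan(text):
    """Return (line number, URI, reasons) for every help:runscript URI."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in HELP_URI.finditer(line):
            reasons = classify_help_uri(match.group(0))
            if "runscript" in reasons:
                findings.append((lineno, match.group(0), reasons))
    return findings

if __name__ == "__main__":
    for lineno, uri, reasons in scan(SAMPLE):
        print(f"line {lineno}: {uri} -> {', '.join(reasons)}")
```

Ordinary help: links and URLs that merely contain "help:" in their path are matched but not reported, because only URIs carrying "runscript" are returned.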