A potentially serious security flaw has been identified in Mac OS X. The attack exploits a vulnerability in the Help Viewer application and allows local scripts to be run just by visiting a web address, using the help: protocol handler. The situation is made worse by the possibility of unwittingly downloading a disk image (.dmg) loaded with malicious content, which can then be executed using the Help Viewer vulnerability. This could allow a determined attacker to wreak havoc on a user's home directory.
To test if your system is vulnerable to this attack, open this benign example of the exploit in a new window. It will open the Help Viewer application, and in turn run a harmless but scary-looking Terminal script.
As far as I know, this exploit has not caused any damage to anyone, and it is simple to secure your system against attack. There are several ways to do this, many involving changing the application that handles the help: protocol. However, this approach means that no help files can be accessed. I found the following tip effective against the example exploits:
Rename the folder at /Library/Documentation/Help to something like
To prevent a browser from helpfully recreating the Help folder, create a blank symbolic link in the Terminal:
ln -s /dev/null /Library/Documentation/Help
This will mean that the system help files will not be accessible via Help Viewer, but application help files should still work fine. When Apple release a fix (expect one soon) then remember to delete the link and rename the Help folder back to its original name.
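To confirm the workaround is in place, and still in place after later browsing, the state of the path can be checked from the Terminal. The script below is an added example, not part of the original tip; the function name help_workaround_status and its status strings are assumptions made for illustration, and the default path is the one given above.

```shell
#!/bin/sh
# Added example: report whether the Help folder workaround is applied.
# help_workaround_status is a hypothetical helper name; the default
# path is the one from the tip above.

help_workaround_status() {
    path="${1:-/Library/Documentation/Help}"

    if [ -L "$path" ]; then
        # A symlink exists: the workaround holds only if it points at /dev/null.
        target=$(readlink "$path")
        if [ "$target" = "/dev/null" ]; then
            echo "mitigated"
        else
            echo "symlink-elsewhere:$target"
        fi
    elif [ -d "$path" ]; then
        # A real directory: never renamed, or recreated after the rename.
        echo "not-applied"
    elif [ -e "$path" ]; then
        # Something else (a regular file, for instance) occupies the path.
        echo "unexpected-file"
    else
        # Folder renamed away but no placeholder link was created,
        # so nothing stops the folder from being recreated.
        echo "missing"
    fi
}

# Check the path given as the first argument, or the default location.
help_workaround_status "$@"
```

Anything other than "mitigated" means the rename or the ln -s step needs to be repeated.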
OS X has a very good security record so far, and this is an unexpected lapse. But as many commentators have said, it would have been nice if Apple had been more upfront about this exploit, and they need to shake a leg and get this flaw patched ASAP.