OS X Help System Can Run Attacker's Scripts

Summary: Posts to security mailing lists today described flaws in OS X's Web browser help facility. When a browser encounters a link that begins with "help:", OS X activates a special protocol helper (the Help Viewer application) to interpret and present online help pages. A flaw in Help Viewer means an attacker who entices one of your users to a malicious Web page could execute code on that user's OS X machine. Administrators with OS X systems on their network should implement the workarounds in the Solution Path section of this alert until a patch is available.

Exposure: In posts to security mailing lists, a security researcher calling himself lixlpixel described a flaw in how OS X Web browsers handle links that begin with "help:". When a browser encounters such a link, it checks its protocol-helper settings to see which application should open it. By default, both Safari and Internet Explorer hand "help:" links to the Help Viewer application. Help Viewer includes a special function called "runscript" that executes a script. Because any Web page can contain a "help:" link, a hacker who entices your OS X users to a specially crafted page can use this function to run his scripts on their computers.

Lixlpixel also described an insecure default setting in Safari and Internet Explorer. Both browsers classify some types of Web content as "safe" (for example, text files and pictures), and by default they open "safe" files automatically as soon as they have been downloaded. One of the file types classified as "safe" is a disk image (.dmg). An attacker can label his attack code as a .dmg file, knowing that if a user downloads it, the browser will open it automatically and leave the attack code in a known location on the Mac, where a "help:" link can direct the "runscript" function to execute it. Thus, if your user merely clicks a link that starts the download, the attack code could run without any further user interaction. Note: these vulnerabilities work with both Internet Explorer and Safari.
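One compensating check a practitioner can run while the helper change is being rolled out is to scan Web content (a cached page, a mail attachment, or a proxy-captured response) for links that the browser would hand to Help Viewer. The Python detector below is an added example and is not code from this alert, from the researcher, or from Apple. The page it scans is constructed, and the "runscript=/path/..." URL form and the file paths in it are placeholders, since the alert does not give the real syntax of a runscript link; the code only looks for the "runscript" token inside a "help:" URL. It flags any URL with the "help:" scheme, rates those naming "runscript" highest, and also reports .dmg downloads because of the auto-open chain described above. It normalizes case, embedded tabs and newlines, HTML entities and repeated percent-encoding so that trivial obfuscation of the scheme does not slip past.

```python
"""Flag Web-page links that would be handed to the OS X Help Viewer.

Added example for this alert, not the researcher's or Apple's code.  Any
URL whose scheme is "help:" is reported (the browser passes it to Help
Viewer); one naming the "runscript" function is rated high; .dmg downloads
are reported too, since the alert describes a browser auto-opening a .dmg
to stage a script at a known path.  The "runscript=/path" form and the
paths in the sample page are placeholders, not the real syntax.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes whose value the browser will fetch or navigate to.
URL_ATTRS = ("href", "src", "action", "data", "background")
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def normalize_url(raw):
    """Undo cheap scheme obfuscation: drop embedded tab/CR/LF and outer
    whitespace, percent-decode repeatedly (bounded) so "%68elp:" and
    "%2568elp:" become "help:", and lowercase only the scheme."""
    url = re.sub(r"[\t\r\n]", "", raw).strip()
    for _ in range(3):  # bounded so hostile input cannot loop forever
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    m = _SCHEME_RE.match(url)
    if m:
        url = m.group(1).lower() + url[m.end() - 1:]
    return url


def classify_url(raw):
    """Return (severity, reason, normalized_url) or None for a benign URL."""
    url = normalize_url(raw)
    m = _SCHEME_RE.match(url)
    scheme = m.group(1) if m else ""
    if scheme == "help":
        if "runscript" in url.lower():
            return ("high", "help: URL invoking the Help Viewer runscript function", url)
        return ("medium", "help: URL handed to Help Viewer", url)
    path = re.split(r"[?#]", url.lower(), maxsplit=1)[0]
    if scheme in ("http", "https", "ftp", "") and path.endswith(".dmg"):
        return ("low", "disk image download (auto-opened as a 'safe' file)", url)
    return None


class LinkExtractor(HTMLParser):
    """Collect every URL a page can make the browser follow: link/src
    attributes, <meta http-equiv="refresh"> targets and string literals in
    inline <script>.  HTMLParser decodes entities in attribute values, so
    "&#104;elp:" already reads "help:" here."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS:
            if attrs.get(name):
                self.urls.append(attrs[name])
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            parts = (attrs.get("content") or "").split(";", 1)
            if len(parts) == 2 and parts[1].strip().lower().startswith("url="):
                self.urls.append(parts[1].strip()[4:].strip("'\" "))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # location = 'help:...' assignments in scripts
            self.urls.extend(re.findall(r"""["']([^"']+)["']""", data))


def scan_html(html):
    """Parse a page and return the suspicious URLs found in it, in order."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return [hit for hit in map(classify_url, parser.urls) if hit]


# Constructed sample page (not a captured exploit); paths are placeholders.
SAMPLE_PAGE = """<html><body>
<a href="http://www.example.com/docs/">Documentation</a>
<a href="help:anchor=intro">Open the built-in help</a>
<a href="HELP:runscript=/path/to/payload.scpt">Free screensaver</a>
<a href="%68elp:runscript=/path/to/payload.scpt">Mirror</a>
<a href="http://www.example.com/files/payload.dmg">Download</a>
<meta http-equiv="refresh" content="0;url=help:runscript=/path/to/payload.scpt">
<script>window.location = 'help:runscript=/path/to/payload.scpt';</script>
</body></html>"""

if __name__ == "__main__":
    for severity, reason, url in scan_html(SAMPLE_PAGE):
        print(f"[{severity:6}] {reason}: {url}")
```

Run against the sample page it reports six findings: the plain "help:anchor=" link at medium, the .dmg download at low, and the four runscript variants (upper-case scheme, percent-encoded scheme, meta refresh and inline script) at high. A benign "help:" link is still reported on purpose: with the workaround in place every "help:" link is dead anyway, and an administrator wants to know which internal pages rely on them.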
Both browsers are affected because both use the same insecure default settings and both use Help Viewer as the protocol helper for "help:" links.

Lately, many Apple OS X security flaws have surfaced. Besides this new Help Viewer flaw and the four flaws corrected by Apple's recent security patch, an OS X Trojan was recently discovered spreading on P2P networks such as LimeWire. Disguised as a free Word 2004 demo, this Trojan deletes the user's Home folder if run. The point is that no operating system is invulnerable to security flaws. Apple users should increase their vigilance, as attacks on Macs have become more common since the release of OS X.

Solution Path: There is no patch for this flaw yet. The only suggested workaround is to associate the "help:" protocol with some application other than Help Viewer, so that a malicious page trying to exploit this flaw cannot reach the vulnerable application. The trade-off is that users who rely on the online help system will not be able to reach it in most cases. You're the lucky person who gets to decide whether to tighten security while inconveniencing some users, or keep users happy while running a greater security risk. If you have many OS X machines on your network, try the workaround on one machine first so you can determine whether the change cuts off resources your users need. If you decide in favor of security, there are two ways to change your protocol-helper settings.

Using Internet Explorer - Run Internet Explorer and choose Explorer => Preferences => Network (in the left column) => Protocol Helpers. Find and highlight the "help" protocol and click "Change". Press the "Choose Helper" button and pick any application other than Help Viewer.
The application you choose will not actually interpret help pages; the point is simply to keep the attacker away from the flawed Help Viewer function (for example, one researcher picked a harmless chess program as the helper).

Using MoreInternet - OS X doesn't ship with a utility for changing protocol helpers. However, the free utility MoreInternet performs the same function as the Protocol Helpers pane in Internet Explorer's Preferences. Once you've downloaded and installed it, run it and follow its instructions to associate "help:" with any application other than Help Viewer.
Remember, these changes will prevent "help:" links from functioning properly, and whatever application you assign as the helper will launch whenever a user encounters such a link. You'll also need to make the change on every OS X machine on your network.

Copyright © 2004