Coming of Age in Cupertino

The celebrations have been somewhat muted, but Mac OS X now has a real, live exploit. It’s not a virus or a worm but a security flaw in Help that can be exploited by a web browser. Like the recent trojan scare, the Help bug was discovered by a nice Mac user, not an evil hacker - unless someone exploits the exploit before Apple patches it, we still won’t have made a splash in the big world of PC viral malice.

Insecure.ws has an announcement about the problem, Jay Allen has a good discussion, and macosxhints [fixed link] goes into it as well.

Here’s the short form: Help will run any AppleScript you tell it to. Most, if not all, Mac browsers will pass the help: protocol to, not surprisingly, the Help Viewer. Here’s a (harmless) example: help:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt.

There has to be a script somewhere for Help to run. Where would it come from? If you have Safari set up to automatically open disk images (.dmg files) it can come from there, but unfortunately there’s also a disk: protocol that Mac browsers can use to open a remote disk image. People have advised that you turn off the auto-open option and disable the disk protocol, or alternately that you chmod 000 Help or otherwise hack the misbehaving Help program.

It sounds like the best approach is to disable the help: protocol itself. That’s all I did - I didn’t bother with disk:. I hear you can use IE to change the help protocol’s behavior, but I did it by downloading and installing the MoreInternet pref panel, opening System Preferences, and changing the helper for the help protocol. I set the protocol to open TextEdit rather than Help. TextEdit will sit there and look confused when Safari passes it a help: request, but no harm is done.

If for some reason you want to undo this change - say, when Apple patches the problem, or to test the link above like I just did - you can find Help at /System/Library/CoreServices/Help Viewer.app when MoreInternet or IE asks for your new helper application. MoreInternet makes the changes live so you don’t have to reboot or close any browsers. I can’t vouch for the IE approach.
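For checking saved pages or proxy captures for the help: and disk: links described above, here is an added example (not part of the original post or any Apple tool). It is a small Python scanner, and the function names, finding labels and sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Schemes named in the post. A match must start a value or follow a delimiter,
# so a path such as "https://host/help:about" is not flagged.
URL_RE = re.compile(r"""(?<![^\s"'=;(])(help|disk):(?=\S)([^"'<>)]*)""", re.I)

def classify(scheme, rest):
    rest = unquote(rest).lower()          # catch ..%2F as well as ../
    if scheme.lower() == "disk":
        return "disk-image-mount"
    if "runscript=" in rest:
        return "help-runscript-traversal" if "../" in rest else "help-runscript"
    return "help-other"

class SchemeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []                # (location, kind, url) tuples
    def _scan(self, where, text):
        # Browsers drop tabs and newlines inside URLs, so remove them first.
        text = re.sub(r"[\t\r\n]", "", text or "")
        for m in URL_RE.finditer(text):
            kind = classify(m.group(1), m.group(2))
            self.findings.append((where, kind, m.group(0).strip()))
    def handle_starttag(self, tag, attrs):   # attribute values arrive entity-decoded
        for name, value in attrs:
            self._scan(f"<{tag} {name}>", value)
    def handle_data(self, data):             # inline script and text nodes
        self._scan("text/script", data)

def scan_html(doc):
    scanner = SchemeScanner()
    scanner.feed(doc)
    scanner.close()
    return scanner.findings

# Constructed sample page; host and file names are placeholders.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0;url=disk://example.invalid/sample.dmg">
</head><body>
<a href="HELP&#58;runscript=../../Scripts/Info Scripts/Current Date &amp; Time.scpt">date</a>
<iframe src="help:runscript=..%2F..%2FScripts/Info%20Scripts/Current%20Date.scpt"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

The scanner reports entity-encoded, mixed-case and percent-encoded forms of the same link, and it catches a disk: URL tucked into a meta refresh as well as one in an href.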

While I was mac-geeking, I also downloaded Camino 0.8 and followed this Surfin’ Safari-based macosxhint to make Safari seem to load pages faster. Here’s the short form - a Terminal command:

defaults write com.apple.Safari WebKitInitialTimedLayoutDelay 0.25

Quit Safari before running it. I’m on dial-up, so I’m not sure it will help me much.
