Safari vulnerability

pb
Posted:
in Mac Software edited January 2014
Just found this proof of concept for a Safari vulnerability. It says it can execute code remotely.



Quote:

A new vulnerability has been discovered. Using the runscript function of the MacOSX's Help.app application, which is callable from Safari, we can execute code remotely.



This proof of concept is simply a real life example of the vulnerability. It will not damage or really compromise your computer: the source script is included with the code which will be executed.



Since I am not right now on a Mac, can anyone try it and tell us what happens? The severity of the exploit is considered high. Is this true?

Comments

  • Reply 1 of 6
    pb Posts: 4,255 member
    Never mind, the vulnerability is being discussed at macnn, and it seems to be pretty big. Microsoft grade I would say!
  • Reply 2 of 6
    costique Posts: 1,084 member
    OMFG! I didn't even know that WebKit supports launching AppleScripts. It simply must be removed. Nay, web browsers must not be able to execute or launch anything by definition. Really scary.
  • Reply 3 of 6
    opuscroakus Posts: 317 member
  • Reply 4 of 6
    macsrgood4u Posts: 3,007 member
    Check Software Update for the download.
  • Reply 5 of 6
    stoo Posts: 1,490 member
    Was that about a week from announcement to fix? Not too shabby Apple, except for the Software Update timeouts. I guess that the world and their dog are downloading it.
  • Reply 6 of 6
    aquatic Posts: 5,602 member
    Quote:

    OMFG! I didn't even know that WebKit supports launching AppleScripts. It simply must be removed. Nay, web browsers must not be able to execute or launch anything by definition. Really scary.








    Are you being serious? I think this is a great convenience. And it isn't really a vulnerability, I mean computers do what you tell them. In Prefs it asks if you want to let Safari "process safe downloads." That's what this whole issue is right? Well if you don't want Safari to do this, just uncheck that. What's so bad about that?