Everyone read this, exploit!!
There is a very serious exploit, either turn your Mac OS X help viewer completely "no access" via permissions (record the settings) or remove it from your computer. Save it on cd.
Just by visiting a web site, a dmg will download in seconds and execute code.
http://www.insecure.ws/article.php?s...04051612423136
See here for proof of concept. (it's harmeless)
http://www.free-go.net/insecure/safari/0x04_test.html
Iv'e said it before and I'm saying it again, Apple you need to employ a system level check that will halt malicious or compromised websites from automatically downloading material to our computers.
You also need to employ a outgoing optional check as well, like Little Snitch does.
We love you and your no where as dangerous as Microsoft software.
But get the word out now! Thank you.
Just by visiting a web site, a dmg will download in seconds and execute code.
http://www.insecure.ws/article.php?s...04051612423136
See here for proof of concept. (it's harmeless)
http://www.free-go.net/insecure/safari/0x04_test.html
Iv'e said it before and I'm saying it again, Apple you need to employ a system level check that will halt malicious or compromised websites from automatically downloading material to our computers.
You also need to employ a outgoing optional check as well, like Little Snitch does.
We love you and your no where as dangerous as Microsoft software.
But get the word out now! Thank you.
Comments
Thanks for the pointer.
Problem is Help Viewer still runs scripts.
My choice? I say we leave and nuke the whole site from orbit.
It's the only way to make sure.
"Don't Go There GURLFriend" (whose top link leads to .dmg with before & after testing function for validation)
tested myself and it seems to fix the problem beyond what unticking safari's 'open safe after d/l" does
YMMV
On the other hand, Apple needs to spend more effort on security considerations while adding features to the product. We don't want to be degraded to the M$ scenario.
heh. Help Viewer crashed when I opened it
That means it worked, right?
But a guy on that web page says you should do it for disk: protocol as well. What's the disk: protocol? There's nothing called that in the Moire Prefs pane.
Or exploiting a flaw in Mail or anything else to get Help Viewer to run scripts?
Somebody already has reported they got a gif in a email and Help Viewer opened and wiped their home directory.
already on TechTv I saw a graphic of the Apple apple riddled with holes like swiss cheese.
bummer.
Repair permissions and apply.
1) How many exploits are found and the severity of them
2) How fast Apple plugs these exploits
3) How much safer the OS is after the security patch.
Mac OS X is software. Software has holes in it. Apple will fill them up.
I feel so much safer on Mac OS X than I ever did on Windows.
Mike