|
Mac OS X URI Handler Arbitrary Code Execution
|
|
|
|
|
Secunia Advisory:
|
SA11622
|
|
|
Release Date:
|
2004-05-17
|
|
Last Update:
|
2004-05-22
|
|
|
Critical:
|
Extremely critical
|
|
Impact:
|
System access
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| OS: | Apple Macintosh OS X
|
|
| | CVE reference: | CVE-2004-0485 (Secunia mirror)
CVE-2004-0486 (Secunia mirror)
|
|
|
Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS! |
|
|
Description:
Two vulnerabilities have been reported in Mac OS X, allowing malicious web sites to compromise a vulnerable system.
1) The problem is that the "help" URI handler allows execution of arbitrary local scripts (.scpt) via the classic directory traversal character sequence using "help:runscript".
2) It is also possible to silently place arbitrary files in a known location, including script files, on a user's system using the "disk" URI handler. Files on disk images can be executed without using the "help" URI handler.
Various variants of the URI handler vulnerabilities are currently being discussed.
This has been confirmed on Macintosh OS X using Safari 1.2.1 (v125.1) and Internet Explorer 5.2. Other browsers and applications supporting URI handlers may also be used as attack vectors.
NOTE: The rating has been upgraded to "Extremely Critical" because the issues are very easy to exploit and a large number of working exploits are available.
Solution:
Apple has issued patches:
Mac OS X 10.2.8:
http://wsidecar.apple.com/cgi-bin/nph...amp;method=sa/SecUpd2004-05-24Jag.dmg
Mac OS X 10.3.3:
http://wsidecar.apple.com/cgi-bin/nph...amp;method=sa/SecUpd2004-05-24Pan.dmg
Other mitigating actions include the following 3 steps:
1) Uncheck ("Open "safe" files after downloading").
2) Change the protocol helpers (applications) for URI handlers which are not required, especially "help".
3) Add a protocol helper (application) for "disk".
Best practices recommendations:
Do not visit untrusted web sites.
Do not surf the Internet as a privileged user.
Provided and/or discovered by:
Various persons and web sites has reported and discussed these issues.
Apple credits lixlpixel and René Puls with the discovery of these issues.
Changelog:
2004-05-18: Increased criticality and updated description and solution based on various reports about new exploits and variants.
2004-05-19: Updated solution.
2004-05-21: Updated solution and description.
2004-05-22: Updated solution: Apple has issued patches. Added links to US-CERT vulnerability notes.
Original Advisory:
http://fundisom.com/owned/warning
Other References:
US-CERT VU#210606:
http://www.kb.cert.org/vuls/id/210606
US-CERT VU#578798:
http://www.kb.cert.org/vuls/id/578798
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
126 Related Secunia Security Advisories, displaying 10
|
|
|
1. Mozilla Firefox 3 on Mac OS X GIF File Handling Code Execution
|
|
2. Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
|
|
3. Apple Mac OS X ARDAgent Privilege Escalation Vulnerability
|
|
4. Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
|
|
5. Apple iCal Memory Corruption Vulnerability
|
|
6. Mac OS X Security Update Fixes Multiple Vulnerabilities
|
|
7. Apple Mac OS X "ipcomp6_input()" Denial of Service
|
|
8. Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
|
|
9. Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
|
|
10. Mac OS X Java Multiple Vulnerabilities
|
Show all related advisories
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|
