|
Mac OS X URI Handler Arbitrary Code Execution
|
|
Secunia Advisory:
|
SA11622
|
|
|
Release Date:
|
2004-05-17
|
|
Last Update:
|
2004-05-22
|
|
Popularity:
|
110,384 views
|
|
|
Critical:
|
Extremely critical
|
|
Impact:
|
System access
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| OS: | Apple Macintosh OS X
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
| CVE reference: | CVE-2004-0485
CVE-2004-0486
|
|
Description:
Two vulnerabilities have been reported in Mac OS X, allowing malicious web sites to compromise a vulnerable system.
1) The problem is that the "help" URI handler allows execution of arbitrary local scripts (.scpt) via the classic directory traversal character sequence using "help:runscript".
2) It is also possible to silently place arbitrary files in a known location, including script files, on a user's system using the "disk" URI handler. Files on disk images can be executed without using the "help" URI handler.
Various variants of the URI handler vulnerabilities are currently being discussed.
This has been confirmed on Macintosh OS X using Safari 1.2.1 (v125.1) and Internet Explorer 5.2. Other browsers and applications supporting URI handlers may also be used as attack vectors.
NOTE: The rating has been upgraded to "Extremely Critical" because the issues are very easy to exploit and a large number of working exploits are available.
Solution:
Apple has issued patches:
Mac OS X 10.2.8:
http://wsidecar.apple.com/cgi-bin/nph...amp;method=sa/SecUpd2004-05-24Jag.dmg
Mac OS X 10.3.3:
http://wsidecar.apple.com/cgi-bin/nph...amp;method=sa/SecUpd2004-05-24Pan.dmg
Other mitigating actions include the following 3 steps:
1) Uncheck ("Open "safe" files after downloading").
2) Change the protocol helpers (applications) for URI handlers which are not required, especially "help".
3) Add a protocol helper (application) for "disk".
Best practices recommendations:
Do not visit untrusted web sites.
Do not surf the Internet as a privileged user.
Provided and/or discovered by:
Various persons and web sites has reported and discussed these issues.
Apple credits lixlpixel and René Puls with the discovery of these issues.
Changelog:
2004-05-18: Increased criticality and updated description and solution based on various reports about new exploits and variants.
2004-05-19: Updated solution.
2004-05-21: Updated solution and description.
2004-05-22: Updated solution: Apple has issued patches. Added links to US-CERT vulnerability notes.
Original Advisory:
http://fundisom.com/owned/warning
Other References:
US-CERT VU#210606:
http://www.kb.cert.org/vuls/id/210606
US-CERT VU#578798:
http://www.kb.cert.org/vuls/id/578798
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
