Apple released a cumulative security update on May 3, 2005. This update fixes a number of remote and local vulnerabilities that may be exploited to completely compromise a system running Mac OS. The critical vulnerabilities that can be remotely exploited and have been fixed are: (a) The "x-man-page://" URL is designed for man page look-ups, and is handled by the terminal program. Mac OS does not properly sanitize the URL; hence, it is possible to inject certain characters in the URL and execute arbitrary commands on a user's system. A proof-of-concept exploit has been publicly posted. [...]
This could have been fixed last June
In a previous note I talked about the security problems that would continue to flow from providing only one set of helper applications to choose from, instead of providing separate sets for programs to use when handling URLs that could only have come from the user and URLs that may be injected by an attacker attempting to get local access.
This is one of them. If Apple had really fixed LaunchServices last June, they would have eliminated this whole class of attack. Instead, every helper application that has registered a URI with LaunchServices is a potential exploit, whether Apple provided it or not.
Lynx-enhanced by <peter at taronga.com> (Peter da Silva)
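The split the note argues for, sketched as an added example (not Apple's LaunchServices API and not code from the original post): one handler table for URLs the user supplied and a narrower one for URLs that arrived in untrusted content, with the man-page helper still validating its argument. The `Origin` type, the handler names, the `x-man-page://[section/]name` form and the topic allowlist are assumptions made for illustration.

```python
import re
from enum import Enum
from urllib.parse import urlsplit, unquote


class Origin(Enum):
    USER = "user"            # typed or chosen by the local user
    UNTRUSTED = "untrusted"  # arrived in a web page, mail message, etc.


# Hypothetical registries; the strings stand in for helper applications.
USER_HANDLERS = {
    "http": "browser", "https": "browser", "mailto": "mail",
    "x-man-page": "terminal-man-viewer",
}
# Only helpers written to cope with hostile input are registered here.
UNTRUSTED_HANDLERS = {"http": "browser", "https": "browser", "mailto": "mail"}

# Assumed allowlist: optional "section/" prefix, then a plain page name.
MAN_TOPIC = re.compile(r"(?:[0-9][a-z]*/)?[A-Za-z0-9][A-Za-z0-9._+-]*")


def resolve(url, origin):
    """Return (handler, argument) for url, or raise if policy forbids it."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    table = USER_HANDLERS if origin is Origin.USER else UNTRUSTED_HANDLERS
    handler = table.get(scheme)
    if handler is None:
        # Default deny: a scheme absent from this origin's table never launches.
        raise PermissionError(f"no {origin.value} handler for scheme {scheme!r}")
    if scheme == "x-man-page":
        # Decode first, then validate, so percent-encoding cannot hide characters.
        topic = unquote(parts.netloc + parts.path).strip("/")
        if not MAN_TOPIC.fullmatch(topic):
            raise ValueError("man page topic contains characters outside the allowlist")
        return handler, topic
    return handler, url


if __name__ == "__main__":
    # Constructed sample URLs, resolved once per origin.
    for sample in ("x-man-page://ls", "https://example.com/"):
        for origin in Origin:
            try:
                print(origin.value, sample, "->", resolve(sample, origin))
            except (PermissionError, ValueError) as exc:
                print(origin.value, sample, "-> refused:", exc)
```
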