Existing users, 
 Don't go there GURLfriend! - 1.1Fixes the help:// exploit |
|
||||||||||||||
|
|||||||||||||||
Feedback Summary:
| This Version: | |||||
| Overall Rating: | Not rated (0.0) | Features: | Not rated (0.0) | Support: | Not rated (0.0) |
| Ease of Use: | Not rated (0.0) | Quality / Stability: | Not rated (0.0) | Price: | Not rated (0.0) |
Key to Types of Feedback:
Reviews 
Troubleshooting 
Usage Tips 
Developer Notes 
Commentary 
Featured Reviews
This is the first truly critical security flaw in OS X - Version: 1.1, 5/19/2004 10:58PM PST
MacHFC DEV
Whatever. There have been local/remote attacks allowing users to gain root access to OS X. That is far more dangerous than an applescript exploit. Apple fixed it quick enough. Get a clue, man.
Another alternative - Version: 1.1, 5/19/2004 05:02PM PST
(1 of 2 users found this comment useful)
morgancain
As posted by jhurshman on Macfixit, you can do this to edit your Info.plist inside the Help appilcation from Terminal:
sudo cp /System/Library/CoreServices/Help\ Viewer.app/Contents/Info.plist /System/Library/CoreServices/Help\ Viewer.app/Contents/Info.plist.original; checkLine=`grep -n 'NSAppleScriptEnabled' /System/Library/CoreServices/Help\ Viewer.app/Contents/Info.plist.original | awk -F : '{print $1}'`; theLine=`echo "$checkLine + 1" | bc`; sed -e "$theLine s/true/false/g" /System/Library/CoreServices/Help\ Viewer.app/Contents/Info.plist.original > ~/Info.plist.nu; sudo cp ~/Info.plist.nu /System/Library/CoreServices/Help\ Viewer.app/Contents/Info.plist
OR if you're paranoid and want to do it manually, you can walk through this recipe (again from Terminal):
sudo -s [enter password] vi /System/Library/CoreServices/Help\ Viewer.app/Contents/Info.plist type '/NSApple' to search for NSApplescriptEnabled down-arrow to next line after NSApplescript, use 'x' key to delete the word 'true' type 'i' key for insert mode, type 'false', hit 'esc' key type 'ZZ' to quit and save exit; exit Your results should look something like this in the area you edited: <key>NSApplescriptEnabled</key> <false/>And basically, what you are doing is editing the NSApplescriptEnabled key in the Info.plist file inside the Help View application to be false instead of true.
Works for me!
PS: Trying to post special characters in comment here at VT is like hammering nails with your forehead!
Does it change 'em all? - Version: 1.0, 5/19/2004 07:50AM PST
(1 of 1 users found this comment useful)
JimT3
I haven't bothered to use this program. Instead I used More Internet to change my help:// URI handler. Not a perfect solution, but a better one.
What I'm curious about is whether or not it changes all OpenApp.scpt files on the machine. The issue doesn't exist simply with the OpenApp.scpt file within the Help Viewer app - it can be exploited for any OpenApp.scpt file that exists anywhere else.
Personally, I have 245 of them on my machine. And I have tested them - they can be exploited. So if this thing only changes the Help Viewer OpenApp.scpt one, there are still 244 open security holes. If it changes all of them, then good, it's covering it better.
Of course, the program would need to be re-run every time a new application is installed to ensure that any OpenApp.scpt files in there are changed as well.
What I'm curious about is whether or not it changes all OpenApp.scpt files on the machine. The issue doesn't exist simply with the OpenApp.scpt file within the Help Viewer app - it can be exploited for any OpenApp.scpt file that exists anywhere else.
Personally, I have 245 of them on my machine. And I have tested them - they can be exploited. So if this thing only changes the Help Viewer OpenApp.scpt one, there are still 244 open security holes. If it changes all of them, then good, it's covering it better.
Of course, the program would need to be re-run every time a new application is installed to ensure that any OpenApp.scpt files in there are changed as well.
Most Recent Replies: View All 1 Replies
- Does it change 'em all?
Not a real fix 
- Version: 1.0, 5/19/2004 03:21AM PST
(2 of 3 users found this comment useful)
osax
The idea behind the fix is good, however the script keeps a copy of the "evil" Help Viewer Script called "OpnAppBACKUP.scpt".
A malicious web site could now target specifically this copy of the script and achieve the same results as before. Moreover, this copy could be left there even after an official fix by Apple, so your computer would still be vulnerably, albeit to a variant of the original attack.
Note to developers: remove the backup copy, it causes more harm than good.
A malicious web site could now target specifically this copy of the script and achieve the same results as before. Moreover, this copy could be left there even after an official fix by Apple, so your computer would still be vulnerably, albeit to a variant of the original attack.
Note to developers: remove the backup copy, it causes more harm than good.
Good patch - Version: 1.0, 5/18/2004 11:33PM PST
(0 of 2 users found this comment useful)
Ryan Rafferty
Turning off the downloads in the preference file does nothing at all, because this is a URL exploit. It can be exploited even if you just surf over to a page with a malicious help:// file.
This app is great- very easy to use, it allows you to restore your original settings, and at no charge protects you from stumbling onto a page that could compromise your computer.
It's a must have until Apple releases a fix.
This app is great- very easy to use, it allows you to restore your original settings, and at no charge protects you from stumbling onto a page that could compromise your computer.
It's a must have until Apple releases a fix.
Most Recent Replies: View All 1 Replies
it's not just safari - Version: 1.0, 5/18/2004 10:55PM PST
(0 of 2 users found this comment useful)
philberesford
I found that this issue also affects Firefox as well. It certainly scared the cr@p out of me when my Terminal sprang up and started chewing some unix stuff just from clinking on a link in Firefox.
Watch out everyone.
Watch out everyone.
Tweaking a preference helps? - Version: 1.0, 5/18/2004 08:16PM PST
(2 of 3 users found this comment useful)
clvrmnky
Wouldn't clearing the Safari preference that controls auto-open of "safe" files after downloading stop most implementations of this exploit at it's source? My understanding is that this exploit is taking advantage of the fact that the attacker knows the pathname of an executable because they gave it to you in the form of a disk image.
Most Recent Replies: View All 1 Replies
Yes, any day now... - Version: 1.0, 5/18/2004 08:10PM PST
(1 of 3 users found this comment useful)
RAMdŽd
Calm down, Apple will have an official fix for this soon enough...
Yes, since they've known about since January and were told about it via third party in February.
So "soon enough", in Stevie Time.
Yes, since they've known about since January and were told about it via third party in February.
So "soon enough", in Stevie Time.
Apple's "official fix" will be soon enough... - Version: 1.0, 5/18/2004 07:47PM PST
(2 of 2 users found this comment useful)
sjonke
... only if you don't get bitten by the exploit first. This is the first truly critical security flaw in OS X and a pretty embarrassing one at that. Apple needs to get their fix out as soon as possible. As for Don't go there GURLfriend, I don't know if it *really* fixes this exploit (there are a number of ways to exploit it - does this stop all of them?) because they haven't explained what precisely it does - they only do so in vague terms. Manually changing the "help:" helper to be something like TextEdit does fix this exploit until Apple's official fix is out. Unfortunately since Apple provides no built in way to set that, this is a non-trivial fix and one that won't be implemented by the vast majority. Perhaps this program does that very thing, but unless they tell us and/or provide source code we have no way to know.
Thanks! - Version: 1.0, 5/18/2004 07:38PM PST
(0 of 3 users found this comment useful)
Digitol3
Thanks for this wonderful FREE utility! Keep it up and the so called "ANTI VIRUS" companies will have no grounds to charge for their worthless software. Also Be on the lookout for the "not watching behind you attack" It's a exploit where; when using your computer your facing your screen and thus vulnerable to attack from people coming up behind you. This attack can bring anything from a broken head to a severe headache. There have been reports of broken keyboards as well! hah! Pleaaassse!! :O
