Final Update: The most comprehensive overview of both the problem and the solutions can be found on Daring Fireball. I strongly suggest that you go there rather than slogging through the comments below.
If you're an OS X user, it's extremely important for you to be aware of a security vulnerability that's been identified by users but not acknowledged or corrected by Apple.
(Update: The problem appears to be specific to Panther--OS X 10.3--so if you're running an earlier version of OS X you should be okay.)
(Update: Apparently the problem is not Panther-specific; most, if not all, OS X systems are vulnerable. See this comment on Jay Allen's site for details.)
You can read about it on Jay Allen's site (which is where I heard about it). Essentially, Mac browsers (including Safari, Mozilla, and Firefox) are all designed to launch the Help Viewer program when the help: protocol is invoked in a web link. Unfortunately, the Help Viewer program, in turn, is able to run scripts. What this means is that a malicious user can set up a page with an automatic redirect that runs a dangerous script. More details for the tech-minded can be found on this MacNN thread. And if you want a terrifying (but harmless) example of this, go to http://bronosky.com/pub/AppleScript.htm. It will launch Terminal and run a harmless du command--but it's scary as hell to see that Terminal window launch and files start scrolling. (There's also an advisory on the Secunia site, but it offers no helpful suggestions; it just confirms the seriousness of the problem.)
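As an added example (not code from the original post, nor from Jay Allen's site or the MacNN thread), here is a small Python scanner that flags the kind of page described above: HTML whose links, meta refresh or inline script would hand a help: or disk: URL to the system's protocol handler. The sample page and its help:/disk: targets are constructed placeholders, not the real scheme syntax.

```python
import re
from html.parser import HTMLParser

RISKY_SCHEMES = {"help", "disk"}  # the two schemes the post says to remap away from Help Viewer
_META_URL = re.compile(r"""url\s*=\s*['"]?([^'"\s]+)""", re.I)  # content="0;url=..."
_JS_REDIRECT = re.compile(  # location = "...", location.href = "...", location.replace("...")
    r"""location(?:\.href)?\s*=\s*['"]([^'"]+)['"]|location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]""", re.I)

class SchemeLinkScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (where it was found, url)
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        # <meta http-equiv="refresh"> is the "automatic redirect" the post describes
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            m = _META_URL.search(attrs.get("content", ""))
            if m:
                self._check("meta refresh", m.group(1))
        for attr in ("href", "src"):  # links, frames, images, embeds
            if attr in attrs:
                self._check(f"<{tag} {attr}>", attrs[attr])
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # inline JavaScript redirects
            for m in _JS_REDIRECT.finditer(data):
                self._check("script redirect", m.group(1) or m.group(2))
    def _check(self, where, url):
        url = re.sub(r"[\t\r\n]", "", url).strip()  # browsers ignore these inside a URL
        scheme = url.split(":", 1)[0].lower() if ":" in url else ""
        if scheme in RISKY_SCHEMES:
            self.findings.append((where, url))

def scan_html(html):
    parser = SchemeLinkScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the help:/disk: targets are placeholders, not the real syntax.
SAMPLE_HTML = """<html><head><meta http-equiv="refresh" content="0;url=help:constructed-placeholder">
</head><body><a href="https://example.com/">normal link</a>
<a href="disk://example.com/constructed.dmg">disk: link</a>
<script>window.location = "help:another-placeholder";</script></body></html>"""

print(scan_html(SAMPLE_HTML))
```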
If, like me, you just want to know how to fix this fast (since Apple has apparently known about this since February and hasn't fixed it, it wouldn't be wise to wait for their patch), here's the approach to use.
- Download the freeware tool MoreInternet.
- From the disk image, run "install prefpane," which will put the MoreInternet preference panel into your System Preferences panel.
- Open the MoreInternet panel, and select the help: protocol.
- Change the application it launches from the Help Viewer (which has the script-running vulnerability) to something benign. (I used TextEdit at first; I now use Chess, which, unlike TextEdit, gives me a clear visual cue that a page tried to invoke the help: protocol.)
- Make sure it worked by going to the scary but harmless example.
Update: In my comments, Jay Allen points out that you should repeat steps 3 and 4 for the disk: protocol, as well.