serious os x security problem


Final Update: The most comprehensive overview of both the problem and the solutions can be found on Daring Fireball. I strongly suggest that you go there, rather than slogging through the comments below.


If you're an OS X user, it's extremely important for you to be aware of a security vulnerability that's been identified by users but not acknowledged or corrected by Apple.

(Update: The problem appears to be specific to Panther--OS X 10.3--so if you're running an earlier version of OS X you should be okay.)

(Update: Apparently the problem is not Panther-specific; most, if not all, OS X systems are vulnerable. See this comment on Jay Allen's site for details.)

You can read about it on Jay Allen's site (which is where I heard about it). Essentially, Mac browsers (including Safari, Mozilla, and Firefox) are all designed to launch the Help Viewer program when the help: protocol is invoked in a web link. Unfortunately, the Help Viewer program, in turn, is able to run scripts. What this means is that a malicious user can set up a page with an automatic redirect that runs a dangerous script. More details for the tech-minded can be found on this MacNN thread. And if you want a terrifying (but harmless) example of this, go to It will launch Terminal and run a harmless du command--but it's scary as hell to see that Terminal window launch and files start scrolling. (There's also an advisory on the Secunia site, but it offers no helpful suggestions; just verifies the seriousness of the problem.)

If, like me, you just want to know how to fix this fast (since Apple has apparently known about this since February and hasn't fixed it, it wouldn't be wise to wait for their patch), here's the approach to use.

  1. Download the freeware tool MoreInternet.
  2. From the disk image, run "install prefpane," which will put the MoreInternet preference panel into your System Preferences panel.
  3. Open the MoreInternet panel, and select the help: protocol.
  4. Change the application it launches from the Help Viewer (which has the script-running vulnerability) to something benign. (I originally used TextEdit; I now use Chess, which, unlike TextEdit, gives me a clear visual cue that a page tried to invoke the help: protocol.)
  5. Make sure it worked by going to the scary but harmless example.

Update: In my comments, Jay Allen points out that you should repeat steps 3 and 4 for the disk: protocol, as well.

33 TrackBacks

MacOSX flaw from thomas n. burg | randg on May 18, 2004 5:23 PM

An obviously not so new flaw. Read More

If you use OS X, read this and do what Liz Lawley suggests. Jay Allen has more. (Via Dan Gillmor.)... Read More

If you have a Macintosh running OSX, you have a problem. Deal with it right now. Tonight. Seriously. IMO, the... Read More

a real Mac OS X security hole from Ted Thibodeau Jr's Weblog on May 18, 2004 10:28 PM

this one's real

follow the i

Read More


OS X Security Hole from Perverse Access Memory on May 18, 2004 10:58 PM

This is not like the proof of concept MP3 thing, chillun. This is the real deal, a serious browser-based security... Read More

eep! an OS X exploit from cloudy, chance of sun breaks on May 19, 2004 1:17 AM

mamamusings: serious os x security problem: If you’re an OS X user, it’s extremely important for you to be aware... Read More

If you have a Macintosh running OSX, you have a problem. Deal with it right now. Tonight. Seriously. Summary and Remedy. (I'm getting this from Making Light, who's trustworthy. Go to her place and read the rest, including more links... Read More

essential Panther security fix - via boingboing... Read More

Bleck: Mac OS X vulnerability from Ascription is an anathema to any enthusiasm on May 19, 2004 8:33 AM

There is an ugly vulnerability in Mac OS X. I assume that if you avoid the internet for a day or two Apple will have a patch; but it's ugly. The gist is that if the browser visits certain places (which of course a site can trigger with popups, or redire... Read More

If enough people start pointing this flaw out, hopefully Apple will stop putting its fingers in its ears and saying 'LA LA LA LA LA LA LA', and issue some sort of fix. Read More

mamamusings: serious os x security problem. If you're running panther, read now and follow instructions (after watching scary demo if you like).... Read More

bloglines lead me to this page: mamamusings: serious os x security problem. i immediately hit up one of my mac resource guys at work to see if he'd heard about the vulnerability and sure enough, he'd written his own patch... Read More

mamamusings: serious os x security problem This is also handy since most users will never have a need for terminal and will prevent the uninitated from mucking around in the command line. Ug. People who don't appreciate bash. rrrr.... Read More

Mac OS X: Highly critical security flaw from JayAllen - The Daily Journey on May 19, 2004 11:25 AM

A new exploit allows attackers to run scripts via Safari or IE 5.x nearly all Mac OS X browsers simply... Read More

Apple OS X Security Vulnerability from Take It Back To Business Class on May 19, 2004 12:12 PM

I suggest you fix this right away! A webpage can launch help and run scripts that can do serious damage. I had trouble downloading the fix from, so I posted the file below. I hope they don't mind. Directions on how to fix it here Downloa... Read More

osx panther - security hole from marc brown - on May 19, 2004 12:22 PM

serious os x security problem read that entry and download More Internet 1.1.1 -- otherwise you could find yourself in big trouble very soon. Obviously Apple will get a fix for this out quickly, but they have been aware... Read More

Serious OS X security flaw from Communications From Elsewhere on May 19, 2004 4:31 PM

There's a pretty serious security hole in the wild for users of OS X Panther, possibly 10.2 and above. It's already been mentioned in a bunch of places, including: + mamamusings + Jay Allen + Making Light But just in case you don't read any ... Read More

I blew this off at first until I ran the little script example. "Holy Shit!" Go read: mamamusings: serious os x se... Read More

Panther Security Hole from Laughing ~ Knees on May 19, 2004 10:16 PM

For those of you using the Mac I just came across this information about a huge security hole in Panther (OS 10.3). Read about it here: Mamamusings and here Making Light. This is the referred to preference pane for making... Read More

In what is being described as a “highly critical” vulnerability, security firm Secunia on Monday issued an advisory to all Mac OS X users that surf the Web with Microsoft’s Internet Explorer or Apple’s Safari Web browsers…... Read More

In what is being described as a "highly critical" vulnerability, security firm Secunia on Monday issued an advisory to all... Read More

If you are running Panther (OS X 10.3), read and follow these instructions right now. Apple will undoubtedly release an update for this eventually, but you should protect yourself in the interim. This Wired article has more information.... Read More

If you use a Mac and run OS X, there is a security hole you need to be aware of. Apple hasn't done anything yet to fix this, but you can patch the hole yourself. (If I could do it,... Read More

As mentioned before, I seem to be bringing bad Karma to the Mac world. Today a rather serious web browser/OS X bug was exposed. Elizabeth Lane Lawley's web site has some great instructions on what to disable to make your... Read More

today i decided Apple was taking too long to issue the security patch for the well-documented Help Center security hole, so i followed the directions on mamamusings for the home-made fix (which suggested replacing the Help Center with the built-in Read More

The basics: What is a "URI handler?" So what's the problem? Okay, what do I do? Read More

Security and the power of the blog from Mike's Digital Laboratory on May 23, 2004 11:32 PM

Just last week I saw Liz in the hallway and said "Can you believe that security hole in OS X!... Read More

This entry is constantly being updated with new information as it comes in. Comments made earlier than the latest... Read More



Hey Liz, Kevin Shay left a comment in my comments pointing out that the disk: protocol should ALSO be disabled. Without the feature-cum-flaw in Help Viewer, the disk: phenomenon doesn't have much effect, but theoretically, I suppose, an attacker could saturate your DSL line and fill up your hard drive.

The help: protocol is the big one, but I thought I would pass that on.

I found a fix in 20 seconds. Simply create a password protected dmg file of terminal and trash the uncompressed app. Help viewer will hit a wall and ask for a default app. This puts the onus back on the user to let it go any further. This is also handy since most users will never have a need for terminal and will prevent the uninitiated from mucking around in the command line.

I couldn't get it to work on my install of Jag 10.2.8 - the Finder complained that "there is no default application specified to open the document 'du'." Not sure if this means it only happens on Panther or if it's just a peculiarity of my settings.

I tried Bronovsky's scripts (the du and the ls) on 10.2.8, and I got error boxes ("Choose application") both times. I'm relieved not to have to worry about it, but I wonder what's going on.

Charlie, it doesn't have to use Terminal. That's just what the proof of concepts are using right now.

The malicious party could easily induce a download of an extremely small disk image of nothing but a little Applescript and then use the help vulnerability to launch that instead.

This is why file: also needs to be whacked.

Ted, do you have terminal on your system? For some reason, Terminal isn't being launched in your case.

FWIW, du is a Unix utility that displays disk usage and is found at /usr/bin/du.

Ted and Meg, it looks as though this is a Panther-specific bug.

Charlie, I use Terminal multiple times a day as an ssh client, and also to manage files on my local webserver (which I use for testing).

I suspect that most of the people who read my blog also use Terminal to some extent, if only as a telnet/ssh client.

May be a panther thing, Jaguar won't open it. Or my firewall program may have already done its thing.

> This is why file: also needs to be whacked.

I think you mean 'disk:' not 'file:' :)

So I downloaded Moreinternet and linked the help protocol with Chess. Went to the terrifying but harmless example, and it opened up Chess. I now also have a little Speech commands icon open now, which I think has something to do with Chess.

Anyway, is there anything else I have to do?

Thanks for posting this, btw.


I use Terminal *constantly*. The frequency with which I use it calls into question the semantic distinction between "continuous" and "continual" -- proof (if any were needed) that I am a command-line retrogrouch.

But I actually quit out of it (the horror!) to see if Help would call it up. No go. My condolences to you Panthers... I guess I'm okay with being a passé Jaguarette.

"I suspect that most of the people who read my blog also use Terminal to some extent, if only as a telnet/ssh client."

-- Thanks Liz, I felt a little indignant at being treated like a n00b at unix. ;-) I use the command line every single day on my iBook.

"I think you mean 'disk:' not 'file:' :)"

You're absolutely right, Chris. Thanks. :-)

I don't like installing freeware to fix a bug on my OS. What does MoreInternet do? If one is security conscious one should be able to do this using just vi or a simple editor.

Thanks for highlighting this flaw and fix.

Scary indeed.

Henry, I agree. I didn't want to install MoreInternet either. I ended up changing the help: protocol helper using Microsoft Internet Explorer, as that's the only UI for this that I can find on my system. Using IE is hardly better than MoreInternet for the users who don't already have it installed.

You might try exploring the defaults command (specifically "defaults read LSPrefsBindings") and see if you can find an easy way to change it using the shell (please post if you do!). More comments on Jay Allen's page.

Odd. I'm running 10.3.3, installed MoreInternet, and it doesn't show the Disk: protocol. I fixed Help:, but Disk: isn't there...

Do I need to add it?

Yes, CML, I would add it and point it to something pointless.

The MoreInternet application is *very* slow to download, thanks to all the folks looking to patch their systems. Anyone know of a mirror?

dce - I ran into the same problem, googled and found this, which was by degrees faster.

I also show no "Disk" listing in More Internet.

I did a search for it but returned no results; how does one then add it to the list?

(embarrassed by my lack of geekness)

No need to be embarrassed!

The MoreInternet pane gives you an "Add" button, just below the list of protocols. Click on that, and add "disk:" to the list. Then follow the same steps to assign a benign app.

Having a single set of bindings for trusted and untrusted sources is why Internet Explorer and Outlook have been security nightmares for most of the past decade.

I can understand Microsoft doing this: they have political reasons for "integrating" the desktop and the browser (they're not good reasons... trying to weasel out of an agreement with the DoJ is never a good reason). I can't understand Apple, though: there should be at least *two* unrelated sets of bindings... one to be used for applications that work with local documents and one for applications that work with untrusted documents...
and the bindings for applications that work with untrusted documents should be *absolutely* minimal.

In fact, by default and in the absence of explicit user action nothing should ever be transferred from an untrusted document to another application, or any integration of trusted and untrusted namespaces. That includes:

Helper application for URL protocols (eg help:)
Helper applications for mime types (eg video/windows-media)
Helper applications for file extensions (eg .wma, .zip)
Internet-enabled disk images and installers.

If the target application is not known to be suitable for handling untrusted data, it must not be passed untrusted data.

If an application is known to be suitable for handling untrusted data, it must not be presented with helper applications that aren't similarly trusted.

This is a really basic security principle, one that nobody I know would have imagined would be commonly violated until Microsoft not only kicked it over but refused to pick it up again. For gods' sake, folks, don't accept the same insanity from Apple, and don't let Apple get away with a one-shot patch just for this specific instance of the problem... that way lies the Outlook-exploit-of-the-week syndrome.

So, if I've used MoreInternet to change the help and disk protocol, do I still need to uncheck the "open safe files" option in Safari?

Thanks, Liz!

I feel much better now...

FYI I used the freeware app "misfox" which also allows one to modify helper apps and protocol associations. Set "help" and "disk" to "" and all is fine.

Misfox is here:

There is a mirror for the moreInternet preference pane add-on at

The latest version is 1.1.1. (I've put the link in the "posted by" link for this entry, just below.)

thanks brian....just a regular mac user here and your fix was simple and clear.

Here's an easy fix that doesn't require any shareware to be downloaded.

1) Open up your moldy copy of Explorer 5.2
2) Go to preferences->network->protocol helpers and change it to Chess.
Don't use TextEdit because it's scriptable too!
3) Quit Explorer and go back to Safari.

Wow. Thanks, Liz, and thanks, Jay.

Can anyone post _where_ exactly moreinternet makes its changes? I'd rather do it by hand than use moreinternet, if only to understand what's going on better. (Though for the meantime, I have used moreinternet to make the changes.)

Problem: Though I installed moreinternet as host (vice user), that only means it's available to all users, not that the settings affect all users. When I changed the helper apps, it only changed them for ME, not for the whole system. I gather this since only my .plist got a new timestamp. Now, how do I force the entire system to change its helper apps? I don't want to have to log in as every user and change it by hand, or (worse) email them and trust them to do it.

You can disable this exploit by removing the execute permissions of Help

As root issue a chmod 744 /System/Library/CoreServices/Help\

If you need to use Help afterwards just restore the
execute privileges to the wheel or other groups as appropriate. A small
bother, you don't even have to trust a third party utility. Once Apple fixes this
you can leave the execute permissions on again. The path might be different in earlier version of OS X.


Just had an idea -- but I'm too tired (and probably don't have the skillzz) to put it into practice. Maybe somebody can pick it up and do it.

Use the security hole on your blog home page to launch terminal, list some files (the "scary but harmless" stuff), and print out an explanation linking to an informative weblog post (like this one) which tells the user how to fix the problem. Or even better (if possible?) open a browser session with the url in question.

Maybe it would encourage people to fix it?

Thanks for the help.

Do you know you were featured on The Screen Savers?

One thing to note, is that this isn't limited to web apps at all. It appears to be part of "LaunchServices".

For example, there's a commandline program called "open" which you can give a filename or a URL, and it will open it in the appropriate way. http: URLs open in your preferred browser, file: URLs open the file based on the extension or type/creator, etc.

It will also work with "disk:" and "help:" URLs.

Luckily, the MoreInternet fix works with this, too. So anything that uses LaunchServices to find out what to do with a disk: or help: URL should be prevented from wreaking havoc if you change the handling.

Came through Boing Boing... Thank you!

Back to the "disk" thing, it wasn't it my list either, and then I tried to add it, but it's still not in the list. What am I doing wrong? If you know, please mail me at shane [at] dosagedesign [dot] com

"Can anyone post where exactly moreinternet makes its changes?"

MoreInternet uses the InternetConfig API, which is different from LaunchServices, though they overlap. IC is part of Carbon (and in fact has been around since System 7, in one form or another).

So. To answer your question: LaunchServices has been described above, and IC's preferences are stored in ~/Library/, but you have to be a real serious hacker to modify the helper apps in that file, since it uses a binary alias record (along with some other binary info) to store its data.

If you are on the run to change the protocol helpers for "disk" and "help" you also should change the helper for "telnet".


Enter "telnet://-nMyFile" in your favorite browser. This will write an empty trace file called "MyFile" in the user's homedir. If MyFile already exists it will be overwritten. My Firefox version even accepts telnet as an image source, iframe etc. Not as serious as the "help" problem, but serious enough.

Damn, you're absolutely right fukami. This would allow a malicious user to overwrite any file that the web surfing user has write permissions on.

While this definitely isn't as serious as the original problem, there are a lot of important and predictably located files in the user's home directory.
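The thread above describes three ways a page can reach a risky URL handler: an automatic redirect to help:, a disk: link, and telnet: used as an image or iframe source. The following Python script is an added example (not from the original post or any of its commenters) that scans HTML for those vectors so a site operator or filtering proxy can flag them before they reach an unpatched Mac; the sample page and the EXAMPLE-PLACEHOLDER paths are constructed, and the scheme list is the set the thread names.

```python
"""Flag web content that invokes risky URL schemes (help:, disk:, telnet:,
file:) through links, embedded resources, or meta-refresh redirects."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Schemes the thread identifies as dangerous handler targets on OS X.
RISKY_SCHEMES = frozenset({"help", "disk", "telnet", "file"})

# Attributes through which a page can make a browser fetch or follow a URL.
URL_ATTRS = {
    "a": ("href",), "link": ("href",), "area": ("href",),
    "img": ("src",), "iframe": ("src",), "frame": ("src",),
    "script": ("src",), "embed": ("src",), "object": ("data",),
    "form": ("action",),
}

# Pulls the URL out of a refresh directive such as "0; url=help:..."
_REFRESH_RE = re.compile(r"url\s*=\s*['\"]?([^'\"]+)", re.IGNORECASE)


def scheme_of(url):
    """Lower-cased scheme of a URL, tolerating leading whitespace and
    control characters that browsers strip before parsing."""
    cleaned = "".join(ch for ch in url.strip() if ord(ch) > 31)
    return urlsplit(cleaned).scheme.lower()


class RiskySchemeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url, scheme)

    def _check(self, tag, attr, url):
        scheme = scheme_of(url)
        if scheme in RISKY_SCHEMES:
            self.findings.append((tag, attr, url.strip(), scheme))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in URL_ATTRS.get(tag, ()):
            if attrs.get(attr):
                self._check(tag, attr, attrs[attr])
        # <meta http-equiv="refresh" content="0;url=help:..."> is the
        # automatic redirect the post describes.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = _REFRESH_RE.search(attrs.get("content") or "")
            if m:
                self._check("meta", "content", m.group(1))

    handle_startendtag = handle_starttag  # <img ... /> style tags


def find_risky_urls(html):
    parser = RiskySchemeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page exercising each vector (not from the original post).
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=help:EXAMPLE-PLACEHOLDER">
</head><body>
<a href="https://example.invalid/ok">fine</a>
<a href=" HELP:EXAMPLE-PLACEHOLDER">mixed case, leading space</a>
<img src="telnet://example.invalid/">
<iframe src="disk://example.invalid/image.dmg"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url, scheme in find_risky_urls(SAMPLE_HTML):
        print(f"{scheme}: <{tag} {attr}=...> {url}")
```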

Liz, I believe that all 10.2.x systems ARE affected. See the section entitled "System applicability" on my updated post for more on that.

Another option I just heard about is Paranoid Android from Unsanity. The 'droid uses a different approach: It watches protocol links, and when it sees an unusual one (like help:), it pops an alert, giving you the relevant information and asking whether you want to run the application or not.

I tested it on 10.2.8 Server.
It opens the Help app but will not run the "du". Finder says: There is no default application specified to open the document "du".

deeboo, that's a failure of the demo exploit, but it's a positive test for the vulnerability. The du command doesn't work on 10.2 but the fact that it was attempted means Help Viewer ran the script.

I'm running 10.2.8 and Mozilla. MoreInternet won't fix the bug (same problem as Ted's post above) and I manually changed it in IE 5.2 (see Travis Whitton's post above) but the flaw still pays off EVEN FOR IE. What the heck? Am I just stuck with this bug?

i am currently using (blindly experimenting would be more exact) freebsd and noticed that the "scary but harmless" example also works here.

I downloaded and installed the MoreInternet preference panel, but it won't allow me to set the helper application to Chess, as suggested. In fact, the only apps that it allows me to choose appear to be ones that run scripts.

The test on opens up whatever application I assign to the above mentioned protocols. I think this means I'm in trouble.

Is there a list somewhere of unscriptable applications?

I installed this on my wife's iBook:
and it worked. However, it requires 10.3, the machine I'm currently using is 10.2.8

i installed MoreInternet, tried to change the helper by dragging and by clicking on change. no good. it says "there is a problem setting the app as the helper" when i try to change it to chess, calculator or preview. i tried changing it at root in terminal by running chmod 744 /System/Library/CoreServices/Help\, also no good. what the #!*&?

I was just mucking around. I think that you can negate this exploit from being able to run by setting Help's permissions to Owner System, No Access. Group Wheel, No Access and Others No Access. You would of course do this with Help Viewer closed.

After installing this I've noticed that I can no longer run Mac Help. Whenever I launch the program manually it doesn't work.

Is there a workaround for this? Also, how does one uninstall this freeware? Where exactly is the Help Viewer app located anyway? I see the Terminal address listed above but can't seem to locate it manually.

About this Entry

This page contains a single entry published on May 18, 2004 12:29 PM.
