Apple announces Security Fix

Submitted by Karthik on 23 May, 2004 - 18:13

eWeek is carrying a report on a patch released by Apple to plug a security hole in OS X.

The issue revolves around two URI handlers, "help" and "disk." The first allows any AppleScript on the user's machine to be run, while the second allows users to mount a disk image automatically over a network. In theory, this allows malicious users to create a Web page that will either download a small disk image onto a Mac or mount it remotely, then execute an AppleScript on the mounted image, which could contain any Unix command, including ones to remove any file in the user's Home directory. The flaw works with any browser, including Safari, Internet Explorer, and Firefox.

The flaw was apparently reported to Apple in February, so the security patch has taken 3 months to reach the end user. Sound familiar?