Fun With(out) Security (5/17/04)
Woo-hoo, it's like we Mac users have been in Security Issue Heaven recently, isn't it? After years and years of watching forlornly as Windows users had all the fun, Macfolk are finally starting to see a little action these days. First there was that questionable but clever little demo Trojan whereby arbitrary executable code was embedded in the ID3 tags of an MP3 file. Then there was this fake Word 2004 installer floating around, which was just a "delete everything we can" script with a custom icon pasted on top-- not exactly a security hole, since any system that lets you delete any files would be susceptible to that sort of thing, but still, it was a real piece of Mac OS X malware found in the wild.
And now there's this new hole in Mac OS X that apparently lets the bad guys exploit Help Viewer to run code on your system just by getting you to click a single link on a web site they set up. Faithful viewer Bernd Schnitker was the first to inform us that, as detailed by the security web site Secunia, "the 'help' URI handler allows execution of arbitrary local scripts (.scpt) via the classic directory traversal character sequence using 'help:runscript.'" In other words, Help Viewer is allowed to run AppleScripts and the like, provided they're somewhere on your system, and will do so if instructed to via a web link to "help:runscript=..." which specifies where the script resides. The upshot is that some clever folks could slap together a web page that automatically sends you a .dmg disk image (which, with default settings, Safari etc. will automatically mount), waits a little while, and then redirects your browser to the help:runscript URI pointing to the script included on the mounted disk image.
Don't believe it could work? Well, the site insecure.ws not only has a description of the problem, but also put together a proof-of-concept web page that exploits the hole. Visit it to see the thing in action; while it won't actually harm your system, it'll prove that it could if it wanted to. If you haven't messed with any relevant default Safari settings, you'll see a disk image mount on the Desktop, Help Viewer launch, and Terminal spawn a new window informing you that you've been compromised. Don't forget to toss that scary "owned.txt" file that the script slapped into your home directory just to make you sleep a little less soundly at night. (We don't sleep anyway, so we're thinking of keeping it around. It classes up the joint a little.)
For what it's worth, if you want to protect yourself from this sort of thing happening until Apple issues another Security Update, it's not too difficult; you can either tell Safari (or whatever browser you use) not to mount downloaded disk images (uncheck "Open 'safe' files after downloading" in the General Preferences), or better yet, use something like the More Internet preference pane to rename the help URI handler. Note that the first option only closes off the disk-image delivery route; since Help Viewer will run any script that's already somewhere on your system, only disabling or renaming the handler itself actually shuts the hole. Geez, three security issues of varying degrees of ickiness in the space of less than six weeks; multiply that by ten, and we'll almost be where Windows is! Enterprise sales, here we come!
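As an added example (this is not code from the original AtAT scene, nor from the insecure.ws proof of concept), here's a small Python scanner that pulls help: URIs out of captured page content or proxy log lines and flags the help:runscript ones carrying the directory-traversal sequence the Secunia advisory describes. The sample lines, the "Evil" volume name and the script filename are constructed for the example; the repeated percent-decoding is there because "../" can be sent as "%2e%2e%2f" (or double-encoded) to dodge a naive string match.

```python
import re
from urllib.parse import unquote

# Constructed sample lines for this example (not taken from the page or the
# proof of concept): benign help: links mixed with runscript URIs of the
# traversal shape the advisory describes. "Volumes/Evil" and "evil.scpt"
# are made-up names.
SAMPLE_LINES = [
    '<a href="help:search=printing">Printing help</a>',
    'Location: help:runscript=../../../../Volumes/Evil/evil.scpt',
    'Location: help:runscript=..%2F..%2F..%2FVolumes%2FEvil%2Fevil.scpt',
    'Location: help:runscript=%252e%252e/%252e%252e/Volumes/Evil/evil.scpt',
    'href="help:runscript=SomeBook.help/Contents/Resources/script.scpt"',
    'http://example.com/normal.html',
]

# help:<action>=<target>; the target runs until whitespace or a quote/bracket.
HELP_URI = re.compile(r'help:([A-Za-z]+)=([^\s"\'<>]+)')
# A ".." path component: at the start of the target or after a slash,
# followed by a slash or the end of the string.
TRAVERSAL = re.compile(r'(?:^|/)\.\.(?:/|$)')


def decode_fully(value, max_rounds=4):
    """Percent-decode until stable so encoded and double-encoded '../' show up."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return one finding per help: URI found in the line."""
    findings = []
    for match in HELP_URI.finditer(line):
        action, target = match.group(1).lower(), match.group(2)
        decoded = decode_fully(target)
        traversal = TRAVERSAL.search(decoded) is not None
        findings.append({
            "action": action,
            "target": target,
            "decoded": decoded,
            "traversal": traversal,
            # runscript plus a ".." component is the pattern in the advisory
            "suspicious": action == "runscript" and traversal,
        })
    return findings


def scan(lines):
    return [finding for line in lines for finding in scan_line(line)]


def suspicious(lines):
    return [finding for finding in scan(lines) if finding["suspicious"]]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} help:{finding['action']}={finding['decoded']}")
```

Run against the constructed lines, it reports the three traversal URIs and leaves the plain help:search link and the runscript URI that stays inside a help book alone; a real deployment would feed it the bodies of fetched pages or the Location headers a proxy sees, since the redirect is where the PoC plants the link.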
SceneLink (4698)
The above scene was taken from the 5/17/04 episode: May 17, 2004: Another Mac OS X security issue comes to light, and this one has a fun proof-of-concept web page. Meanwhile, Gwyneth Paltrow names her kid "Apple," and the G5 cluster at Virginia Tech may be vanishing from the next list of the top supercomputers...