If you have a Macintosh running OSX, you have a problem. Deal with it right now. Tonight. Seriously.
A completely terrifying demo of the hole. Click on it and watch how the “help:” protocol can be used to (for instance) fire up your Terminal program and run “du”. As the demo says, it could just as easily have run “rm -rf”.
(Mom, “rm -rf” means “Wipe everything on my hard drive.” If Matt’s got OSX running on your computer, you need to take care of this.)
Here’s where to get the fix—but read the other stuff first.
Here’s how Patrick explained it to me:
It is possible to write a URL that, when invoked from one’s default browser, invokes Apple’s Help program, which is itself a mini-browser which uses a subset of HTML. The trouble is that unlike a well-written, full-fledged, OSX browser, the Help program is (a.) fully scriptable; and (b.) fully capable of running any application or command for which the user has privileges.
This is where “rm -rf” and other nightmares come in. Terminal is a very powerful program. For instance, instead of wiping your hard drive, a malfeasant could have Terminal send all the data on your hard drive to the destination of his choice.
When you click on the URL for the demo, it launches the Help program, which in turn launches Terminal on your own machine—and then, without any intervention from you, runs “du”. This is harmless, but has the quite terrifying property of scrolling through a complete list of the files on your computer. At that moment, you realize that you’re the data loss equivalent of a spider held above a fire by someone’s cupped hands.
The solution is to break the link that allows the “help:” protocol to launch the Help program. Read the links, download the software, and do what it says. It’s fast and easy. Once you’ve done it, anyone who tries to get at you via the “help:” protocol security hole will wind up launching the chess game, which at worst will beat you at chess.
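As an added illustration of the check behind the fix Patrick describes (not code from the original post or from the tool it links to), the script below reads a LaunchServices handler table and reports which application is registered for the "help:" scheme. The plist path, the LSHandlers key layout and the Help Viewer bundle id com.apple.helpviewer are assumptions about macOS, not facts stated in the post.

```python
"""Audit which application LaunchServices has registered for a URL scheme
such as "help:". Added example; the plist location, the LSHandlers layout
and the bundle id com.apple.helpviewer are assumptions, not from the post."""
import plistlib
from pathlib import Path

# Handlers we treat as unsafe for "help:" (assumption: Help Viewer's bundle id).
RISKY_HANDLERS = {"com.apple.helpviewer"}

# Constructed sample in the assumed LSHandlers layout so the example runs offline.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>LSHandlers</key><array>
  <dict><key>LSHandlerURLScheme</key><string>help</string>
        <key>LSHandlerRoleAll</key><string>com.apple.helpviewer</string></dict>
  <dict><key>LSHandlerURLScheme</key><string>mailto</string>
        <key>LSHandlerRoleAll</key><string>com.apple.mail</string></dict>
</array></dict></plist>"""


def scheme_handlers(plist_bytes: bytes) -> dict:
    """Map each URL scheme in an LSHandlers table to its handler bundle id."""
    data = plistlib.loads(plist_bytes)
    handlers = {}
    for entry in data.get("LSHandlers", []):
        scheme = entry.get("LSHandlerURLScheme")
        if scheme:
            # LaunchServices may record the handler under either role key.
            handlers[scheme.lower()] = (entry.get("LSHandlerRoleAll")
                                        or entry.get("LSHandlerRoleViewer"))
    return handlers


def audit_scheme(plist_bytes: bytes, scheme: str = "help") -> tuple:
    """Return (handler_bundle_id, is_risky) for the given scheme."""
    handler = scheme_handlers(plist_bytes).get(scheme.lower())
    return handler, (handler in RISKY_HANDLERS)


def audit_user_handlers(scheme: str = "help") -> tuple:
    """Read the live per-user table (assumed path). (None, None) means no
    per-user override is recorded, so the system default still applies."""
    path = (Path.home() / "Library/Preferences/com.apple.LaunchServices"
            / "com.apple.launchservices.secure.plist")
    if not path.exists():
        return None, None
    return audit_scheme(path.read_bytes(), scheme)


if __name__ == "__main__":
    print(audit_scheme(SAMPLE_PLIST, "help"))   # ('com.apple.helpviewer', True)
    print(audit_user_handlers("help"))
```

A "help" entry pointing at Chess or another non-scripting application is what the linked fix aims for; if the live table has no "help" entry at all, the system default handler is still in force and should be checked by hand.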