Here's a demo of another security leak under Safari,which will allow to execute almost any action on a surfer's machine. You may d/l it here: http://www.insecure.ws/article.php?story=2004051612423136 Nothing dangereoux with it, all the stuff is in the .dmg, and what it will do is explained (will write a text which will open via textedit) It's up to you to publish it or not, as the demo is quite impressive, which may scare some. The leak was made public very recently, or else I wouldn't have revealed it before the fix from Apple has arrived (as I usually do) It is of course possible to deactivate the automatic opening of files via Safari, or for instance to change the "help" tags handler to something else than Help.app from InternetConfig2 (there are freewares on versiontracker to do that under MacOSX) |
The leak was made public on 05/10/04. Apple was informed on 02/23/04. No patch was released ever since.
No need to panic, or even to launch the demo. Yet Apple shall solve this issue before anyone would use it.
If you wish to fix it yourself, Kang explains us how to do it:
http://www.monkeyfood.com/software/moreInternet/This is a prefpane, just change help to anything, Why not an applescript with a display alert "Caution, call for help detected" |
You may use this solution until this leak is fixed.
