Secunia issues ‘extremely critical’ vulnerability alert for Mac OS X

A vulnerability has been reported in Mac OS X, allowing malicious web sites to compromise a vulnerable system, Secunia reports. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

The problem is that code silently delivered using variants of the “disk” URI handler vulnerability described in SA11622, can be executed without using the “help” URI handler.

Two methods have been discussed, allowing malicious websites to execute code from mounted disk images:

1) A disk image or a volume (e.g. AFS, SMB, FTP, or DAV) can register arbitrary URI handlers, which will execute code placed on the disk image when accessing the URI.

2) A disk image or a volume can change an unused URI handler (e.g. TN3270) to execute code placed on the disk image when accessing the URI.

This problem is escalated due to the fact that it by default is possible to silently download and mount disk images using two known methods (silent download and execution of “safe” files and the “disk” URI). Furthermore, it is reportedly also possible to mount volumes using other methods such as SMB, AFS, FTP, DAV and others.

This vulnerability has been confirmed on a fully patched Mac OS X system (including the patch “Security Update 2004-05-24 for Mac OS X” released by Apple, which fixes the “help” URI handler vulnerability).

Reportedly, working exploits using “ftp” exists, also “afp” seems to be a likely vector.

Attack vectors include browsers and programs supporting Mac OS X URI handling.

Apple has not yet released patches for these issues.

The following two steps prevent malicious web sites from placing code on a vulnerable system, using the two known methods (silent download and execution of “safe” files and the “disk” URI). However, it does not prevent execution of code from already mounted images:

1) Uncheck (“Open “safe” files after downloading”).
2) Add a protocol helper (application) for “disk” and “disks”.

To prevent other methods of mounting volumes, it is necessary to change the protocol helper for all unnecessary protocols (URI handlers), this should include at least “ftp” and “afp”, but also “cifs”, “file” “ftps”, “nfs”, “smb” and “ssh” are recommended.

More info here.

Related MacDailyNews article:
Unsanity updates free utility to fix latest Mac OS X ‘URL Schemes’ vulnerability – May 24, 2004


  1. (Copied this post in from another thread. Don’t worry, “they” aren’t making changes if you feel you’ve seen it before.)

    Looks like the Help Viewer thing is just a symptom of a bigger problem. discusses the problem here and suggests using Paranoid Android to provide a temporary fix.

  2. Question:

    OK, so we uncheck “open safe files after downloading”. Then we download that nasty .dmg that has this theoretical malacious code. THEN we MANUALLY open the .dmg file…. what then? Does the code execute, or not?

  3. When I try to use RCDefaultApp to disable the unsafe URI handlers, I see “disk” and “telnet” but not “disks”. Anybody know why? Is “disks” a Panther only URI? (I’m still on Jaguar)

  4. Where are the glib MDN comments, stating how this particular hack is propaganda by the Microsoft crowd? C’mon, guys, own up when something actually looks bad for Apple.

  5. We are so used to having things super secure in OS X that even having a hole like this (not even a malicious exploit, just a hole) makes us feel very threatened. For people on Windows this is situation is a given. God, it must suck to be them….. Anyway, here is a quote from another site that seemed to sum it up pretty well.

    “Re: Recent Security Update Is Useless – Two More Exploits (Score: 0)
    by Anonymous on May 24, 2004 – 03:21 PM

    “What’s Going On, Apple?

    What we’re about to tell you is very, very bad. So bad, in fact, that we admit that it might be the worst vulnerability we’ve seen, ever, on Mac OS X.”

    What’s with all the pumped up paranoia? I’m a programmer myself and these exploits are so unbelievably benign and are getting way more attention than they deserve. Compare these exploits, ones that require some kind of user interaction, to those that affect Windows that require only that a computer be connected to the internet. The Sasser worm that spread recently only required that an unpatched Windows computer be connected to the internet! That’s it, the user didn’t have to do anything to get it. Not to mention the Windows worms automatically reproduce themselves and cause tons of headaches to millions of people.

    These two exploits can easily be worked around (don’t use Safari or change the disk and telnet protocol handlers), cannot be run as root or with super-user privileges thereby limiting the amount of trouble they can cause, and can be avoided. Compared to what the Windows world has to deal with, these exploits are trivial.

    Don’t worry, Apple will fix them and in the mean time, do what is needed to work around them.”

    Taken from:

  6. you’d have to be a fool to think that there are NO security holes in MacOSX. It stands to reason that there are going to be some. There are no viruses YET…but there will be.

  7. August-

    I’m not sure. The only thing I’ve read about differences concerning this hole is that the most recent Apple Security Update makes changes to the Terminal in Jaguar but not Panther.

    I have Panther, and “disks” shows up for me, right next to “disk”. So maybe your guess is correct, and this is another difference between the two.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.