Macworld - In what is being described as a "highly critical" vulnerability, security firm Secunia on yesterday issued an advisory to all Mac OS X users that surf the Web with Microsoft Corp.'s Internet Explorer or Apple Computer Inc.'s Safari Web browsers.
The vulnerability, which was first reported by lixlpixel and confirmed by Secunia, takes advantage of the "help" URI handler and "allows execution of arbitrary local scripts (.scpt) via the classic directory traversal character sequence using 'help:runscript.'"
The result of the vulnerability, which has been confirmed using Safari 1.2.1 (v125.1) and Internet Explorer 5.2, is that it is "possible to place arbitrary files in a known location, including script files, on a user's system if the Safari browser has been configured to ("Open "safe" files after download") (default behavior) by asking a user to download a ".dmg" (disk image) file."
Secunia recommends opening Safari preferences and uncheck "Open 'safe' files after download.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
