[ISN] Mac browsers vulnerable to hackers
InfoSec News
isn at c4i.org
Tue May 18 06:14:55 EDT 2004
http://www.macworld.co.uk/news/main_news.cfm?NewsID=8696
By Macworld staff
May 18, 2004
Computer security firm Secunia is warning of a new security
vulnerability affecting Mac Internet browsers Safari 1.x and Internet
Explorer 5.x.
The report claims the weakness "potentially allows malicious Web
sites to compromise a vulnerable system".
"The problem is that the 'help' URI handler allows execution of
arbitrary local scripts (.scpt) via the classic directory traversal
character sequence using 'help:runscript'", the warning explains.
This makes it possible for malicious computer users to place
"arbitrary" files (including script files) in a known location on a
user's system - but only if either browser has been set up to open
safe files after they are downloaded. This is the default browser
setting.
Secunia recommends that users switch off the latter capability in
Safari's preferences folder, that they do not go online as a
"privileged user", and that they rename the help handler, though no
instructions related to the latter are available.