Real live link vulnerability for Mac OS X

I don’t think this has appeared in the wild yet, but no doubt it will soon. It’s an exploit that allows someone to execute arbitrary code on OS X just by visiting a website, regardless of browser: JavaScript on the page downloads a disk image and then opens help://Volumes/Rootkit/Rootkit.script. The browser passes the request on to the Help Viewer, which will gladly execute code. The exploit is being discussed on the MacNN Forums and has been summarized on TidBITS.
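A defensive sketch of the pattern described above, added here and not part of the original post: a content filter that flags page source pairing a disk image reference with a help:// URL that points into a mounted volume. The function name, risk labels and sample fragments are assumptions constructed for illustration.

```python
import re

# Schemes the browser handles itself; any other scheme is passed to a helper app.
WEB_SCHEMES = {"http", "https", "ftp"}

# Quoted scheme://rest strings, as they appear in attributes and script literals.
QUOTED_URL = re.compile(r"""["']([A-Za-z][A-Za-z0-9+.-]*)://([^"'\s]*)["']""")
# Quoted references to a disk image.
QUOTED_DMG = re.compile(r"""["']([^"'\s]+\.dmg)["']""", re.IGNORECASE)


def scan_page(source):
    """Classify one page's source text as 'high', 'review' or 'none'."""
    handoffs = []          # URLs the browser would hand to another application
    into_volume = False    # a help:// URL that points into a mounted volume
    for match in QUOTED_URL.finditer(source):
        scheme, rest = match.group(1).lower(), match.group(2)
        if scheme in WEB_SCHEMES:
            continue
        handoffs.append(f"{scheme}://{rest}")
        if scheme == "help" and rest.lower().startswith("volumes/"):
            into_volume = True
    images = QUOTED_DMG.findall(source)

    if into_volume and images:
        risk = "high"      # image delivery plus Help Viewer hand-off on one page
    elif handoffs:
        risk = "review"    # external handler invoked, no image seen on this page
    else:
        risk = "none"
    return {"risk": risk, "handoffs": handoffs, "disk_images": images}


# Constructed fragments: only the quoted URL strings matter to the scanner.
SUSPICIOUS = '''var image = "http://example.invalid/Rootkit.dmg";
var target = "help://Volumes/Rootkit/Rootkit.script";'''
HELP_ONLY = '<a href="help://Volumes/Rootkit/Rootkit.script">docs</a>'
BENIGN = '<a href="https://example.invalid/a.html">a</a> <img src="b.png">'

if __name__ == "__main__":
    for name, page in [("suspicious", SUSPICIOUS), ("help_only", HELP_ONLY),
                       ("benign", BENIGN)]:
        print(name, scan_page(page))
```

The filter recognizes only the combination summarized in this post, with both URLs present as quoted literals in the page source.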

No solution from Apple yet (though apparently they’ve known about it for two months already — sheesh), but a stop-gap solution is to install MonkeyFood Software’s free MoreInternet and then set the helper app for type “help” to some innocuous program like “chess.”

On the minus side, it’s sad to see OS X suffering the same pain I’ve teased Windows users about all these years. On the plus side, I’d been meaning to play more chess anyway…

UPDATE: In flaming about the above exploit, the MacNN folk found a variation that doesn’t have a full work-around, though you can make it harder for an attacker to get the payload to your machine. See the top of the thread for details.