Help Viewer security vulnerability

This page demonstrates a security vulnerability in the Mac OS X Help Viewer application, which can execute local applications via a "help:runscript" url.

This page first gets a demonstration application (in this case a benign compiled AppleScript) onto your machine by having an iframe with a source url which points to a disk image file (this causes the browser to download the .dmg file). A few seconds later (giving time for the download to complete) it sets the source of the iframe to the help url, which causes the Help Viewer application to launch the file from the disk image.

In Safari, you have to click this link to get the disk image contents to execute. (In Mozilla-based browsers, this happens automatically.)

Other scripts that can be run locally

Using help:runscript urls, any AppleScript that has a known location by be run by a remote web page.

Some examples:


Simon Fraser
smfr@smfr.org