Security Update 2009-002 / Mac OS X v10.5.7

Posted on Tue, 12 May 2009
Security Update 2009-002 / Mac OS X v10.5.7 is now available from Apple for users of OS X 10.4 and 10.5. Two closely related issues I reported have been addressed in this release:

  • Help Viewer

    CVE-ID: CVE-2009-0942

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6

    Impact: Accessing a maliciously crafted "help:" URL may lead to arbitrary code execution

    Description: Help Viewer loads Cascading Style Sheets referenced in URL parameters without validating that the referenced style sheets are located within a registered help book. A malicious "help:" URL may be used to invoke arbitrary AppleScript files, which may lead to arbitrary code execution. This update addresses the issue through improved validation of file system paths when loading stylesheets. Credit to Brian Mastenbrook for reporting this issue.

  • Help Viewer

    CVE-ID: CVE-2009-0943

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6

    Impact: Accessing a maliciously crafted "help:" URL may lead to arbitrary code execution

    Description: Help Viewer does not validate that full paths to HTML documents are within registered help books. A malicious "help:" URL may be used to invoke arbitrary AppleScript files, which may lead to arbitrary code execution. This update addresses the issue through improved validation of "help:" URLs. Credit to Brian Mastenbrook for reporting this issue.

Both of these issues are slight variants on an issue that was originally fixed in Security Update 2004-05-24 for OS X 10.2 and 10.3. While that update addressed the symptom of the issue, it did not fully address the root cause. The Help Viewer application includes a URL scheme "help:" which may be used to open help pages from other applications, including Safari. This URL scheme originally allowed any application to use the "help:runscript" form of the URL to invoke an arbitrary AppleScript on the user's filesystem. Security Update 2004-05-24 changed Help Viewer so that only the Help Viewer application itself could use the "help:runscript" URL to invoke a script.

However, several other forms of the URL could still be invoked by Safari, and it was possible through the use of a file on the user's computer to redirect Help Viewer to a "help:runscript" URL. In combination with a download that placed a stylesheet or HTML file and an AppleScript file on the user's computer, this could be used to execute arbitrary AppleScript code on a victim's computer without any prompting.
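Both fixes described in Apple's notes come down to a containment check: a path taken from a URL has to resolve inside a registered help book before it is loaded. The following is an added example, not Apple's code and not part of the original post, showing such a check and the cases a naive prefix comparison misses. The function names, the directory layout and the list of registered roots are assumptions, built in a temporary directory as constructed sample data.

```python
import os
import tempfile

def is_within_help_book(candidate, registered_roots):
    """Return True only if candidate resolves to a file inside a registered root."""
    # Resolve symlinks and ".." first, so the check sees the real target.
    real = os.path.realpath(candidate)
    for root in registered_roots:
        real_root = os.path.realpath(root)
        # commonpath compares whole path components, so ".../Sample.help" does
        # not match ".../Sample.helpX" the way a plain startswith() test would.
        if real != real_root and os.path.commonpath([real, real_root]) == real_root:
            return os.path.isfile(real)
    return False

def build_demo_tree():
    """Constructed sample layout: one registered book, a look-alike, a download folder."""
    base = os.path.realpath(tempfile.mkdtemp())
    book = os.path.join(base, "Help", "Sample.help")
    lookalike = os.path.join(base, "Help", "Sample.helpX")
    downloads = os.path.join(base, "Downloads")
    for d in (book, lookalike, downloads):
        os.makedirs(d)
        with open(os.path.join(d, "style.css"), "w") as f:
            f.write("/* constructed sample */\n")
    # Symlink that lives inside the book but points at the downloaded file.
    os.symlink(os.path.join(downloads, "style.css"), os.path.join(book, "link.css"))
    return book, lookalike, downloads

def run_demo():
    book, lookalike, downloads = build_demo_tree()
    cases = {
        "inside": os.path.join(book, "style.css"),
        "download": os.path.join(downloads, "style.css"),
        "traversal": os.path.join(book, "..", "..", "Downloads", "style.css"),
        "lookalike": os.path.join(lookalike, "style.css"),
        "symlink": os.path.join(book, "link.css"),
    }
    return {name: is_within_help_book(p, [book]) for name, p in cases.items()}

if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:10s} {'allow' if ok else 'reject'}")
```

Only the file that really lives inside the registered book is allowed; the downloaded file, the `..` traversal, the look-alike directory and the symlink out of the book are all rejected.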

This issue affects users of OS X 10.2 or later. Apple does not issue security updates for operating systems earlier than 10.4. I would strongly advise users of earlier versions to upgrade or discontinue use of the operating system as enough information is available in Apple's release note for attackers to construct a malicious web site which takes control of victims' computers.
