Forgot your password?
typodupeerror
Apple

babbage's Journal: General URI handling problem with OSX?

Journal by babbage

It occurs to me that the recent Safari/Help security issue in OSX could be broader than is being generally portrayed so far.

Consider: the fundamental issue here is that an OSX web browser -- Safari in the original reports, but apparently also Mozilla etc -- is acting as a broker for any URI that the user may come across, delegating the request out to external handler programs. Whether those external programs handle their URIs safely may be an open question.

The problem isn't really that Safari or Help is broken, but that the interaction between them, arising from the URI handling mechanism on OSX, is leading to Unintended Consequences.

OSX can handle many different URI namespaces, some of which seem to be used nowhere other than OSX. I'm having a hard time finding an exhaustive list of the URI protocols that OSX supports, but a partial list includes, in no particular order:

http://
https://
ftp://
mailto://
ssh://
telnet://
aim://
afp://
nfs://
smb://
sherlock://
itms://
daap://
help://

So far, I can think of published vulnerabilities in the telnet:// and now help:// protocols, but is that the end of it, or is the whole framework vulnerable to these sorts of attacks?

I have a hunch that we're just seeing the thin edge of the wedge...

This discussion has been archived. No new comments can be posted.

General URI handling problem with OSX?

Comments Filter:

Somebody ought to cross ball point pens with coat hangers so that the pens will multiply instead of disappear.

Working...