[2004年5月24日更新：If you just want to know the steps I recommend to close the various URI-related vulnerabilities, see “An Ounce of Prevention”。]
关键的问题Mac OS X安全建议announced earlier this week is that certain of the system’s default handlers for custom URI protocols expose exploitable security holes.
2004年5月22日更新：Apple发布了针对Panther的安全更新2004-05-24(and a separate更新捷豹）Included in this update is a new version of Help Viewer, which eliminates this security problemAfter installing this security update, it is safe to assign the ‘help’ URI protocol to Help ViewerHowever, this security update has no effect on the handling of the ‘disk’, ‘disks’, or ‘telnet’ protocols看到这个后续行动for more details.
The ‘disk’ and ‘disks’ protocols, by default assigned to DiskImageMounter, allow disk images to be mounted in your file system automatically.
The basic idea behind the exploit is that a malfeasant could set up a web page that (a) mounts a disk image on your system, and then (b) uses the ‘help’ protocol to trick Help Viewer into executing a malicious script at a known path location on the disk image volume automatically mounted in step (a).
这是真实的，可能是令人讨厌的I have yet to see any reports of the exploit actually being used maliciously, but it’s worth protecting againstHere are a few simple things you can do to protect your system:
下载RCDefaultApp, a free System Prefs panel from Rubicode. Install it in the PreferencePanes folder in your Library folder.
'救命'protocols to “<disabled>”.
更新：You should also disable to the ‘telnet’ protocol; see这里详情。
You should also open Safari’s preferences, and turn off the checkbox “Open ‘safe’ files after downloading” — when turned on, this setting allows disk images to be mounted automatically.
The fact that Help Viewer can execute scripts specified via ‘help’ protocol URIs is a feature that ostensibly allows for the creation of somewhat interactive help books例如an application’s help book could contain an AppleScript, linked from the help book’s HTML, that would illustrate some particular pointHowever, I’m unaware of any help books that actually use this feature.
MisFox and More Internet are similar utilities to RCDefaultApp, and are also both free, but there is an important differenceMisFox and More Internet both only show URI protocols registered through the Internet Config system; RCDefaultApp also shows protocols registered directly through Launch Services.
正如我几周前在“Fixing Corrupt Preferences for Default Internet Helpers”, Internet Config is a set of APIs that dates back to System 7On Mac OS X, the Internet Config APIs are still supported, but they’re just a layer on top of Launch Services来自Apple的“Internet配置参考介绍“：
Mac OS X applications should employ Launch Services and System Configuration for managing Internet preferencesIn Mac OS X, Internet Config calls through to these newer APIs. Using them directly increases your applicationÔøΩs efficiency.
The ‘disk’ and ‘disks’ protocols are registered directly in Launch Services, which means they aren’t displayed in MisFox or More Internet即，RCDefaultApp显示所有the protocol handlers registered on your system; MisFox and More Internet only display the protocols that are registered through Internet Config.
Plus, version 1.1 of RCDefaultApp, released earlier this week, introduced the feature that allows you to assign a protocol to “<disabled>”This is a more elegant solution than assigning these protocols to dummy applications, such as Mac OS X’s Chess game.