Apple today released Security Update 2004-06-07 (for both 10.3.4 and 10.2.8). The easiest way to install it is via Software Update. Judging from the documented changes in the release notes, this update closes all the URI/Launch Services-related vulnerabilities that have been publicized in the last month. I’ve tested the update on three Macs, and indeed, it closes every vulnerability I’m aware of.
Even better, the release notes contain useful descriptions of the updated components and the vulnerabilities that have been closed. It’s not just better-documented than usual, it’s just flat-out well-documented. Read both of the above-linked documents, and you’ll know everything you need to know about the update. Documentation like this is exactly what I wished for in “Security Cannot Be Spun”.
The gist of Apple’s solution is that when Launch Services attempts to automatically launch an app that you’ve never before manually launched, it presents a confirmation dialog before launching the app. This solves the vulnerability where unknown apps could be launched automatically, and does so without removing any functionality.
I’ve updated my page of instructions for dealing with these vulnerabilities; the short version is that you simply need to update to the latest version of Panther or Jaguar (10.3.4 or 10.2.8), and then install all recent security updates.
If you previously used RCDefaultApp or More Internet to disable vulnerable URI protocols, you can re-enable them if you want. Note, however, that Security Update 2004-06-07 removed the ‘disk’ and ‘disks’ protocols from your Launch Services database. These protocols simply no longer exist. In addition, DiskImageMounter has been modified such that it will no longer mount volumes via these protocols, even if you were to re-enable them (the protocols).
If you want to turn Safari’s “Open ‘safe’ files” preference back on, it’s probably safe. I.e., there are no known remaining vulnerabilities you’d be exposed to. However, I think one of the lessons of this saga has been that it’s unwise to think there exists such a thing as a “safe file” that can be opened automatically after it’s been downloaded. In the spirit of “better safe than sorry”, I’m leaving this preference off.