Re: Serious Mac OS X vulnerabilities addressed by Apple update of 6/7

From: Aron Roberts <aron_at_socrates.berkeley.edu>
Date: Tue Jun 08 2004 - 13:42:57 PDT

Hi Effie,

At 13:16 -0700 2004-06-08, Effie Dilworth wrote:
>I did what both John Gruber and Secunia suggested, and then did the
>combo MacOS update from early last week. Is it OK to leave in the
>change to Info.plist that I believe Gruber recommended?

   Assuming you've also installed Apple's "Security Update
2004-06-07," yes, any changes that you (or others) made previously
using tools like the RCDefaultApp or More Internet system preferences
panes to protect your system from these vulnerabilities - such as the
modifications described at
<http://daringfireball.net/2004/05/unsafe_uri_handlers> - should be
OK to leave alone.

   If you wish, you can use RCDefaultApp to re-enable handling of the
"help://" and/or "telnet://" protocols by their default applications,
Help Viewer (/System/Library/CoreServices/Help Viewer.app) and
Terminal (/Applications/Utilities/Terminal.app), respectively, now
that both of these applications' vulnerabilities have been addressed,
but that's strictly up to you.

   As John Gruber wrote <http://daringfireball.net/2004/06/security_update>:

>If you previously used RCDefaultApp or More Internet to disable
>vulnerable URI protocols, you can re-enable them if you want. Note,
>however, that Security Update 2004-06-07 removes the 'disk:' and
>'disks:' protocols from your Launch Services database. These
>protocols simply no longer exist. In addition, DiskImageMounter has
>been modified such that it will no longer mount volumes via these
>protocols, even if you were to re-enable them (the protocols).

   Here are Gruber's 'current and up-to-date' instructions about how
to address this set of Mac OS X security vulnerabilities, now
entirely via Apple updates:

   http://daringfireball.net/2004/05/ounce_of_prevention

Aron Roberts
Workstation Software Support Group

(cc'ing MAGNet with Effie's permission, with a changed subject line
to reflect the primary topic ...)

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about MAGNet, its meetings and events, and its
mailing list, including information on subscribing and unsubscribing,
see the MAGNet Web site at <http://magnet.berkeley.edu/>.
Received on Tue Jun 8 13:44:22 2004

This archive was generated by hypermail 2.1.8 : Tue Jun 08 2004 - 13:44:22 PDT