{"vuid":"VU#210606","idnumber":"210606","name":"Apple Mac OS X \"disk://\" URI handler stores arbitrary files in a known location","keywords":["Apple","Mac OS X","Safari",".dmg",".scpt"],"overview":"A vulnerability has been reported in the default \"disk://\" protocol handler installed on Apple Mac OS X systems. Remote attackers may potentially use this vulnerability to create files on the local system without explicit user consent. We have not independently verified the scope of this vulnerability report.","clean_desc":"A vulnerability has been reported in the Apple Mac OS X default \"disk://\" URI Handler. If able to entice a user to visit a foreign web site,  a remote attacker may potentially be able to download any arbitrary file to a known location on the local system. If the file is a disk image (\".dmg\"), it could be automatcially mounted as a disk volume available for use by an attacker. A separate vulnerability, VU#578798, has also been reported which may allow a remote attacker to execute arbitrary application files contained within a mounted disk image. Browser or applications supporting \"disk://\" URIs.","impact":"A remote attacker may be able to download arbitrary files to a known location on a potentially vulnerable system.","resolution":"Security Update 2004-06-07 has been released for the following system versions: Mac OS X v10.3.4 \"Panther\"\nMac OS X Server v10.3.4 \"Panther\"\nMac OS X v10.2.8 \"Jaguar\"\nMac OS X Server v10.2.8 \"Jaguar\" This update removes the \"disk://\" URI handler.","workarounds":"According to the posting on Secunia, implementing all three of the following steps may mitigate this vulnerability: 1) Uncheck (\"Open 'safe' files after downloading\"); 2) Change the protocol helpers (applications) for URI handlers which are not required, e.g., disable the \"help://\" handler; 3) Add a separate protocol helper (application) for \"disk\".","sysaffected":"","thanks":"Thanks to Kang for reporting this vulnerability.","author":"This document was written by Jason A Rafail of CERT/CC and is based on information from Secunia.com and SecurityTracker.com.","public":["http://secunia.com/advisories/11622/","http://www.securitytracker.com/alerts/2004/May/1010167.html"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2004-05-21T19:15:53Z","publicdate":"2004-05-17T00:00:00Z","datefirstpublished":"2004-05-21T21:58:48Z","dateupdated":"2006-05-01T19:31:06Z","revision":10,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"8","cam_impact":"12","cam_easeofexploitation":"20","cam_attackeraccessrequired":"20","cam_scorecurrent":"18","cam_scorecurrentwidelyknown":"18","cam_scorecurrentwidelyknownexploited":"32.4","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":18.0,"vulnote":null}