search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Apple Mac OS X "disk://" URI handler stores arbitrary files in a known location

Vulnerability Note VU#210606

Original Release Date: 2004-05-21 | Last Revised: 2006-05-01


A vulnerability has been reported in the default "disk://" protocol handler installed on Apple Mac OS X systems. Remote attackers may potentially use this vulnerability to create files on the local system without explicit user consent. We have not independently verified the scope of this vulnerability report.


A vulnerability has been reported in the Apple Mac OS X default "disk://" URI Handler. If able to entice a user to visit a foreign web site, a remote attacker may potentially be able to download any arbitrary file to a known location on the local system. If the file is a disk image (".dmg"), it could be automatcially mounted as a disk volume available for use by an attacker. A separate vulnerability, VU#578798, has also been reported which may allow a remote attacker to execute arbitrary application files contained within a mounted disk image.

Browser or applications supporting "disk://" URIs.


A remote attacker may be able to download arbitrary files to a known location on a potentially vulnerable system.


Security Update 2004-06-07 has been released for the following system versions:

    • Mac OS X v10.3.4 "Panther"
    • Mac OS X Server v10.3.4 "Panther"
    • Mac OS X v10.2.8 "Jaguar"
    • Mac OS X Server v10.2.8 "Jaguar"

This update removes the "disk://" URI handler.

According to the posting on Secunia, implementing all three of the following steps may mitigate this vulnerability:

1) Uncheck ("Open 'safe' files after downloading");
2) Change the protocol helpers (applications) for URI handlers which are not required, e.g., disable the "help://" handler;
3) Add a separate protocol helper (application) for "disk".

Vendor Information


Apple Computer, Inc. Unknown

Updated:  May 21, 2004



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



Thanks to Kang for reporting this vulnerability.

This document was written by Jason A Rafail of CERT/CC and is based on information from and

Other Information

CVE IDs: None
Severity Metric: 18.00
Date Public: 2004-05-17
Date First Published: 2004-05-21
Date Last Updated: 2006-05-01 19:31 UTC
Document Revision: 10

Sponsored by CISA.