search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Apple Mac OS X "disk://" URI handler stores arbitrary files in a known location

Vulnerability Note VU#210606

Original Release Date: 2004-05-21 | Last Revised: 2006-05-01

Overview

A vulnerability has been reported in the default "disk://" protocol handler installed on Apple Mac OS X systems. Remote attackers may potentially use this vulnerability to create files on the local system without explicit user consent. We have not independently verified the scope of this vulnerability report.

Description

A vulnerability has been reported in the Apple Mac OS X default "disk://" URI Handler. If able to entice a user to visit a foreign web site, a remote attacker may potentially be able to download any arbitrary file to a known location on the local system. If the file is a disk image (".dmg"), it could be automatcially mounted as a disk volume available for use by an attacker. A separate vulnerability, VU#578798, has also been reported which may allow a remote attacker to execute arbitrary application files contained within a mounted disk image.

Browser or applications supporting "disk://" URIs.

Impact

A remote attacker may be able to download arbitrary files to a known location on a potentially vulnerable system.

Solution

Security Update 2004-06-07 has been released for the following system versions:

    • Mac OS X v10.3.4 "Panther"
    • Mac OS X Server v10.3.4 "Panther"
    • Mac OS X v10.2.8 "Jaguar"
    • Mac OS X Server v10.2.8 "Jaguar"

This update removes the "disk://" URI handler.

According to the posting on Secunia, implementing all three of the following steps may mitigate this vulnerability:

1) Uncheck ("Open 'safe' files after downloading");
2) Change the protocol helpers (applications) for URI handlers which are not required, e.g., disable the "help://" handler;
3) Add a separate protocol helper (application) for "disk".

Vendor Information

210606
 
Affected   Unknown   Unaffected

Apple Computer, Inc.

Updated:  May 21, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to Kang for reporting this vulnerability.

This document was written by Jason A Rafail of CERT/CC and is based on information from Secunia.com and SecurityTracker.com.

Other Information

CVE IDs: None
Severity Metric: 18.00
Date Public: 2004-05-17
Date First Published: 2004-05-21
Date Last Updated: 2006-05-01 19:31 UTC
Document Revision: 10

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.