MacNewsWorld.com

Browser Flaw Latest Mac OS Hole


A Danish IT security company published an advisory Monday that warns of two Uniform Resource Identifier (URI) flaws in at least two Web browsers that run on Mac OS X.

Secunia wrote that it has confirmed these vulnerabilities in Safari 1.2.1 and in Microsoft's (Nasdaq: MSFT) Internet Explorer (IE) 5.2. The firm also stated that the flaws might affect other Mac OS-compatible browsers.

The company updated its rating of the flaw Tuesday from critical to extremely critical because so many working exploits are obtainable.

No Help

According to Secunia, malicious Web sites can compromise Mac OS X computers in two ways. A "help" URI handler can execute what the firm termed an "arbitrary local script (.scpt)" through "the classic directory traversal character sequence using 'help:runscript.'"

In addition, the flaw allows malicious sites to secretly place random files on a victim's computer by using the "disk" URI handler.

A URI is a string of characters, such as "ftp:" or "http:", that points the browser window to the proper resource. Secunia said that no solution exists to combat this set of vulnerabilities.

The company recommends that OS X users avoid "untrusted" Web sites, rename any URI handlers that are not necessary, and not use the Web as a "privileged user."
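As an added illustration (not code from Secunia, Apple or this article), the Python check below shows how a content filter could flag page markup that references URI schemes outside a web allowlist, such as the "help" and "disk" handlers described above, and note directory-traversal sequences in them. The allowlist, the function names and the sample markup are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Assumption: schemes this filter treats as ordinary web content.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}
SCHEME_RE = re.compile(r"([a-z][a-z0-9+.\-]*):", re.I)

def classify(uri):
    """Return (scheme, has_traversal) for a non-allowlisted URI, else None."""
    cleaned = uri.strip(" \t\r\n\x00")   # browsers ignore leading whitespace
    m = SCHEME_RE.match(cleaned)
    if not m:
        return None                       # relative reference, no scheme
    scheme = m.group(1).lower()
    if scheme in ALLOWED_SCHEMES:
        return None
    # Decode twice so %2e%2e%2f and double-encoded forms are still seen.
    decoded = unquote(unquote(cleaned))
    return scheme, ("../" in decoded or "..\\" in decoded)

class SchemeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []                # (tag, scheme, has_traversal)
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        candidates = [attrs.get(a) for a in ("href", "src", "action")]
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # The redirect target follows "url=" in content="0;url=...".
            parts = re.split(r"url\s*=", attrs.get("content") or "", maxsplit=1, flags=re.I)
            if len(parts) == 2:
                candidates.append(parts[1].strip("'\" "))
        for value in candidates:
            hit = classify(value) if value else None
            if hit:
                self.findings.append((tag, *hit))

def scan(html):
    parser = SchemeScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup; the non-web URIs are inert placeholders.
SAMPLE = """<a href="http://example.com/page">ok</a>
<iframe src="help:PLACEHOLDER/..%2F..%2Fexample.scpt"></iframe>
<meta http-equiv="refresh" content="0;url=disk:PLACEHOLDER">
<a href=" HELP:placeholder">mixed case</a>"""
```

Calling `scan(SAMPLE)` returns one tuple per flagged attribute; the allowlist approach means any other unexpected protocol helper is reported as well, not only the two named in the advisory.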

No Reply

Secunia first learned of these vulnerabilities from someone with the handle "lixlpixel." Lixlpixel asserted that he first told Apple (Nasdaq: AAPL) about the problem back on February 23rd but has yet to receive a reply.

Lixlpixel decided to come forward with the information because "these 'exploits' are on the rise, and it's so easy to protect yourself."

According to lixlpixel, users need to download a freeware preference panel called More Internet, which works by giving users the ability to decide which applications they want to set as Internet protocol helpers.

On its Web site, Secunia did not confirm whether More Internet's application would solve the problem.

