jmothy, that worked perfectly - thanks! I'd encourage everyone to patch that script - all you need to do is navigate to the the file in the Finder (using 'Show Package Contents' when appropriate) and then open it into Script Editor. Works like a charm.

Klinux, that's exactly why I asked for some proof or examples.

They indeed modified lots of things, but to claim they "compromised" the underlying architecture is completely baseless, unless we are shown proof of some "new" and unknown evidence.

Therefore I claim it's fear, uncertainty and doubt (thanks, I know what FUD is). Fear of being hacked, uncertainty because he doesn't know what he's talking about and I doubt he should have voiced his uneducated allegations.

There you go wise guy. Think, then post.

Look up the definition of FUD - it describes an unethical marketing technique. You may fear shiny objects, be uncertain of your next paycheck, and have doubt about your future prospects but that does not make it FUD.

This threat is real - whether you are a zealot or not.

This problems allows the Help Viewer to execute any UNIX command via clicking a link.

As far as I know, this problem does not occur with any other *nix. Would love to see evidence showing otherwise.

You can babble all you want, but it has nothing to do with my initial criticism which still stands.

This statement is not true: Apple is trying to make a user-friendly UNIX by compromising the basics of UNIX.

Until I see an example which proves this statement (and not some other story I never mentioned), I'll take it for the bull it is.

"The flaw works with any browser,"

It does not appear to work with Mozilla on my Macs.

The article (New Security Hole Found in OS X) in eWeek: http://www.eweek.com/article2/0,1759,1594660,00.asp

quotes Thomas Kristensen, chief technology officer of security company Secunia, of Copenhagen, Denmark, who said:
"All operating systems and software have flaws, and it's dangerous to categorize one OS as more secure than another."
What I'd like to know is WHY is it dangerous to do this if it is the TRUTH. Seems to me this kind of information would be very helpful to someone wishing to find an OS that has a good security track record, and/or to avoid the ones that don't.

And then he says: "Unless a system is built from the ground up with its focus on security, you're going to have plenty of holes. Apple's focus with OS X is ease of use first and foremost."
What is his basis for this statement? Does he have inside info from Apple that tells him that they put security down on their list? Since OSX does NOT have "plenty of holes" then this fact alone should prove that Apple DOES have a sharp focus on security. This guy is spouting B.S.

My opinion of these so-called "securty experts" is getting worse every day.

This problems allows the Help Viewer to execute any UNIX command via clicking a link.

As far as I know, this problem does not occur with any other *nix. Would love to see evidence showing otherwise.

It could happen with any program, it just may be no one has found one yet (h***, it took someone, what at least 6 months to find this problem). Some would argue its not an OS problem at all, since the GUI isn't part of the OS (so Apple's 'bastardization' isn't at fault), and this is more of a GUI/OS X problem then an underlying Aqua problem.

Oh, and most people would find apple's use of a case insensitive file system an EXTREMELY GOOD THING! One huge problem most *nixes have is the stupid world of 8 files called Readme, all cased differently. Or just having to remember to type in the correct case to get a file to open. Its just plain stupid-a**, but its the way its always been, and the unix geeks like it that way (keeps the mentally challenged PC users off their systems so they can feel they're part of their own club).

There isn't much you can do from the terminal unless you grant administrative or root access. That requires the user enter their password for administrative access, and root access have the knowhow to enable root. So even if it was a serious flaw, it isn't as bad as Windows which grants root access even to the most unsuspecting user.

Boy, you people like to spew, don't you. This problem IS serious, as it allows a user to click a hyperlink and have something executed. To say "Its no big deal because you don't have admin rights" is just silly. First, you can still have everything you have permissions on to be deleted. Second, it could be used to install trojans, sniffers, or other programs for later execution.

To claim its FUD is baseless.

As for this quote:
And then he says: "Unless a system is built from the ground up with its focus on security, you're going to have plenty of holes. Apple's focus with OS X is ease of use first and foremost."

Its completely wrong. It doesn't matter if your focus is on security or not. You can still have holes. You'd need ultra-high-end code review, re-review, plus a group of people doing the ol' "thinking outside the box" to look for security holes in their software. And even with all that, it still can contain flaws. OpenSSH (from OpenBSD, which is supposed to follow this whole 'security from the ground up concept') has had vulnerabilities found. The Linux and open-source crowd, who crow about how holes can be found by the hundred idiots at the bazaar, still let out software with security holes in it.

There's only ONE way to keep your computer and OS secure. Don't turn on the computer.

"It could happen with any program, it just may be no one has found one yet "

Arguing the negative? So I can say Apple is thw most insecure OS EVER but it may just be it has not been proven yet so it is true?

And had Apple gone with being case sensitive and UNIX case insensitive, watch all the zealots here proclaim how great case sensitivity is just because Apple supports it!

Also, Simon, messing with case insensitivity and directory structure is compromising one of the basics of UNIX. I do not know how much more basic do you want to get.

> Also, Simon, messing with case insensitivity and directory structure is compromising one of the basics of UNIX. I do not know how much more basic do you want to get.

klinux, would you please read what I actually wrote and think before you post. I never said they didn't fiddle with case sensitivity or directory structure.

But the stuff they did has nothing to with this exploit and it has even less to do with security. Bauhaus' original post was bullshit and nothing you have posted changed anything about that.

This is a board to discuss. That means reading what other people say and arguing those issues. If you want to just listen to yourself babble and miss other people's point you should perhaps try a tape recorder instead.

If you know what you're doing this is the easiest fix: Change Help Viewer's Info.plist. Change the NSAppleScriptEnabled property from true to false. Took me two seconds and none of the proof of concept pages I've visited (I've visited all the ones I could find) don't work. Help launches but nothing happens after that.