Ok, CNet needs to turn their attack dogs away from Apple. When ever there is a security issue with Apple CNet is there to start bashing them, but when Microcrap doesn't do anything about a security flaw that they have known about for 6 months, does anyone say anything?

Apple was notified of this in February. No response until shamed in the media, absolutely unacceptable.
Besides shoddy code M$'s achilles heel is ActiveX that can execute machine code (like reformat the hard drive) and is accessible in nearly every application. Applescript, while not able to do as much regarding system level or machine level calls is still way too powerful to allow to be run remotely or at least without overt permission.
M$'s excuse for the ActiveX presence is that it enhances their application interoperabilty, that is the same reason Apple allowed this, for a better help system. Time for a review priorities and close doors left open for sheer convenience.
BTW, Cnet is bad but did you catch how InformationWeek (M$ cheerleader extraordinaire) positioned it as "yet another flaw" hee hee hee, they'll be cheering into the vacuum for Longshot for the next, what, four years?!? Still Apple pulls this ivory tower c*** often and they should be leading the efforts to find and quash bugs instead of ignoring them, leadership, we need leadership not status quo!

M$'s excuse for the ActiveX presence is that it enhances their application interoperabilty, that is the same reason Apple allowed this, for a better help system. Time for a review priorities and close doors left open for sheer convenience.

Sorry, but to me, at least, the help system requires this usage. But its not a hole in the help system. And the user shouldn't need to be prompted every time you click on a 'show me how' or 'open this' link in help.

The problem, however, isn't in the help system. This would be solved completely if they didn't have the "help:" protocol set up. Why that's there is beyond me, but this is what's causing all the problems. This is the question about priority. Is it needed for some reason? Is it used by programs to launch the help viewer, or intended to be used by web sites to point to help pages? Is it in there because half of Apple's help system is on-line vs. local? These are the questions that need to be answered. All the pieces aren't the problem, its just why is one piece allowed to call another?

(BTW, technically you could have a trojan program which has a help file with a link to launch a malicious script, but technically why would anyone bother, as the program itself could launch the script).

yes, i was aware of gurlfriend. that's why my last line was about the modification of the script. i didn't like that idea after reading the posts, so i figured default handling would be a better route. the author of rcdefaultapp has updated to 1.1 allowing to disable certain urls such as disk and help. that's what i want. to repeat my previous post, is this the best fix for us?

re: mozilla/firefox
security issue is in the mac os, so it affects all browsers, not just safari.

re: opnapp.scpt
the other thing you need to realize is that opnapp.scpt is included with other language localizations, not just english. i'm not sure if gulrfriend nips every one of em, but if you have more than just english installed (which is quite a lot of people on a standard mac os x install), you have a lot of opnapp.scpt files on your mac already.

keeping my eyes open for a security update really soon in software update.

Closing this hole would in no way make you respond to a dialog every time you used help. This is a pretty specific scenario that would only affect a miniscule percentage of help instances if any in regular daily usage and doesn't undermine the quality of the help experience. Any program that can run code outside of itself should not be able to be controlled via url's. We like our safe macs but they are that way because the original system was not designed to be managed from the outside. UNIX always was and Apple has done an exemplary job buttoning it up, funny that it's a oversight in Apple's own stuff that allows for this. This will not be the last snafu but as long as the community is diligent hopefully issues will be preemptive or short lived as both of these have and Apple just needs to be more responsive and seem like they care.

Ok, CNet needs to turn their attack dogs away from Apple. When ever there is a security issue with Apple CNet is there to start bashing them, but when Microcrap doesn't do anything about a security flaw that they have known about for 6 months, does anyone say anything?

Uh, yes?

Don't be so thin skinned. Just because CNET wrote " "Apple has twice been criticized" you get all riled up? MS has been criticized a billion times for its security flaws - just because you do not read them does not mean it did not happen.