Wednesday, May 19 2004

“Hey, I’ve got a great idea! Let’s make it scriptable!”

This Mac security hole has been all over the web recently. The thing that makes it dangerous is that it’s ridiculously easy to exploit. The thing that makes it annoying is that anyone on the development team should have seen it coming a mile away, especially given the many well-publicized scripting exploits in Windows software.

How did it happen? WebCore. In an effort to produce a common HTML/HTTP library for all applications, functionality that used to be restricted to the Help tool was suddenly embedded in everything that retrieved or displayed web pages. Apple’s pervasive AppleScript support completes the circle.

Ask not what you can do with scriptable applications; ask rather what scriptable applications can do to you…

Update: The official fix is available via Software Update.

Update: You still need to turn off the Open “safe” files after downloading option in Safari, because disk: URLs still work, and mounted disk images can include auto-execute programs. Yes, there are two stupid features in the previous sentence.