(update: May 20 - i got a reply, it should be fixed soon)
(update 2: May 22 - Thank you, Apple. the fix is out...
go to Software Update in your Preferences to download and install it.)

i told Apple on 23rd of February about this and never got any reply.
so i kept quiet but since these "exploits" are on the rise and it's so easy to protect yourself - here you go :

this is made possible, because there's a link which tells Apple HelpViewer to open programs you specify.

of course you have to know the exact location of the program on the computer, and this can be a problem,

since all .dmg files are mounted in the same location.

so after the user mounted the .dmg file it could be possible to trick someone to click this link to start HelpViewer.

---

it seems that changing the protocol-helper for "help:" is one temporary solution for this.

there is an application to download named moreInternet, a freeware preference panel

to specify which applications are set as helpers for internet protocols (made by monkeyfood.com),

which you can use to change the "help:" protocol to some other program.
(note that this has to be done for each user on the computer)

---

phparadise | phpsnippets | RSS news feeds | apple news | lixlpixel 2004