Serious OS X Security hole
Bleeping huge security hole
Mac OS X: Highly Critical Security Flaw
etc, etc, etc...
An Open Letter to Apple

Having a single set of bindings for trusted and untrusted sources is why Internet Explorer and Outlook have been security nightmares for most of the past decade.

I can understand Microsoft doing this: they have political reasons for "integrating" the desktop and the browser (they're not good reasons... trying to weasel out of an agreement with the DoJ is never a good reason). I can't understand Apple, though: there should be at least *two* unrelated sets of bindings... one to be used for applications that work with local documents and one for applications that work with untrusted documents... and the bindings for applications that work with untrusted documents should be *absolutely* minimal.

In fact, by default and in the absence of explicit user action nothing should ever be transferred from an untrusted document to another application, or any integration of trusted and untrusted namespaces. That includes:

Helper application for URL protocols (eg help:)
Helper applications for mime types (eg video/windows-media)
Helper applications for file extensions (eg .wma, .zip)
Internet-enabled disk images and installers.

If the target application is not known to be suitable for handling untrusted data, it must not be passed untrusted data.

If an application is known to be suitable for handling untrusted data, it must not be presented with helper applications that aren't similarly trusted.

This is a really basic security principle, one that nobody I know would have imagined would be commonly violated until Microsoft not only kicked it over but refused to pick it up again. For gods' sake, folks, don't accept the same insanity from Apple, and don't let Apple get away with a one-shot patch just for this specific instance of the problem... that way lies the Outlook-exploit-of-the-week syndrome.

Followup: Apple's patch doesn't address the underlying problem at all, see Another Open Letter to Apple.

Followup: The difference between what I'm proposing and Microsoft's "zones" is that rather than basing the security level on things like where the HTML control found the file, it would be explicitly passed to the HTML control by the application that was presenting it. Further, it would not be possible for the HTML control to raise the security level. Either the HTML control would make callbacks to the parent application to load embedded objects and links (which is my preferred model), or any links or embedded objects would inherit the security level from their source... they could lower the trust level, but not raise it.

Followup, six years later, another security hole in the help viewer expoitable by untrusted web pages: And, again, Apple...

IO
Lynx-enhanced by <peter at taronga.com> (Peter da Silva) Get Firefox - The Browser Reloaded