More examples of the same problem previously mentioned.
Instead of putting "Download Validation" in LaunchServices, create a separate interface for programs that are opening untrusted documents and files, one that only contains applications designed to deal specifically with untrusted objects. These applications would tend to be "viewer" versions, with editing, scripting, and of course any kind of automatic unpacking or installing disabled. For example, they might have...
- An archive application that just displays the contents of the archive, and lets you decide what to do with it. And, of course, uses this "WebServices" interface to open documents in the archive.
- Something like Microsoft's "Word Viewer" application, that lets you view Word documents on Windows without being able to run scripts.
- An FTP client that is limited to downloading files and (of course) uses "WebServices".
- And so on... and most importantly it wouldn't contain handlers for things like "help:" or "x-man-page:" or any scripting language... so even if they manage to hide something in an archive that's pointing to the "wrong" type there won't be any handler for it to take advantage of...

This would not just eliminate these problems, it would turn other problems (like the Preview and BOM holes that could be exploited through Open Safe Files) from big security problems into little reliability problems.
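As an added illustration of the viewer-only interface the post sketches (this is example code written for this page, not code from the original post or from Apple): a small dispatcher that identifies untrusted objects by their content rather than by their declared name or type, consults a handler table that contains only viewer-style handlers, lists archives without extracting or opening anything, and has no entry at all for schemes such as help: or x-man-page:, so a mislabelled object simply finds no handler. The handler names (`pdf_viewer`, `readonly_browser`, and so on), the magic-byte table and the sample archive are all assumptions made up for the example.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Content sniffing by leading bytes. The declared type (file extension,
# archive entry name) is never used to choose a handler. Table is an
# assumption for this example, not a complete list of real signatures.
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"PK\x03\x04", "application/zip"),
]

# Viewer-only handlers (hypothetical names). Note what is absent: there is
# no entry for help:, x-man-page:, file:, or any scripting language, and
# no handler here may unpack or install anything.
VIEWERS = {
    "application/pdf": "pdf_viewer",
    "image/png": "image_viewer",
    "image/jpeg": "image_viewer",
    "text/plain": "text_viewer",
}

# The only URL schemes this interface knows how to show, read-only.
URL_VIEWERS = {"http": "readonly_browser", "https": "readonly_browser"}

EXTENSION_TYPES = {".pdf": "application/pdf", ".png": "image/png",
                   ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
                   ".txt": "text/plain", ".zip": "application/zip"}

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


@dataclass
class Decision:
    action: str                      # "view", "list_archive" or "refused"
    handler: Optional[str] = None
    reason: str = ""
    entries: List[Tuple[str, int]] = field(default_factory=list)
    declared_type_mismatch: bool = False   # name claimed one type, bytes say another


def sniff_type(data: bytes) -> Optional[str]:
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    # NUL-free UTF-8 is treated as plain text; anything else is unknown.
    if b"\x00" not in data:
        try:
            data.decode("utf-8")
            return "text/plain"
        except UnicodeDecodeError:
            pass
    return None


def declared_type(name: str) -> Optional[str]:
    dot = name.rfind(".")
    return EXTENSION_TYPES.get(name[dot:].lower()) if dot >= 0 else None


def open_untrusted_url(url: str) -> Decision:
    """A link coming from an untrusted object: only listed schemes get a viewer."""
    m = SCHEME_RE.match(url)
    scheme = m.group(1).lower() if m else ""
    handler = URL_VIEWERS.get(scheme)
    if handler is None:
        return Decision("refused", reason=f"no handler for scheme {scheme!r}")
    return Decision("view", handler=handler)


def open_untrusted_file(name: str, data: bytes) -> Decision:
    actual = sniff_type(data)
    declared = declared_type(name)
    mismatch = declared is not None and declared != actual
    if actual is None:
        return Decision("refused", reason="unrecognized content",
                        declared_type_mismatch=mismatch)
    if actual == "application/zip":
        # Archives are listed only. Nothing is extracted and no entry is
        # opened automatically; each entry would go back through this same
        # interface when, and only when, the user asks for it.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                entries = [(i.filename, i.file_size) for i in zf.infolist()]
        except zipfile.BadZipFile:
            return Decision("refused", reason="corrupt archive",
                            declared_type_mismatch=mismatch)
        return Decision("list_archive", entries=entries,
                        declared_type_mismatch=mismatch)
    handler = VIEWERS.get(actual)
    if handler is None:
        return Decision("refused", reason=f"no viewer for {actual}",
                        declared_type_mismatch=mismatch)
    return Decision("view", handler=handler, declared_type_mismatch=mismatch)


def build_sample_archive() -> bytes:
    """Constructed sample input: a zip whose entry names lie about their content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("vacation.jpg", "help:some-page")   # text pretending to be an image
        zf.writestr("README.txt", "hello")
    return buf.getvalue()


if __name__ == "__main__":
    print(open_untrusted_url("help:some-page"))
    print(open_untrusted_file("photo.jpg", build_sample_archive()))
```

The two things worth noticing are that dispatch happens on sniffed content, so renaming a zip to `photo.jpg` only sets `declared_type_mismatch` and still lands in the list-only archive path, and that a `help:` or `x-man-page:` reference is refused not by a blocklist but because the table for untrusted objects never had such a handler to begin with.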