Today, another MacOS X security hole was found.
This one allows arbitrary scripts and commands
to be run using two protocols - help: and disk:
An example can be found here:
http://bronosky.com/pub/AppleScript.htm
[It will issue a non-destructive command using
the Terminal].
I have found a workaround for this - it involves
turning off Apple's Help Viewer application, which
effectively disables the help: protocol:
% sudo chmod 000 /System/Library/CoreServices/Help\ Viewer.app
I fear that this security hole may also affect
AppleScript-aware applications that support the
"runscript" command.
I don't know yet how to disable the disk: protocol.
Alex