Safari 'carpet bombing' exploit could be serious
A zero-day vulnerability in Safari that could litter a user's desktop (or downloads folder) with arbitrary files is a serious security flaw, argues ZDNet, and not a mere "annoyance" as Apple claims. The user only needs to click a link to a malicious website; that site can then begin downloading arbitrary files (including applications) to the user's computer without their permission. The problem affects both the Windows and Mac versions of Safari.
Researcher Nitesh Dhanjani reported the flaw to Apple, which promised to patch it in a future release of Safari. ZDNet and StopBadware.org contend, however, that a patch should be released immediately.
It's old advice, but it bears repeating: be careful of the links you click, and know where they go before you click them.



Reader Comments (Page 1 of 2)
Cameron Moon said 12:53AM on 5-30-2008
ptshhh! Safari can't have an exploit, it is made by apple!
Justin said 12:59AM on 5-30-2008
Your name should be Cameron "Toon" 'cause you're an idiot... Just shut up... k? Thanx
gianpo said 1:03AM on 5-30-2008
So what if it downloads stuff into your downloads folder? The stuff you download doesn't open by itself, so just erase it. So, like Apple says, it's just an annoyance.
RobK said 9:59AM on 5-30-2008
You are obviously not seeing the BIG picture here. One of these files downloaded onto your Desktop could be (and likely will be) a malicious program. Even if the program does NOT require administrative rights, it can do a LOT of damage (like deleting all the files, photos and music in your home folder!). And if you think an average Mac user will not click on one of these new icons on the Desktop, you are gravely mistaken.
If the user is really stupid and grants the program administrative rights (by entering the User name and password of an administrator), then the game is over since the program could DO anything. (e.g. install spyware, grant remote access to your computer to the hacker etc).
Bugs like this one are NOT mere annoyances. I am also very surprised when I hear Apple users so confident that Mac OS X is a secure OS. It is not. It is full of security flaws; some are known and many are not. With Safari being available on Windows, much more of Apple's insecure code will be revealed.
Almost all OSes have problems like this. The key is to patch them quickly. I hate to say it, but MS does a very good job at quickly patching flaws. Even Linux / BSD does a good job. But in my view, Apple is AWFUL. They are one of the slowest computer companies to patch flaws. IMHO, there needs to be a culture change at Apple.
Joseph said 1:29AM on 5-30-2008
Justin,
lighten up son!
Travis L said 1:59AM on 5-30-2008
Safari didn't see an update in the 10.5.3 update, and WebKit was not updated to the latest nightlies (Safari still does not pass Acid3 after 10.5.3, whereas the latest WebKit does), so I think it's fairly safe to assume a Safari update will be pushed out the door rather soon, possibly at WWDC. Until then, meh. This isn't major. If it could execute what it downloaded, then it'd be major. Until then, Safari will stay my default browser.
Cycomachead said 2:18AM on 5-30-2008
Wait a second, isn't this just visiting a site that has an auto download? Personally, I like it the way it is right now. I know what sites I go to. Also, is it 'littering' the downloads folder or the default folder for downloads? I have mine set to the desktop. I know pretty fast if something is there that shouldn't be. Of course, I might be stupid and click it out of curiosity, but that's me. Being that things can't open themselves, it should be fine. I really hate IE's popups when trying to use something like SourceForge; they slow me down, and when I forget to click them, I spend time wondering where my file went, only to discover my time waiting for the download to finish was useless because it didn't download.
Ed said 2:48AM on 5-30-2008
Bit old eh? 2 weeks ago: http://www.theregister.co.uk/2008/05/15/apple_safari_carpet_bombing_vuln/
Darren said 3:52AM on 5-30-2008
The author's characterization of this as "arbitrary desktop write access" is pure nonsense.
One of the reasons I prefer Safari is for the way it handles downloads. And I, like most people, configure Firefox to automatically download known files (like .zip files) as well. Therefore, an option to prompt before download simply doesn't solve anything.
Stealth download is a problem that has been around as long as web browsers have been around. It cannot be handled at the browser level, which is why Microsoft and Apple now handle it at the OS level.
There are endless ways a web site can be annoying to the point that you must quit your browser. "Carpet Bombing" is just another of those annoyances, and it affects *all* browsers. What's more annoying: a download folder full of files, or an endless parade of download confirmation prompts that would require you to force-quit your browser?
Hrmm said 6:55AM on 5-30-2008
If you go to execute one of these files, it still pops up that standard warning "This file came from a website. Are you really sure you want to run this FREE PR0N HOTTIE HOTTIE YOUNG TEEN FARM SEX viewer, you dumbass." (paraphrased ;) ) along with the link to the website, right? If so, I'd still class that as a nuisance; the worst it is is a waste of my bandwidth and HD space [till I get around to my periodic cleaning of the Download folder].
basscadet said 9:20AM on 5-30-2008
So, suppose you end up with an icon that says My C0mputer on an XP machine and then, wanting to access that area, you click on it without much thinking: My C0mputer.exe is executed and does whatever it wants. That wouldn't be a minor annoyance.
alansky said 12:59PM on 5-30-2008
"Even if the program does NOT require administrative rights, it can do a LOT of damage (like deleting all the files, photos and music in your home folder!)." --RobK
What are you smoking, dude? What you have just said is sheer nonsense. Programs can do nothing unless the user (after being dumb enough to visit a malicious website to begin with) actually LAUNCHES an offending program. There is no such thing as a program that downloads itself, then launches itself, on a Mac. Not to mention the fact that, if you are using Safari, it warns you when you attempt to launch ANY program that was originally downloaded from the internet. There is no foolproof protection against terminal stupidity.
RobK said 3:06PM on 5-30-2008
Of course the user must click on the application to take advantage of this particular exploit. But many users are frankly stupid.
The worst exploits download code and automatically run it. They do exist. Look at the Safari exploit that was used to take over a MacBook Air running Leopard during a $10,000 pwn-to-own contest. (see http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9078399&source=rss_news10 )
All the user had to do was click a link in an EMAIL which took Safari to a website containing the code. The code was run AUTOMATICALLY and the Mac was taken over. The user only had to click a link in an email or visit this malicious website. Nothing more.
Get your head out of dreamland. Macs are no different than Windows PCs or Linux boxes. If there is an exploit that allows automatic "arbitrary code execution", you could be in trouble.
The real solution is a change in user behaviour. Do NOT click on links in EMAIL especially from those you do not know. etc.
alansky said 1:05PM on 5-30-2008
P.S. Even my 91-year-old client (who frequently clicks links he shouldn't be clicking) has the good sense to call me when he sees a new icon he doesn't recognize on his Desktop. It's not that it's impossible for a malicious program to do damage on a Mac; it's that, before this can happen, the user has to make a series of really stupid mistakes that no one with half (or even a quarter) of a brain would make.
alansky said 4:18PM on 5-30-2008
In the end, all I can say is that, after more than 20 years of using a Mac every single day, I have never seen a single Mac exploit of any kind--not one. Nor have any of the hundreds of other Mac users I have helped in all these years. I can't be the only one! I realize that Windows users find it comforting to tell themselves that Macs are just as vulnerable as PC's, but it simply isn't true.
RobK said 7:17PM on 5-30-2008
Well, the main reason why you have not seen many exploits on the Mac relates to profit. Most exploits these days are being used to make $$. It is not worth it for malware developers to make $$ off exploits in the Mac. Since there are so many more Windows PCs, it makes more sense to target that machine and develop malware for Windows PCs. But since the market share for the Mac has gone way up in recent months, that may change.
The main vectors for exploits are vulnerabilities in web browsers and multimedia players (e.g. Flash, RealPlayer, QuickTime). Most browsers (including Firefox and Safari) are configured to download and RUN code automatically (e.g. JavaScript) and plugins automatically (e.g. Flash, which then downloads and runs Flash content which could be malicious) without any user intervention. If there is a vulnerability in the browser (and there has been, even on the Mac), one can "pwn" or take over your computer if you just visit a web site. (e.g. The early jailbreak software used a flaw in Safari on the iPhone to run jailbreak software. You just had to visit the jailbreakme website with your iPhone to jailbreak your phone!)
An awful thought, but that is the truth. When MS, Apple and Linux devs are informed of these exploits, they get patched. My big complaint is that Apple is one of the slowest to patch exploits.
bobwill said 5:38PM on 5-30-2008
Wasn't this part of a two part problem from a little while ago?
The second part had to do with the fact that Safari does not notify the user when a hyperlink executes local code.
So, the user could then click on a link that executes the code that was just downloaded.
I would assume that Mac users would get the downloaded application dialog; however, would Windows users get something similar?
RobK said 7:24PM on 5-30-2008
Most browsers execute code when you visit a website without any user interaction. e.g. Most browsers (like Safari and Firefox) are configured to execute JavaScript automatically. If there is a flaw, you could be "pwned".
And yes, normally when you download a file using Windows or the Mac you are presented with a download dialog box. But whether you see it when you visit a malicious website depends on the exploit being used by the website. If you are vulnerable to an exploit that allows the website to download files behind your back and the website is using that exploit, well, you won't see a download dialog box!
Tice said 3:59AM on 5-31-2008
It just doesn't work - at least not the way they describe it. If you have multiple CGIs in iframes, Safari just shows the text "access not available"... so CGIs don't download automatically. But Safari loads, like every other browser, specific files like .dmg's or .zip's (or server-side pushed downloads) - so what's the big deal? That works with Firefox and all other browsers too. Don't get it.
mematron said 2:17PM on 5-31-2008
Average Mac users are not dumb enough to give admin access to apps they don't know WTF they do.
Our operating system is deceptively simple. That by no means connotes that it engenders an OS that is prosaic in its security design.
Let's not forget that this is Unix we are talking about. Whatever Apple has done to make it look prettier, it's still friggin *nix.
Windows is still DOS... Yeah, I went there. That's precisely why it still sucks.
Furthermore, kiddies, your little admin account ain't root. You get that? All you morons, including the author apparently, don't know enough about Mac security to take into account that root has to be enabled. You can't do it with your "user name and password".
Guess what, humans? The admin account is not system; root is. Admins can't hose the system completely. Admin is not the god account.
So, knowing this, especially if one does not know the system that well, why on Earth would one just go ahead and let an unknown do what it wants?
You see, old school Mac users aren't falling for it. We never did. New Mac users coming from Winblows really aren't going for it because of the bad taste micro$atan left in them. Linux users coming on board are just like Mac users - they have brains.
Who is left? Yeah, that's why Apple is not putting this on the high priority.
Our lesson for today, n00bs, is stop the FUD and just admit that OS X is the superior OS. To what? To all of them.
One more thing. You might want to Google my name and read up before any of you decide to match wits with me. I'm right about all this. The discussion is over.
...end of line