Filed under: Internet, Security
Safari 'carpet bombing' attack code in the wild
The Safari "carpet bombing" blended-threat vulnerability discovered in May could be more dangerous for Windows users now that exploit code is available online. Mac users are not affected by the threat.
The exploit takes advantage of the fact that the Desktop is Safari's default download location. Pair that with a flaw in Internet Explorer that allows files with a particular name to be run automatically, and you have a situation where Safari downloads a file and IE runs it.
InfoWorld notes that the source code and demo were posted on Sunday. Apple has so far not commented on the InfoWorld story and has no plans to alter Safari. Since downloading to the Desktop is Safari's only involvement in the threat, there doesn't appear to be any problem on Apple's side to correct.
Microsoft's problem, on the other hand, has to do with automatically running files that happen to carry a name IE treats specially, which Microsoft has known about since 2006. Microsoft has not commented on the story either, but its suggestion is still to avoid using Safari for Windows.
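The defender-side signal in the scenario above is not the single file but the burst: a page can push many downloads into the Desktop folder in seconds without any user click. The following is an added example (not code from the article or from Apple or Microsoft) of a small burst detector over file-creation events. It assumes the defender already collects (timestamp, path) creation events for the download folder from an endpoint agent or filesystem watcher; the event stream below is constructed for illustration.

```python
"""
Burst detector for drive-by "carpet bombing" downloads.

Assumption (not from the article): an endpoint agent or filesystem watcher
supplies file-creation events for the user's download folder as
(unix_timestamp, path) tuples. Bursts of many files created in quick
succession are flagged for investigation.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Burst:
    start: float                 # timestamp of first file in the burst
    end: float                   # timestamp of last file in the burst
    count: int                   # number of files created in the burst
    sample_paths: Tuple[str, ...]  # first few paths, for the analyst


def detect_download_bursts(
    events: Iterable[Tuple[float, str]],
    max_gap_seconds: float = 2.0,
    threshold: int = 10,
) -> List[Burst]:
    """Cluster creation events whose consecutive gaps are at most
    max_gap_seconds; return every cluster holding at least `threshold`
    files. Normal user downloads arrive minutes apart and never cluster."""
    ordered = sorted(events)
    clusters: List[List[Tuple[float, str]]] = []
    current: List[Tuple[float, str]] = []
    for ts, path in ordered:
        if current and ts - current[-1][0] > max_gap_seconds:
            clusters.append(current)
            current = []
        current.append((ts, path))
    if current:
        clusters.append(current)
    return [
        Burst(
            start=c[0][0],
            end=c[-1][0],
            count=len(c),
            sample_paths=tuple(p for _, p in c[:3]),
        )
        for c in clusters
        if len(c) >= threshold
    ]


# Constructed sample stream: three ordinary downloads minutes apart, then
# forty files dropped on the Desktop within two seconds (the carpet-bomb).
DESKTOP = "C:/Users/alice/Desktop/"
SAMPLE_EVENTS: List[Tuple[float, str]] = (
    [(0.0, DESKTOP + "report.pdf"), (300.0, DESKTOP + "photo.jpg")]
    + [(600.0 + i * 0.05, DESKTOP + f"drop{i}.tmp") for i in range(40)]
    + [(900.0, DESKTOP + "notes.txt")]
)


if __name__ == "__main__":
    for b in detect_download_bursts(SAMPLE_EVENTS):
        print(f"burst: {b.count} files between {b.start:.2f} and {b.end:.2f}, "
              f"e.g. {', '.join(b.sample_paths)}")
```

Tuning note: the gap and threshold defaults are assumptions; in practice they should be set from a baseline of the folder's normal creation rate, and the burst should be correlated with the browser process that wrote the files rather than treated as conclusive on its own.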

Reader Comments (Page 1 of 2)
Dave Wood said 11:04AM on 6-11-2008
Doesn't Firefox also save to the desktop on PCs?
Brandon Martinez said 10:51AM on 6-12-2008
Yeah, it does; and you know what? It really pisses me off. Why can't they *create* a Downloads folder under My Documents? I've always had to do it manually.
zerock said 11:10AM on 6-11-2008
I thought the default folder is the Downloads folder.
zerock said 11:11AM on 6-11-2008
Oops, never mind... this is for Windows, lol.
Jacob B said 11:12AM on 6-11-2008
It's also the default save location for Firefox.
I'd say it's a Microsoft problem. It's IE that actually makes the file run without permission.
However, I have to say, having the save location as the desktop is messy; how long until the desktop is covered with downloads? In Tiger all downloads go to a special download folder, nice and tidy. It should be the same in the Windows version. A Downloads folder in My Documents, along with a shortcut to it on the desktop, sorted.
Keeps the desktop tidy, and also solves Microsoft's problem for them.
brian said 2:03PM on 6-11-2008
But Firefox, by default (AFAIK, please correct me if I'm wrong) ASKS you "Do you want to save this file?" Safari just AUTOMATICALLY starts saving it to the default location. THAT is the problem. A page could have a hundred iframes with a hundred downloadable files and you'll wind up with a hundred files on your desktop.
Stevensnewest said 4:33PM on 6-11-2008
Vista has the same setup :P
Jacob B said 4:49PM on 6-11-2008
When I installed Firefox on a test machine this afternoon it didn't ask, it just started downloading it straight to the desktop.
Either way, not many people will change it from the default location.
Max Goedjen said 5:49PM on 6-11-2008
I've been playing around with the carpet bombing code, and it hits Firefox FAR worse than Safari. Safari will begin downloading them immediately, but Firefox throws up an endless stream of Confirm/Deny boxes, while downloading all the files as .part files.
Robert said 11:14AM on 6-11-2008
Will changing the download location fix the problem?
L8on said 12:50PM on 6-11-2008
Yes, it will.
Max said 5:50PM on 6-11-2008
It won't really, it just changes where all the files get sent to. So, in effect, you get an overpopulated Downloads folder instead of a Desktop full of files.
SlaunchaMan said 11:16AM on 6-11-2008
Of course Microsoft's suggestion is to avoid using Safari for Windows. It's like the old joke about the guy who goes to the doctor, raises his arm, and says, "Doc, it hurts when I do this!" The doctor looks at him and replies, "Well, don't do it then!" In this case, Microsoft is telling its users to avoid the problem altogether rather than attempt a patch. It just so happens that the "problem" is caused by the interaction between their competitor's browser and their own.
required said 11:39AM on 6-11-2008
I don't think that analogy is very apt. Apple is just as much at fault for not conforming to the environment it has put itself in. In other words, expecting Microsoft to bend over backwards to catch its unwelcome visitor is a bit of a stretch.
itsmeee said 11:25AM on 6-11-2008
This really isn't that big a problem. Most of the Windows users I know already have a desktop covered in icons, so they really won't notice the difference.
Andrew Rush said 11:52AM on 6-11-2008
Uh, did you read the article? The concern isn't that Safari downloads files to the desktop, making a messy environment. It's the fact that IE runs those files automatically, which is a big deal.
Shunnabunich said 4:06PM on 6-11-2008
Correction:
"This really isn't that big a problem. Most of the Windows users I know already have a system constantly under attack by malware, so they really won't notice the difference."
(I kid, I kid!)
clockworks said 11:30AM on 6-11-2008
Completely outrageous that it's MS's fault, yet they won't fix it and blame it on a competing browser.
SuperADAM said 11:36AM on 6-11-2008
I recommend not using windows.
dogdogdog said 11:38AM on 6-11-2008
I'm assuming the file name is one of those folder.htc or whatever files which were used to display HTML instead of the folder contents.
Surely then any folder you download files to is vulnerable on Windows... Therefore it's a problem with any program that doesn't ask you when you want to download anything.