Safari 'carpet bombing' attack code in the wild
The Safari "carpet bombing" blended-threat vulnerability discovered in May could be more dangerous for Windows users with exploit code available online. Mac users are not affected by the threat.
The exploit takes advantage of the fact that the Desktop is Safari's default download location. Pair that with a flaw in Internet Explorer that allows files of a particular name to be automatically run, and you have a situation where Safari downloads a file and IE runs it.
InfoWorld notes that the source code and demo were posted on Sunday. Apple, so far, has not commented on the InfoWorld story, and has no plans to alter Safari. Since downloading to the Desktop is Safari's only involvement in the threat, there doesn't appear to be any problem to correct.
Microsoft's problem, on the other hand, has to do with automatically running files that just happen to be named something IE cares about, which Microsoft has known about since 2006. Microsoft has not commented on the story either, but its suggestion is still to avoid using Safari for Windows.
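The blended threat above only works because many files can land on the Desktop without a prompt. A defender-side check, added here as an illustration (not code from the article or from Apple or Microsoft), flags a burst of file drops into a Desktop folder by a single process and lists which of them carry extensions Windows or IE might run or load on its own; the event records, thresholds and file names are constructed for this example.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions Windows/IE may execute or load without a click once the file sits
# in a searched folder such as the Desktop (constructed list for this example).
RISKY_EXT = {".dll", ".exe", ".scr", ".com"}

# Constructed sample of file-creation events: (ISO time, path, writing process).
SAMPLE_EVENTS = [
    ("2008-06-11T16:30:00", r"C:\Users\alice\Desktop\notes.txt", "notepad.exe"),
    ("2008-06-11T16:30:05", r"C:\Users\alice\Desktop\helper.dll", "Safari.exe"),
    ("2008-06-11T16:30:06", r"C:\Users\alice\Desktop\update.exe", "Safari.exe"),
    ("2008-06-11T16:30:07", r"C:\Users\alice\Desktop\readme.htm", "Safari.exe"),
    ("2008-06-11T16:30:08", r"C:\Users\alice\Desktop\setup.dll", "Safari.exe"),
    ("2008-06-11T16:45:00", r"C:\Users\alice\Downloads\photo.jpg", "Safari.exe"),
]


def is_desktop_path(path):
    """True if the file sits directly inside a user's Desktop folder."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) >= 2 and parts[-2] == "desktop"


def find_carpet_bomb_bursts(events, window_seconds=10, min_files=3):
    """Report each process that drops at least min_files onto the Desktop
    within window_seconds of its first drop; a real download prompt would
    make such bursts rare. Returns dicts: process, first_time, files, risky."""
    by_proc = {}
    for ts, path, proc in events:
        if is_desktop_path(path):
            by_proc.setdefault(proc, []).append((datetime.fromisoformat(ts), path))
    window = timedelta(seconds=window_seconds)
    bursts = []
    for proc, drops in by_proc.items():
        drops.sort()
        i = 0
        while i < len(drops):
            j = i  # extend the burst while drops stay inside the window
            while j + 1 < len(drops) and drops[j + 1][0] - drops[i][0] <= window:
                j += 1
            if j - i + 1 >= min_files:
                files = [p for _, p in drops[i:j + 1]]
                risky = [f for f in files if PureWindowsPath(f).suffix.lower() in RISKY_EXT]
                bursts.append({"process": proc, "first_time": drops[i][0].isoformat(),
                               "files": files, "risky": risky})
            i = j + 1
    return bursts
```

Running it over the constructed events reports one burst for Safari.exe; the single notepad.exe drop and the Downloads-folder write are ignored.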
Since Safari's default download location on the Mac is the user's Downloads folder, one would assume that it was Microsoft's idea for the Windows version of Safari to download to the PC desktop by default.
June 11 2008 at 4:35 PM
Gee, thank god I'm using Firefox on Ubuntu.
June 11 2008 at 4:30 PM
Ahh the usual TUAW FUD - conveniently ignoring certain facts to try and score points for Apple against Microsoft.
Here are the real two problems:
1) Safari can be made to AUTOMATICALLY download files with NO USER INTERVENTION.
2) Certain files will be run automatically by Windows.
Now both of these are very very bad things. However the BIGGEST problem is #1, the bug / feature in Safari.
Why is #1 the worst offender? Because even if Windows did not run files automatically I could still save something nasty called "Critical Update.exe", or "Information From Mum.exe", or even just "Please Click here.exe" and it would undoubtedly catch a lot of unwary users.
If #1 did not exist then #2, which is definitely bad, would not be so big a concern. However if #2 did not exist it's still possible to do nasty things to unwary users.
Well that is all well and good. But.....
1) As a user I don't always want to confirm that I want to do something.
2) Having a required pop-up to confirm your action over time causes users to click on the confirmation dialog box automatically. People will train themselves to quickly dismiss the dialog box.
EX: User installs software, software installer pops up the End User License Agreement (EULA), user clicks on agree without ever reading the EULA.
EX: User clicks on a link to intentionally download a file. Browser pops up a confirmation dialog box, user clicks yes without reading the dialog box. Over time whenever the user sees this dialog box they click yes.
I thought the actual issue is that even if you say that Safari has to prompt you before downloading or ask you where to store the file, it actually starts the download immediately (to the desktop). While you are searching for the right folder, the download continues. This is done to improve the user experience.
So I assume that if it's a small file it is already saved to the desktop while you're still figuring out where to save it. And then IE kicks in and executes the file...
What kind of websites are these guys visiting? I recommend laying off the warez sites if you're a n00b...
In reality Safari has a long way to go on Windows. And a Vista-esque "do you REALLLY want to download this file" box wouldn't be too much to ask from Apple. Windows users are so used to warning boxes, another one won't hurt. I'm sure this'll get fixed shortly.
IE on the other hand has so far to go... why do they bother? If anyone on that team actually CARES about web development, standards and all that good stuff I'd be amazed.
IE & FF don't download those files there = no problem
Safari does though, so if I was on a Windoze machine I'd simply uninstall Safari till it gets fixed.
Uh, this is as much Apple's fault as MS. Did everybody miss that the files are downloaded without the user's permission? Browsers shouldn't do that.
This is ridiculous. I had heard about the Safari flaw like a week ago and worried about Apple's reputation. Now actually reading about what the "flaw" is I'm shocked that TUAW of all blogs is even reporting it as such, instead of writing an article entitled "Microsoft Blames Gaping Windows Security Hole on Safari."
June 11 2008 at 12:05 PM
Maybe I'm still working on my first cup of coffee, but... what the heck does Safari have to do with this? The problem is obviously not the download location, it's the behavior of loading DLLs into IE that happen to be anywhere on your PATH. One would think that MS would see this is a big gaping security hole.
June 11 2008 at 11:47 AM
I recommend not using Windows.
June 11 2008 at 11:36 AM