Safari 'carpet bombing' attack code in the wild

Since Safari's default download location on the Mac is the user's Downloads folder, one would assume that it was Microsoft's idea for the Windows version of Safari to download to the pc desktop by default.

gee, thank god i'm using Firefox on Ubuntu.

Ahh the usual TUAW FUD - conveniently ignoring certain facts to try and score points for Apple against Microsoft.

Here's the real two problems;

1) Safari can be made to AUTOMATICALLY download files with NO USER INTERVENTION.

2) Certain files will be run automatically by Windows.

Now both of these are very very bad things. However the BIGGEST problem is #1, the bug / feature in Safari.

Why is #1 the worst offender? Because even if Windows did not run files automatically I could still save something nasty called "Critical Update.exe", or "Information From Mum.exe", or even just "Please Click here.exe" and it would undoubtedly catch a lot of unwary users.

If #1 did not exist then #2, which is definitely bad would not be so big a concern. However if #2 did not exist it's still possible to do nasty things to unwary users.

I though the actual issue is that even if you say that safari has to prompt you before downloading or ask you where to store the file, it actually starts the download immediately (to the desktop). While you are searching for the right folder, the download continues. This is done to improve the user experience.

So I assume that if its a small file it is already saved to the desktop while you're still figuring out where to save it. And then IE kicks in and executes the file...

what kind of websites are these guys visiting? i recommend laying off the warez sites if you're a n00b...

in reality Safari has a long way to go on windows. and a Vista-esque "do you REALLLY want to download this file" box wouldn't be too much to ask from Apple. windows users are so used to warning boxes, another one won't hurt. i'm sure this'll get fixed shortly.

IE on the other hand has so far to go... why do they bother? If anyone on that team actually CARES about web development, standards and all that good stuff i'd be amazed.

IE & FF don't download those files there = no problem

Safari does though, so if I was on a Windoze machine I'd simply uninstall Safari till it gets fixed.

Uh, this is as much Apple's fault as MS. Did everybody miss that the files are downloaded without the user's permission? Browsers shouldn't do that.

This is ridiculous. I had heard about the Safari flaw like a week ago and worried about Apple's reputation. Now actually reading about what the "flaw" is I'm shocked that TUAW of all blogs is even reporting it as such, instead of writing an article entitled "Microsoft Blames Gaping Windows Security Hole on Safari."

Maybe I'm still working on my first cup of coffee, but... what the heck does Safari have to do with this? The problem is obviously not the download location, it's the behavior of loading dlls into IE that happen to be anywhere on your PATH. One would think that MS would see this is a big gaping security hole.

I recommend not using windows.