Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Apple Fixes Safari "Carpet Bomb" Windows Vulnerability

Posted by kdawson on Fri Jun 20, 2008 09:15 AM
from the no-more-carpet-tax dept.
Security Businesses Apple
Titoxd writes "Apple has released a new version of Safari that fixes the carpet bomb vulnerability in Safari 3.1 for Windows. This comes in the heels of Microsoft recommending against using Safari in Windows, as well as the release of code exploiting this vulnerability."
+ -
story

Related Stories

[+] Apple: Microsoft Urges Windows Users To Shun Safari 502 comments
benjymouse writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to 'restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.' This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Essentially, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem." Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you.
[+] Apple: Safari "Carpet Bomb" Attack Code Released 118 comments
snydeq writes "A hacker has posted attack code that exploits critical flaws in the Safari and Internet Explorer Web browsers. The source code can be used to run unauthorized software on a victim's machine, and could be used by criminals in Web-based computer attacks, security experts say. The public example of the attack code allows attackers to litter a victim's desktop with executable files, an attack known as 'carpet bombing.' In combination with bugs in Windows and Internet Explorer, attackers can run unauthorized software on a victim's computer."
Firehose:Safari "carpet bomb" Windows vulnerability by Titoxd (1116095)
[+] Safari "Carpet Bomb" Attack Still a Risk 117 comments
SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Apple Fixes Safari "Carpet Bomb" Windows Vulnerability 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • You mean? (Score:5, Funny)

    by Centurix (249778) <mrjolly AT optusnet DOT com DOT au> on Friday June 20 2008, @09:19AM (#23871981) Homepage

    You think the carpet bombers did this?
    Face it man, that rug really tied the room together...

  • I installed the update... (Score:4, Funny)

    by Anonymous Coward on Friday June 20 2008, @09:23AM (#23872025)

    And my computer rebooted into OS X. Not that I mind, really.

  • Did they fix the bug where Safari installs as an iTunes update? I'd say that that is a fairly severe bug right there.

    • Re:But did they fix the real bug? (Score:5, Informative)

      by tokul (682258) on Friday June 20 2008, @09:53AM (#23872479)

      Did they fix the bug where Safari installs as an iTunes update?
      New (released more than one month ago) Apple Software Update has two sections. One for updates and other for new software. When Safari was introduced, Software Update had only one section.

      • Re:But did they fix the real bug? (Score:4, Informative)

        by Briareos (21163) * on Friday June 20 2008, @10:27AM (#23872929) Homepage

        New (released more than one month ago) Apple Software Update has two sections. One for updates and other for new software.
        Last I checked the "new" software was still checked by default - and I really don't feel like installing anything that ASU comes with right now. So does anyone know if they finally fix THAT idiocy?

        np: Seabear - Sailors Blue (The Ghost That Carried Us Away)

        • Re:But did they fix the real bug? (Score:5, Insightful)

          by 99BottlesOfBeerInMyF (813746) on Friday June 20 2008, @10:58AM (#23873365)

          Last I checked the "new" software was still checked by default - and I really don't feel like installing anything that ASU comes with right now. So does anyone know if they finally fix THAT idiocy?

          Why would they need to "fix" it. It is operating as they prefer it, the same as all the software MS includes in Windows that most of us would prefer we did not have to install. Is it so difficult for you to uncheck that box if you're performing an update?

          • Re:But did they fix the real bug? (Score:5, Insightful)

            by torchdragon (816357) on Friday June 20 2008, @11:29AM (#23873813) Homepage

            Yes.

            Recently, the Java update software has begun asking for the Open Office installer to be installed on the system during an update for Java. Several users at my company have clicked straight through and added more crap to their desktop/registry/uninstall information.

            Can we blame the users for not reading every detail and not unchecking a checkbox? Yes.
            Can we also blame software vendors who are relying on the aforementioned user behavior to add their software to your computer on the sly? Yes.

            Its a bad practice and it needs to stop.

            If something is required for the operation of a software package, default to selected.
            If something is optional or not required for the operation of a software package, default to unselected.

            Why are we allowing marketing to override good engineering?

          • Re:But did they fix the real bug? (Score:5, Insightful)

            by lusiphur69 (455824) on Friday June 20 2008, @11:38AM (#23873961) Homepage

            The real question is why are you defending Apple's unethical bundling - when the same is performed by Microsoft we criticize it. Call a spade a spade or you look foolish. Face it, this kind of practice is unacceptable, whether or not it comes from your favorite company.

            Is it so difficult for you to uncheck that box if you're performing an update?
            For me, no. For millions of uneducated end users, it is. Get it?

              • Re:But did they fix the real bug? (Score:4, Insightful)

                by Anonymous Coward on Friday June 20 2008, @01:36PM (#23875735)
                No, it isn't like that. IE7 is an upgrade to something already installed and, to most end-users, in use. Safari is an entirely new piece of software. There's a difference, whether you like it or not.

  • What a stupid vulnerability (Score:3, Insightful)

    by sakdoctor (1087155) on Friday June 20 2008, @09:33AM (#23872167)

    It's pretty common that some badly configured web server will send content to me that firefox will then ask if I want to download.

    Just letting it download and then moving on to the next file is...well such an obviously stupid behaviour.

    Also, please don't let carpet bombing become the next security buzzword along with bricking and zero-day.

      • Apple's solution is to let things download, but put them in the downloads folder and flag them as untrusted content from the internet (well not flag them as trusted, since the default is untrusted). That is to say, that is their solution on OS X. On Windows, there is no download folder and for some reason they screwed up and did not flag it as untrusted in Vista (XP does not support that either). In my mind, their solution on OS X is superior, because it also helps solve the problem of executables masquerading as data.

        Actually, Windows has this as well.

        If you download a file using Internet Explorer, an NTFS file attribute is set that marks it as "downloaded - untrusted". Double click the file and you get a popup asking "DO you want to run this executable?" with a popup and showing the executable properties (signed by, etc). Problem is, it requires that you run NTFS, and if you copy the file to a network server, that network server to support extended attributes. Use Firefox or other browser, and the attribute isn't set, or copy to a fileserver that doesn't support extended attributes, and it's lost.

        (Most frustrating when you have to apply 12+ patches to a program that Microsoft Update doesn't have support for. I wrote a little bash script that shells out cmd.exe (was an MSI file) to do this, but you're still left with these popups).

        As for OS X, I believe these notifications started in Leopard. They too are extended attributes, I believe. Though I think OS X copies attributes to filesystems/servers that don't support them by using dotfiles, so copying the file around doesn't get rid of it. (It goes away after you've approved it, though. No reason why Apple couldn't figure out what flag IE sets and have Safari do same on Windows, either.

      • Re: (Score:3, Informative)

        by Shados (741919)

        Actually, Vista -does- have a specific Download folder now, for the record.

  • Hmm? (Score:5, Insightful)

    by koinu (472851) on Friday June 20 2008, @09:38AM (#23872221) Homepage


    Safari downloads files (e.g. dynamic libraries) in user directories where the Internet Explorer could autoload them on start. Isn't the bigger problem within Internet Explorer? Why did Microsoft setup a library path to a user's directory at all?

    • Microsoft's library path ALWAYS goes through the current directory. For some obscure reason that IE icon on the Desktop, the one that isn't a shortcut but is actually something special Microsoft added back in 1997 to make it harder to remove IE, runs IE on the Desktop instead of in the IE install directory, the way it would if it was a shortcut.

      It's all a side effect of Microsoft's shenanigans when they tried to use browser-desktop integration to make an end-run around their agreement with the US DoJ. That they've convinced people that the big news is a bug in Safari that makes it slightly easier to take advantage of this problem is, well, bizarre.

      And now you know the rest of the story.

      • You can't get around this by avoiding the "special" IE icon, though. You can make a real shortcut, set the working directory to whatever you want, or even launch IE from its own program directory from a command prompt, and it will still consider the desktop to be the current directory.

        As a fun experiment,

        • copy cmd.exe to the desktop and rename it to notepad.exe
        • launch IE the "safest" way you can think up
        • view page source
        YRMV, but in my tests with IE 6 and 7 in 2k and XP, it will launch the command prompt instead of notepad, and you can see the current directory and the stuff it prepends to the PATH variable.

        Until this is fixed in IE, I recommend copying notepad.exe and all your system .DLLs from the system32 directory onto each user's desktop, and use an ACL on each one to make sure your users do not have permission to overwrite them. No, seriously. (Or you could just use another browser.)

        • Re: (Score:3, Funny)

          by argent (18001)

          You can make a real shortcut, set the working directory to whatever you want, or even launch IE from its own program directory from a command prompt, and it will still consider the desktop to be the current directory.

          Whiskey Tango Foxtrot?

          Every time I think I'm being to hard on Microsoft, that I'm just being a cynical old fart, I come across something like this.

          Holy Mother of Turing, what were they thinking of?

    • Re: (Score:3, Interesting)

      by CODiNE (27417)

      This issue has been avoided in UNIX systems for decades I believe. I remember when I was first learning about the command-line that I thought it was strange you couldn't just compile a new program and type $ a.out to launch it. That's because the current directory is not in the path. You have to type $ ./a.out to get the executable seen. The reason this is a system default is to prevent someone sneaking in a malicious copy of a system command such as ls into a directory where you'd accidentally use the fake

  • Damn... (Score:3, Funny)

    by PawNtheSandman (1238854) on Friday June 20 2008, @09:48AM (#23872403)
    All I know is if someone broke in my apartment and pissed all over my rug, I'd be pretty upset.

    • The actual vulnerability is that Safari downloaded files without the user's permission. Trying to make this a Windows issue smacks of fanboyism.

      • It isn't a mutually exclusive situation. There are two disparate vulnerabilities here. By themselves they aren't that big of a threat , but when used in concert the threat is greater than the sum of it's parts. You need the IE issue to load the compromised dll and you need Safari in order to "secretly" download the compromised dll in the first place.

      • Re:Did Microsoft fix the vulnerability in IE? (Score:4, Insightful)

        by gad_zuki! (70830) on Friday June 20 2008, @01:24PM (#23875553)

        How did safari even get on most of those computers. I think people are seriously missing the big issue here.

        Imagine if Netscape won the browser wars and you installed Windows Media Player which later on, in the middle of then night, downloaded and installed IE for you. If Office 2008 did this on OSX there would be riots in the street. When Apple does it, its of course Microsoft's fault.

        Granted, there's a lot of blame to go around, but claiming this is a MS problem is being pretty unfair and only shows up that Apple can do anything, and few will complain.

      • The actual vulnerability is that Safari downloaded files without the user's permission.

        Asking for permission before doing something that may potentially lead to a security exploit is no protection at all. Seriously. In the eight years between the time Microsoft introduced the browser-desktop merge, and the time I quit being a system admin and went back to programming, I had many many cases where some user (and these weren't dumb users, these were engineers and programmers with PhDs and patents to their name) would come to me and say "Peter, I just clicked the wrong button again, and I think I have a virus". That "again" is important. That means that they have the "Windows pops up stupid dialogs all the time so I have to approve this one" reflex burned into their cortex.

        A user is not going to realize that a web page asking to download "someobscuregibberish.dll" is attacking them.

        Stupid permission dialogs are no protection.

        The actual vulnerability is twofold:

        1. The path goes through the current directory by default, and it goes through the current directory first.

        This is something that UNIX used to do, and it was widely recognized as a BAD idea by 1980. MS-DOS wasn't even out yet, let alone Windows.

        2. The default download directory is the default directory of any program, let alone a program that is run virtually every time you log in.

        This one is, well, beyond stupid. This is like having the mailslot in your front door connect to your safe deposit box. The directory that is MOST likely to contain malicious code is the one that you're MOST likely to be running code from on any given day.

        Trying to make this a Windows issue smacks of fanboyism.

        Name one other operating system or application where downloading files to the default download folder would cause them to be run, under any normal circumstances. The whole idea is completely insane.

    • Re:Amazed at the hubris in these comments (Score:4, Interesting)

      by 99BottlesOfBeerInMyF (813746) on Friday June 20 2008, @10:55AM (#23873327)

      Surely anyone with half a brain HAS TO ADMIT that the Safari vulnerability is FAR WORSE than IE setting it's current path to the windows desktop.

      Certainly not for the average Slashdot user and arguably not for anyone. Safari won't overwrite a user's existing icons, just add new ones. I also opens a download manager so users know something is being added. There are some pretty ignorant users out there, but not many that won't take not that some random Web site is downloading something called "Firefox.exe" to their desktop with an icon that looks just like their Web browser's. Finally, I notice you use the present tense. The ability to do this in Safari has been fixed, whereas the flaw with Windows has not. So, yeah I'd say the flaw in Windows is currently a FAR WORSE vulnerability, as you put it.

      The main thing here, is the Safari flaw requires user interaction to work by itself, which means you have to manage a social engineering feat and get people to do something (double click and icon). With the flaw in Windows, any download from any source that they can get on a user's desktop can be automatically run.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.