Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Businesses Apple

Safari "Carpet Bomb" Attack Still a Risk 117

SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."
This discussion has been archived. No new comments can be posted.

Safari "Carpet Bomb" Attack Still a Risk

Comments Filter:
  • by LenE ( 29922 ) on Saturday June 21, 2008 @05:11PM (#23889195) Homepage

    It implies that Safari still has major problems, while the summary clearly states that this issue (that was discovered in Safari), is now found to affect FireFox 2/3. Further, it implies a situation completely opposite of what is stated lower in the summary, that Apple did a good first pass at squashing the attack, and that it is now better understood.

    I think a more accurate headline would have stated that FireFox was found to be not immune to a security problem found in IE and Safari. Unfortunately, this would imply that there is a problem with an OSS piece of software (which will quickly be fixed).

    -- Len

    • Unfortunately, this would imply that there is a problem with an OSS piece of software (which will quickly be fixed).
      Which is why it wasn't reported as such on /.
      • by Lars T. ( 470328 )

        Unfortunately, this would imply that there is a problem with an OSS piece of software (which will quickly be fixed).
        Which is why it wasn't reported as such on /.
        Let me get this straight - vulnerabilities in OSS don't need to get reported to the public, because they will get fixed quickly, so nobody will be vulnerable even before they actually update to the fixed version?
    • It implies that Safari still has major problems, while the summary clearly states that this issue (that was discovered in Safari), is now found to affect FireFox 2/3.

      The way I read it is that the Safari bug has been fixed to his satisfaction, but that users who haven't patched it and who use Firefox are at an even greater risk due to a new interaction he discovered that means if the attack works and you have Firefox, it can also steal arbitrary files from your computer. Further, it implies that if an attacker has another way to get random files onto your desktop or wherever, he can probably use Firefox to steal files.

      I think a more accurate headline would have stated that FireFox was found to be not immune to a security problem found in IE and Safari.

      I disagree. I think this is a separate flaw in F

    • Re: (Score:2, Insightful)

      So, there's a couple of issues here. The first is that you can place files on the user's desktop. This IS (or at least was) Safari's problem. All it takes is crafting a file that has an icon that looks like IE or your recycle bin, or whatever else and someone double-clicks to getting owned. The second issue becomes the blended attack. So using Safari to place the file, then something else to kick the file off. This is where IE originally came in, but Microsoft patched that, then now we have FF 2/3. I
      • by Lars T. ( 470328 )
        For the nth time - Safari tags its downloads (from XP SP2 on), so if you get fooled into trying to run notIE, Windows will tell you it was downloaded from the internet - and if you'll ignore that, you'll also ignore it when Firefox asks you if you actually want to download "Firefox.exe".
    • Re: (Score:1, Insightful)

      "I think a more accurate headline would have stated that FireFox was found to be not immune to a security problem found in IE and Safari."

      Alas, nothing could be further from the truth. Ask yourself these questions:

      1. Is Safari on OS X vulnerable?
      2. Is Firefox on Linux vulnerable?
      3. Is IE running under WINE on Linux vulnerable?
      4. What is the common denominator for all of these vulnerabilities?

        Obviously, the security flaw is in Windows.
      • OK, I was wondering if twitter is a nutcase or if there really are a bunch of M$ shills running around here. This post proves, at least to me, that the latter is the case. Here is the mod history so far:
        • 40% Troll
        • 30% Interesting
        • 30% Overrated

        Since there is no way in hell that anyone could consider the above to be a troll, and the most it ever got was a +1 interesting which someone else modded with an overrated, I am now 100% convinced that there are paid M$ shills here on Slashdot.

    • Re: (Score:3, Interesting)

      by jackjeff ( 955699 )

      I still fail to understand why downloading files to the desktop is a major security problem...

      That's quite funny that Microsoft urged Apple to fix this, whereas the actual failure was in IE7.

      It's not the job of Apple or Firefox (we don't know about this bug anyway) to fix everyone else (Microsoft) security problems.

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        If you want unrelated (possibly malware crap) files scattered all over your desktop because you surf the web you are free not to patch.

        I can't really see why you think thats such a good idea though.

  • by commodoresloat ( 172735 ) * on Saturday June 21, 2008 @05:14PM (#23889227)

    Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue.
    Seems sensible; I always thought this was standard practice with vulnerabilities. It helps ensure that at least the company who introduced the vulnerability has an opportunity to release a patch before the attack vectors are in the hands of every script kiddie around. It's definitely an approach the poster of this story [slashdot.org] should have considered.
    • by bunratty ( 545641 ) on Saturday June 21, 2008 @05:28PM (#23889351)
      It's called responsible disclosure. You'd be surprised at the number of people around here that advocate full disclosure, that is, telling the whole world all the details of a security problem as soon as you find it. The ones who advocate it keep saying it somehow allows users to protect themselves. On the other hand, it seems like everyone who practices full disclosure has a l33t hacker name and is looking for attention, and not at all concerned with anyone's security.
      • by Vectronic ( 1221470 ) on Saturday June 21, 2008 @05:43PM (#23889445)

        Well, there is two sides to that coin...

        A "1337" user, may want full disclosure, so that he can patch his software immediately, and maybe other people who run the same software (White Hat)

        Another 1337 user, may patch his own software, and then begin to propagate a script to take advantage of unpatched software (Black Hat) which, could be for a sort of Grey Hat intention, "see? fix it!" or simply for malicious intent.

        The problem with Full Disclosure, is that you can't inform everyone, or update everything instantly, so it only helps those in the know (which isn't many), so partial/non-disclosure is generally better (in consumer products), but Full Disclosure would be appropriate for a closed network, non-consumer software.

        Somewhat redundant, but had to comment.

        • Re: (Score:2, Interesting)

          It's not just that though. You make great points that an advanced user can likely find a work around for some issues and SHOULD have the right to fix an issue if possible (thus requiring full disclosure). The other thing to consider here, a lot of vendors are in the freaking prehistoric period when it comes to addressing issues. Originally, Apple decided NOT to fix this issue, because you could only put executable content on a user's desktop. I mean, by itself, that's still a big issue. When vendors ta
  • by IrrepressibleMonkey ( 1045046 ) on Saturday June 21, 2008 @06:19PM (#23889675)

    Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue.


    It wouldn't be the first time I got the wrong end of the stick, but Rios blog seems to suggest that he has discovered a way to use the original "Carpet Bomb" issue with Firefox to steal user data.

    He states that Apple have fixed their part, but seems to be saying that he won't reveal the Firefox issue because...

    Mozilla is working on the issue and they've got a responsive team, so I'm sure we'll see a fix soon.

    So what are Apple supposed to be patching or responding to?

    Anyone else read the article (that way)?
    • by rob1980 ( 941751 )
      I'm a little confused too, but my understanding coming away from reading the article is that Safari is still required to execute the exploit and that if a user had Firefox but not Safari on their computer, they would not be vulnerable at all.
      • by Lars T. ( 470328 )

        I'm a little confused too, but my understanding coming away from reading the article is that Safari is still required to execute the exploit and that if a user had Firefox but not Safari on their computer, they would not be vulnerable at all.
        In the same way that IE is not be vulnerable to call a DLL on the Desktop, unless it is downloaded with Safari - IOW very much so?
    • by 99BottlesOfBeerInMyF ( 813746 ) on Saturday June 21, 2008 @07:40PM (#23890199)

      It wouldn't be the first time I got the wrong end of the stick, but Rios blog seems to suggest that he has discovered a way to use the original "Carpet Bomb" issue with Firefox to steal user data.

      Yup, so if you can get a file onto the desktop, you can steal data from people with Firefox installed... in some unspecified way. At least that is how I read it.

      So what are Apple supposed to be patching or responding to?

      I don't see that Apple is supposed to be responding to anything at this point. I don't think his blog implied that they were.

    • Rios may have a DIFFERENT way of placing files onto the desktop, or a DIFFERENT leverage point for the Carpet Bomb attack that becomes useful when using FF 2/3. It is hard to understand, the fact that it is a "blended" attack with two different browsers yields a lot of possibilities. Until Rios releases details, we'll have to speculate.
    • He says that the attack he has found can be made without the carpet bomb...

      Just as the attack on IE can.

      Apple fixing the download-without-prompt attack won't do anything to fix the underlying problem, that just having a file sitting around in the default download directory on Windows can lead to code execution.

      I suspect that the Firefox problem is similar.

  • by plasmacutter ( 901737 ) on Saturday June 21, 2008 @08:23PM (#23890489)

    The "carpet bombing" attack as i've heard it described is not a software flaw at all.

    so they build a site that initiates a large quantity of downloads to your computer.. so what.

    it's nothing more than being an a-hole web designer.

    the fact it ends up on your desktop is because the user didn't change the windows default settings, and anything that happens from that point on regarding "accidental execution" of one of these littered files is the user's fault.

    Why do we need a software nanny state. It's really disgusting that because of stupid people I have to go through 3 separate nags in osX in order to perform mundane tasks.

    I'm sorry but user stupidity is not a valid excuse to make every app behave like clippy! "are you sure you want to do this?" "really?" "are you absolutely sure?"

    • Who modded this guy insightful?

      Who is this guy to think that the market should be catering to him instead of the millions of other people who aren't as wise with computers?

      I think you are confusing stupidity with ignorance which is a big mistake. Just because someone isn't wise to all of the risks and no-nos in computers doesn't mean they are stupid. How much do you know about quantum physics or hispano-arabic literature? Because you lack knowledge in a field doesn't make you stupid.

      The future of compute

      • How much do you know about quantum physics or hispano-arabic literature?

        I know enough to not touch the glowing substance in the lab when I don't know what it is because it might be hot, or highly unstable.

        Because you lack knowledge in a field doesn't make you stupid.

        In any browser when you initiate a download voluntarily it gives you a little window telling you the name and size of the file you are saving and where it is being saved to. If any file is not one you recognize, you are an IDIOT to reach out, touch it, and set it free on your computer.

        Everyone who wasn't an idiot learned not to do this when they were a toddler and reached o

    • by brunes69 ( 86786 )

      No web browser should be able to download files to your computer without your approval.

      NONE.

      There is no excuse for this retarded behavior of Safari. No web browser except Safari ever allowed this.

      • When I click on a hyperlink, I want what its linked to to come down..

        what do you want me to do, plead with curse to give me my addons?!

        The problem is not apple's problem, hell it's not even microsoft's.

        the problem is these people are misrepresenting a hyperlink as a web page when it's really a direct download link.

        This does not mean I should be nagged because people are too dumb to say "I didn't request this file so i wont open it"

      • No web browser should be able to download files to your computer without your approval.

        NONE.

        There is no excuse for this retarded behavior of Safari. No web browser except Safari ever allowed this.

        Except Internet Explorer, but it's not so kind as to leave evidence of its downloading on your desktop. :-)
  • by Penguinisto ( 415985 ) on Saturday June 21, 2008 @11:23PM (#23891507) Journal

    ...err, what is Microsoft doing to fix their end of the problem? I mean, this (IIRC) only works if the victim has Microsoft Windows as their OS.


    I mean, this isn't specifically to slam MSFT, but the guy who discovered this works... for Microsoft. The attack vector stops cold if the user is on OSX and/or Linux, but does work in Windows.


    So, umm... what's Microsoft doing about this (assuming they can), Mr. Rios?

    /P

  • I am sick of seeing MSFT trying to pass the buck on a Windows security issue.

    When is MSFT going to implement cross-browser flagging of downloaded executables? When is MSFT going to patch IE to stop it from loading arbitrary DLLs from the desktop?

    • SO they did fix it. Open your fucking eyes. The blended flaw with IE is already fixed. Now theirs a blended flaw with Safari and Firefox. M$ can't fix Apple's shitty code on their OS.
      • Re: (Score:2, Informative)

        Angry much?

        Your summary for the article is wrong. I'd keep my head down in your position.

        Microsoft have not fixed anything. Apple fixed the Safari "Carpet Bomb" issue.

        The IE execution issue is still active. Rios is just pointing out that Firefox can also be used to exploit the Safari issue, if the current Safari patch is not deployed.

        So just to re-cap: Apple's shitty code is fixed. Microsoft and Mozilla's shitty code needs fixing.

        Posting a summary on Slashdot claiming that there is still a
        • Surely I am. I get tired of fighting arguments about who's OS is better. It really doesn't matter, the point is that there's a security issue. My understanding is that IE has had a patch released, but I could be wrong on that, but either way it is on the way. Apple has "fixed" the Safari Carpet Bomb issue, but Rios has said that it is still not truly fixed and that there is still ways to place files in predictable locations. This came in communication with the author of the original article.
  • Except that NOTHING is clear:

    http://xs-sniper.com/blog/ [xs-sniper.com]

    He is saying that the "Carpet Bomb" issue IS fixed, but that he is aware of three other methods to exploit interaction between Safari and Firefox.

    He is giving out no details, no work-arounds and no advice on how to protect yourself. It's all a little bit vague.

    I'm starting to suspect Shenanigans.
  • This should be easy to patch: STOP USING WINDOWS!!

  • I'm finding this new messaging system well-nigh impossible to use.

  • Safari has a lot of things wrong with it. Firefox is a much better system. -Alan B Fabian

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...