Safari "Carpet Bomb" Attack Still a Risk 117
SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."
Re: (Score:3, Informative)
Assuming for a second you are not [slashdot.org], it's very telling that your reply is exactly 2 minutes after twitter's post. More importantly, what exactly is the point of your reply? "Good on you"? More likely you are simply replying to your own post to see if you can bring attention to it, which is a game you've been playing for a while [slashdot.org] now.
being blown out with malicious moderation
I don't see anything malicious about this [slashdot.org], you are being moderated negatively because you d
Re: (Score:1)
I'm sorry, I can't even understand what you're trying to say there.
If by "remote code execution", you mean running downloaded files, any OS will do that.
Re: (Score:1)
Though really, if you could remote execute code, why bother running FTP to download it? That's just redundant.
Re: (Score:2)
Yes, we are all sick of this, so stop it. (Score:1, Offtopic)
You're right, everyone is tired of this conversation. So why don't you JUST FUCKING STOP.
Seriously, it's old now. If you want to avoid being modded down for shilling yourself, why don't you stop fucking shilling yourself. Pick an account, any account. Maybe Odder, seeing as it seems to have the most karma right now. After that, stop lying and talking bollocks and you may find people start respecting you again. Until then, cut the shit and stop whining, just because people have figured out this pathetic litt
Re: (Score:2)
OHNOES THE TROLL ZOO!!!111!!!1!! Worried I'll threaten to kill you again, Twit?
You really are a complete prick.
Re: (Score:2)
Anti-Slash? That's fucking priceless. Neither you nor Slashdot are important enough for me to spend money on.
Re:News Flash: Windows is still a risk. (Score:5, Informative)
Twitter, I have a reasonable request for you: please stop the sockpuppetry and, more importantly, please stop the trolling.
You seem to take every chance you get to hijack a thread and turn it into Microsoft or Windows bashing, even when it's not the issue at hand. This doesn't help anybody. It especially doesn't help your cause of advocating Linux, and I don't know why you think it does. As a Linux user and advocate (Debian, lenny, if you must know), I wish you would stop. There are far more useful and intelligent ways to spread Linux.
You also use your sockpuppets to try to lend legitimacy to your posts. This definitely doesn't help your cause at all. This pretty much only serves to disrupt slashdot and cause people to turn against you. Everything all of your sockpuppets say could just as easily be said by a single person. The more legitimate posts could definitely be said by a single person, and you might actually get modded up once in a while.
Your habit of accusing everyone who disagrees with you an idiot or a paid troll doesn't help either. The former makes you appear to be an arrogant asshole, as it implies that your opinion is correct, period, and no other opinion is at all legitimate. The latter makes you appear paranoid. This definitely doesn't help you.
So, I have one reasonable solution for you, and I highly suggest you take it: make one more new account. Stop using the twitter account and all of the sock puppets. Never mention twitter or the sock puppets with the new account. Pretty much, ignore your entire slashdot history. Stop hijacking threads into Microsoft bashing. Stop calling Microsoft "M$". I can't really instruct you to change your writing style, so it's entirely likely that people will catch on that it's you again.
As long as you follow my advice in whole, they most likely won't call you on it. Most people here are reasonable, and they'll be happy to live and let live. Hell, if you follow my advice in full and people insist on stalking you, I will personally do my best to stop them. If that includes ruining their karma, so be it (I get 15 mod points at a rate of about once per week, so it wouldn't be particularly hard), but I'd rather not go that route.
Please, just take this advice, and we can make Slashdot a better place for everybody.
Re: (Score:2)
I have a better solution.
How about people stop replying going "This is a Twitter sockpuppet!" because
a) Nobody fucking cares
b) if all of these names are supposedly sockpuppets, replying and pointing it out FEEDS THE TROLL.
Of course, expecting this to happen is futile, so all I've done is write a special greasemonkey script. Anyone that replies and points out supposed Twitter sockpuppets have their posts disappear from my view permanently, because not even adding foes is enough to block the idiocy.
Re: (Score:2)
Re: (Score:2)
Let's assume for a moment that you are not in fact twitter, but are merely some other person with an identical writing style, identical view points, and identical paranoia and who just happens to post in the same threads as twitter sockpuppets with an alarmingly high frequency.
Hello, ibane. Please, tell me why you think Microsoft would invest money in downmodding twitter, of all people. Think what you want about Microsoft, but the one thing we can all agree that they know is marketing and PR. They know
Re: (Score:1)
Why is Microsoft like it is, greedy, criminal and focused on PR instead of product? Because it worked for them once and they are incapable of anything else.
Do you have a better reason for the attack on Peter Quinn? How about Peter Gutmann? Why does M$ hate, smear and seek the distruction of Google, Wikipedia, GNU/Linux and OLPC?
Microsoft is here and they have many accounts which they abuse. It's not easy for them but the comments section is filled with endorsments of their crap and flames for everytin
Re: (Score:2)
I'm not denying that they're focused on PR; it's rather obvious they are. but that's ignoring my question: why would they care about twitter? Twitter is a single voice on slashdot that already annoys people who are part of the Open Source movement. Slashdot, of all places. The prevailing opinions on slashdot are either pro-open-source or pro-use-whatever-tool-gets-the-job-done. It's not exactly like downmodding twitter
Re: (Score:2)
See twitter, here's the problem. You're carrying on a conversation with someone who is trying to get you to come to your senses, and the only thing you're capable of is to continue to claim Bill Gates has a personal vendetta against you, equate yourself with people who actually do contribute good things to free software, and continue to deny that you have no sockpuppets.
The premise of your argument is invalid, therefore
Re: (Score:2)
No, of course [slashdot.org] you're not [slashdot.org].
Re: (Score:1)
Discarding your paranoid fantasies of my employment by Microsoft, it's important to note that for years you were called once and again on the lies and fabrications you post to Slashdot, and all you did was insult everyone that questioned your righteousness, or simply try to ignore anything that made you uncomfortable. If anyone wants proof of this outside of Slashdot all they need to look at is this [wordpress.com]. You never did reply to Bruce Byfield there, di
Re: (Score:3, Insightful)
With how MS worded the first attack. (Which was only made usable by faults in MS software.) It would be equivalent to MS shipping a piece of software that changed all your passwords to "password" if you installed Firefox or Safari. Then releasing a statement that reads something like "Firefox and Safari put Windows at a security risk."
Re:Somehow, I know MS/IE is behind the FF flaw (Score:4, Insightful)
exactly, this is the fault of Microsoft using "secret" files do fire off IE in the background. Stuff like autoexec on CD roms might use this to start up the program when the directory becomes available. That's a STUPID action to take!!!! Microsoft's only response is RTFM (that we didn't write) and have every program that might download something check for that file name and not download it.
Safari didn't respect the file systems "secret" files and to top it off downloads them without asking first, that in itself is a mistake... but again, it's something that Apple's software will block running until a user approves... that Microsoft doesn't support! Oh the fun!
Wonder what the fun is with Firefox? By default Safari downloads to "desktop" so what special options would Firefox use if it was the default browser?
Re: (Score:1)
Re: (Score:2)
but that's exactly what's going on. The OS fires off IE whenever certain special file names are present... ever... Microsoft's products know this and "just don't do that". Safari developers can't seriously be expected to remember every single special file ... but they allow unconfirmed downloads to a very common special directory.
The response from Microsoft was simply to "not download" those type of files... that was the official response!!! Apple responded with "don't run junk by default", our developer
Re: (Score:3, Interesting)
bah, if you want bad analogies...
The first attack was more like this...
Whenever you (the user) visit some guy's house (a website), I (Safari) will automatically dump scorpions all over your face (desktop). Luckily, they're quite docile little scorpions so as long as you don't touch them (run the downloaded files), you'll be fine.
But then along comes my roommate (Internet Explorer), grabs one of the scorpions and plants it stinger smack dab on your jugular.
Clearly, then, my roommate is to blame. So, never
Re: (Score:2)
Re: (Score:1)
Is the headline a bit sensational? (Score:3, Insightful)
It implies that Safari still has major problems, while the summary clearly states that this issue (that was discovered in Safari), is now found to affect FireFox 2/3. Further, it implies a situation completely opposite of what is stated lower in the summary, that Apple did a good first pass at squashing the attack, and that it is now better understood.
I think a more accurate headline would have stated that FireFox was found to be not immune to a security problem found in IE and Safari. Unfortunately, this would imply that there is a problem with an OSS piece of software (which will quickly be fixed).
-- Len
Re:Is the headline a bit sensational? (Score:5, Informative)
Re: (Score:1)
I read the blog post as identifying a new way to exploit the original "Carpet Bomb" issue with Firefox instead of IE.
I don't read anything about a new issue in Safari 3.1.2 in Rios's post.
ZDNet are reporting it as a new Apple issue: http://blogs.zdnet.com/security/?p=1319 [zdnet.com]
but I'm not sure they're right.
Re: (Score:3, Informative)
Notice the phrase "in conjunction" - that means you need to exploit the carpet bombing bug in safari...thereby uncovering a security problem in firefox that allows you to "steal" files.
Re: (Score:3, Informative)
Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue.
From the article:
Mozilla is working on the issue and they've got a responsive team, so I'm sure we'll see a fix soon.
Telling people to RTFA doesn't really help. The Firefox issue that Mozilla is working on CAN be exploited with the now patched Safari "Carpet Bomb" bug.
But that doesn't mean you NEED to use Safari to exploit the Firefox bug. Presumably you can use any method to download a rogue file to the users desktop.
Sometimes you need to do more than RTFA. We're just trying to understand the issue.
Clearly SecureThroughObscure does not. You seem to be over-simplifying a
Re: (Score:1)
Re: (Score:1)
There was never a carpet bombing vulnerability in firefox (you would know this if you read the original article about the bug.)
I never suggested that there was a "Carpet Bombing" vulnerability in Firefox - I don't know where you got that idea from.
I read the article before I made my first post - your RTFA jibes don't help - I've also read follow up articles.
Rios now claims in a later blog post that he has found three alternative methods to exploit Windows using Safari 3.1.2 and Firefox in conjunction.
However, he admits that the "Carpet Bombing" has been removed from Safari and gives no indications of how the new exploits a
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
It implies that Safari still has major problems, while the summary clearly states that this issue (that was discovered in Safari), is now found to affect FireFox 2/3.
The way I read it is that the Safari bug has been fixed to his satisfaction, but that users who haven't patched it and who use Firefox are at an even greater risk due to a new interaction he discovered that means if the attack works and you have Firefox, it can also steal arbitrary files from your computer. Further, it implies that if an attacker has another way to get random files onto your desktop or wherever, he can probably use Firefox to steal files.
I think a more accurate headline would have stated that FireFox was found to be not immune to a security problem found in IE and Safari.
I disagree. I think this is a separate flaw in F
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:1, Insightful)
Alas, nothing could be further from the truth. Ask yourself these questions:
Obviously, the security flaw is in Windows.
Re: (Score:2)
Since there is no way in hell that anyone could consider the above to be a troll, and the most it ever got was a +1 interesting which someone else modded with an overrated, I am now 100% convinced that there are paid M$ shills here on Slashdot.
Re: (Score:3, Interesting)
I still fail to understand why downloading files to the desktop is a major security problem...
That's quite funny that Microsoft urged Apple to fix this, whereas the actual failure was in IE7.
It's not the job of Apple or Firefox (we don't know about this bug anyway) to fix everyone else (Microsoft) security problems.
Re: (Score:1, Insightful)
If you want unrelated (possibly malware crap) files scattered all over your desktop because you surf the web you are free not to patch.
I can't really see why you think thats such a good idea though.
posting exploits of vulnerabilities (Score:3, Interesting)
Re:posting exploits of vulnerabilities (Score:5, Insightful)
Re:posting exploits of vulnerabilities (Score:5, Interesting)
Well, there is two sides to that coin...
A "1337" user, may want full disclosure, so that he can patch his software immediately, and maybe other people who run the same software (White Hat)
Another 1337 user, may patch his own software, and then begin to propagate a script to take advantage of unpatched software (Black Hat) which, could be for a sort of Grey Hat intention, "see? fix it!" or simply for malicious intent.
The problem with Full Disclosure, is that you can't inform everyone, or update everything instantly, so it only helps those in the know (which isn't many), so partial/non-disclosure is generally better (in consumer products), but Full Disclosure would be appropriate for a closed network, non-consumer software.
Somewhat redundant, but had to comment.
Re: (Score:2, Interesting)
Maybe I'm missing something? (Score:3, Interesting)
It wouldn't be the first time I got the wrong end of the stick, but Rios blog seems to suggest that he has discovered a way to use the original "Carpet Bomb" issue with Firefox to steal user data.
He states that Apple have fixed their part, but seems to be saying that he won't reveal the Firefox issue because...
So what are Apple supposed to be patching or responding to?
Anyone else read the article (that way)?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:Maybe I'm missing something? (Score:4, Informative)
Yup, so if you can get a file onto the desktop, you can steal data from people with Firefox installed... in some unspecified way. At least that is how I read it.
I don't see that Apple is supposed to be responding to anything at this point. I don't think his blog implied that they were.
Re: (Score:1)
I don't think you are missing anything. (Score:3, Insightful)
He says that the attack he has found can be made without the carpet bomb...
Just as the attack on IE can.
Apple fixing the download-without-prompt attack won't do anything to fix the underlying problem, that just having a file sitting around in the default download directory on Windows can lead to code execution.
I suspect that the Firefox problem is similar.
The WoW Troll is relevant, problem btwn kb & c (Score:3, Insightful)
The "carpet bombing" attack as i've heard it described is not a software flaw at all.
so they build a site that initiates a large quantity of downloads to your computer.. so what.
it's nothing more than being an a-hole web designer.
the fact it ends up on your desktop is because the user didn't change the windows default settings, and anything that happens from that point on regarding "accidental execution" of one of these littered files is the user's fault.
Why do we need a software nanny state. It's really disgusting that because of stupid people I have to go through 3 separate nags in osX in order to perform mundane tasks.
I'm sorry but user stupidity is not a valid excuse to make every app behave like clippy! "are you sure you want to do this?" "really?" "are you absolutely sure?"
Re: (Score:2)
Who modded this guy insightful?
Who is this guy to think that the market should be catering to him instead of the millions of other people who aren't as wise with computers?
I think you are confusing stupidity with ignorance which is a big mistake. Just because someone isn't wise to all of the risks and no-nos in computers doesn't mean they are stupid. How much do you know about quantum physics or hispano-arabic literature? Because you lack knowledge in a field doesn't make you stupid.
The future of compute
Re:The WoW Troll is relevant, problem btwn kb & (Score:2)
How much do you know about quantum physics or hispano-arabic literature?
I know enough to not touch the glowing substance in the lab when I don't know what it is because it might be hot, or highly unstable.
Because you lack knowledge in a field doesn't make you stupid.
In any browser when you initiate a download voluntarily it gives you a little window telling you the name and size of the file you are saving and where it is being saved to. If any file is not one you recognize, you are an IDIOT to reach out, touch it, and set it free on your computer.
Everyone who wasn't an idiot learned not to do this when they were a toddler and reached o
Re: (Score:2)
No web browser should be able to download files to your computer without your approval.
NONE.
There is no excuse for this retarded behavior of Safari. No web browser except Safari ever allowed this.
Re:The WoW Troll is relevant, problem btwn kb & (Score:2)
When I click on a hyperlink, I want what its linked to to come down..
what do you want me to do, plead with curse to give me my addons?!
The problem is not apple's problem, hell it's not even microsoft's.
the problem is these people are misrepresenting a hyperlink as a web page when it's really a direct download link.
This does not mean I should be nagged because people are too dumb to say "I didn't request this file so i wont open it"
Re:The WoW Troll is relevant, problem btwn kb & (Score:2)
There is no clicking involved here - it is a web page that can just spontaneously execute Javascript to initiate a file download, which just spontaneously appears on your desktop, with no user interaction AT ALL.
It is an obvious opera flaw.
Re:The WoW Troll is relevant, problem btwn kb & (Score:2)
No web browser should be able to download files to your computer without your approval.
NONE.
There is no excuse for this retarded behavior of Safari. No web browser except Safari ever allowed this.
One missing piece of the puzzle? (Score:3, Insightful)
...err, what is Microsoft doing to fix their end of the problem? I mean, this (IIRC) only works if the victim has Microsoft Windows as their OS.
I mean, this isn't specifically to slam MSFT, but the guy who discovered this works... for Microsoft. The attack vector stops cold if the user is on OSX and/or Linux, but does work in Windows.
So, umm... what's Microsoft doing about this (assuming they can), Mr. Rios?
Re: (Score:1)
Err, you do realize that all that bragging about Vista, executable controls, and sandboxing is supposed to actually mean something, right?
Re: (Score:1)
MSFT has to fix this. Windows security issue. (Score:1, Troll)
When is MSFT going to implement cross-browser flagging of downloaded executables? When is MSFT going to patch IE to stop it from loading arbitrary DLLs from the desktop?
Re: (Score:2)
Re: (Score:2, Informative)
Your summary for the article is wrong. I'd keep my head down in your position.
Microsoft have not fixed anything. Apple fixed the Safari "Carpet Bomb" issue.
The IE execution issue is still active. Rios is just pointing out that Firefox can also be used to exploit the Safari issue, if the current Safari patch is not deployed.
So just to re-cap: Apple's shitty code is fixed. Microsoft and Mozilla's shitty code needs fixing.
Posting a summary on Slashdot claiming that there is still a
Re: (Score:1)
Rios has posted further clarification... (Score:1)
http://xs-sniper.com/blog/ [xs-sniper.com]
He is saying that the "Carpet Bomb" issue IS fixed, but that he is aware of three other methods to exploit interaction between Safari and Firefox.
He is giving out no details, no work-arounds and no advice on how to protect yourself. It's all a little bit vague.
I'm starting to suspect Shenanigans.
I have a working patch! (Score:2, Flamebait)
This should be easy to patch: STOP USING WINDOWS!!
Linux is not the only alternative (Score:2)
For example you could use OSX as your desktop operating system.
Re: (Score:2)
For example you could use OSX as your desktop operating system.
Fanboism at it's best, and I'm writing this on a OS X system. Safari on OS X is the largest (after Quicktime) attack vector on OS X. Security is a systemic Safari problem, on any OS, even though this one is Windows exploit. The problem is, in OS X, one can never truly delete Safari without breaking some parts of it and third party programs that use it, though they don't break as badly as Windows does if you delete IE DLLs, this makes it not an option for avoiding Safari bugs really.
(Well, you can drag th
OS /= Browser (Score:2)
The AC I was answering was stating that not using Windows will mean "all productivity will shut down" and quote:
Besides, I use Opera on Windows, Linux and Mac OSX.
Re: (Score:2)
The AC I was answering was stating that not using Windows will mean "all productivity will shut down" and quote:
Besides, I use Opera on Windows, Linux and Mac OSX.
Am I the only one? (Score:1, Offtopic)
I'm finding this new messaging system well-nigh impossible to use.
Alan B Fabian- Apple needs something better (Score:1)