Slashdot Mirror


Microsoft Urges Windows Users To Shun Safari

benjymouse writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to 'restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.' This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Essentially, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem." Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you.

10 of 502 comments

  1. Such as...? by Animaether · · Score: 5, Informative

    A list of actual drive-by vulnerabilities in current Internet Explorer (name-calling went out of vogue when you reached the age of 15, man. You are at least 15, right?) that allow for code execution on the client to substantiate your claim, please.*

    Now if you want to point fingers, visit that Dhanjani link and read about the vulnerability he's not disclosing, as a courtesy to Apple; "The third issue I reported to Apple is a high risk vulnerability in Safari that can be used to remotely steal local files from the user's file system [...] it is a high risk issue affecting Safari on OSX and Windows". There hasn't been an update to that in the past 2 weeks, implying that it has not yet been fixed.

    The Slashdot headline is pure flamebait and you took it.

  2. prefs by Beer_Smurf · · Score: 3, Informative

    You can tell Safari to put downloaded files wherever you want.
    So they don't have to be on the desktop.

  3. Re:Wow. Just wow. by 99BottlesOfBeerInMyF · · Score: 4, Informative

    Just to clarify the cause effect relationship, that is not clear enough for me in the parent. KHTML, that is Konqueror's core, is open source, free software, and easily reusable. That's why Apple forked the project and uses it as a part of Safari.

    Just to clarify your clarification. Apple forked KHTML, which was developed by the Konqueror team, and named their fork WebKit, which is also free and open source. Since then, the developers of KHTML have decided to abandon KHTML in favor of WebKit themselves and are integrating WebKit into Konqueror. So Safari and Konqueror's rendering engine is named 'WebKit' not 'KHTML'.

  4. Re:Oh Microsoft... by Vectronic · · Score: 3, Informative

    And what, you are trusting (Vista/Server 2008 I would assume?) simply because there isn't a list of vulnerabilities that have been exploited that doesn't have an update/fix for it?

    Side Note: I'm typing this from XP and I have another computer in the room next to me currently booted into Vista.

    Did I say Microsoft is bad? No.

    Besides, obviously a vulnerability is not going to be found if it's already patched on the system being tested. Again quoting you: "Please list some actual 2008 vulnerabilities that were exploited before being patched." But you are neglecting the fact that en masse there are a lot of people who don't update/patch their machines every day.

    Furthermore, a lot of vulnerabilities are found by third parties and Microsoft is notified by them, not necessarily by Microsoft employees themselves.

    And finally, because it hasn't been reported does not mean they do not exist. Assuming something is secure without proof is far worse than assuming it's not.

    Found by Microsoft, currently unpatched*:
    http://secunia.com/advisories/29867/

    Found by non-Microsoft, currently unpatched*:
    http://secunia.com/advisories/29458/

    * According to them.

    I'm sure I could find more, but I've fed the troll enough as it is.

  5. Re:Accidentents. by x_MeRLiN_x · · Score: 4, Informative

    When he says "recently", he means 6th August 2004; the release of Windows XP SP2.

  6. Re:Accidentents. --lol by DAldredge · · Score: 4, Informative

    From the linked article "Apple does not feel this is a issue they want to tackle at this time. In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system. Apple agreed it was a good suggestion: ...the ability to have a preference to "Ask me before downloading anything" is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated. [credit to BK have-it-your-way Rios for suggesting the term "Carpet Bomb" to describe this issue]."

  7. Re:Accidentents. by Quantumstate · · Score: 3, Informative

    No, the danger lies in the fact that Apple didn't code Safari to mark the file as being downloaded from the internet. Any application could write executables, such as an installer from a CD; it would just confuse people to tell them that those files were downloaded from the internet when they weren't. Therefore the browser needs to mark the file to say it is downloaded from the internet, but guess what the Safari programmers didn't do? Hence it is all Apple's fault.
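
As an added editorial example (not code from this thread, nor from Apple or Microsoft): the "mark" the comment above refers to is, on NTFS, an alternate data stream named Zone.Identifier attached to the downloaded file, holding an INI-style [ZoneTransfer] section whose ZoneId is 3 for the Internet zone; Windows shows its "downloaded from the Internet" warning only when that stream is present. The Python script below parses that stream, reads it from a file (the stream is addressed as <path>:Zone.Identifier, which only works on NTFS; elsewhere the open simply fails and the file counts as unmarked), and sweeps a directory for a burst of recently written files that carry no Internet mark, which is what a desktop full of unsolicited downloads would look like. The function names, the 20-file threshold, the constructed stream contents and the simulated download directory are assumptions for illustration only.

```python
"""Audit a download directory for files that lack the Windows mark of the web.

Added example (assumptions noted inline). On NTFS a browser that records
download origin writes an alternate data stream named Zone.Identifier next
to the file, holding an INI-style [ZoneTransfer] section whose ZoneId is 3
(URLZONE_INTERNET). Files without it look local to Windows, so no warning
fires before they are opened.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

URLZONE_INTERNET = 3
ZONE_STREAM_SUFFIX = ":Zone.Identifier"  # NTFS alternate data stream name


def parse_zone_identifier(text: str) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream body, or None if absent/malformed."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or INI comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def read_zone_id(path: str) -> Optional[int]:
    """Read <path>:Zone.Identifier; None when the stream is missing or unsupported.

    Outside NTFS the colon is just a character in a filename that does not
    exist, so the open fails and the file is reported as unmarked.
    """
    try:
        with open(path + ZONE_STREAM_SUFFIX, encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


@dataclass
class UnmarkedFile:
    path: str
    modified: float


def find_unmarked_recent(directory: str, window_seconds: float,
                         now: Optional[float] = None) -> List[UnmarkedFile]:
    """Regular files written within window_seconds that carry no Internet zone mark.

    Modification time is used because it is set when the download is written
    on every platform; st_ctime means creation time only on Windows.
    """
    now = time.time() if now is None else now
    hits: List[UnmarkedFile] = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        modified = os.stat(path).st_mtime
        if now - modified > window_seconds:
            continue
        if read_zone_id(path) != URLZONE_INTERNET:
            hits.append(UnmarkedFile(path, modified))
    return sorted(hits, key=lambda h: h.path)


def looks_carpet_bombed(hits: List[UnmarkedFile], threshold: int = 20) -> bool:
    """Assumed heuristic: a burst of at least `threshold` unmarked files is suspicious."""
    return len(hits) >= threshold


def simulate_carpet_bomb(count: int, window_seconds: float = 300.0) -> List[UnmarkedFile]:
    """Constructed sample: drop `count` placeholder .exe files into a temp dir,
    as a drive-by download would, and run the sweep over it. Nothing writes a
    zone stream, so every file is expected to be flagged."""
    with tempfile.TemporaryDirectory() as directory:
        for i in range(count):
            with open(os.path.join(directory, f"bomb{i:03d}.exe"), "wb") as f:
                f.write(b"MZ")  # constructed placeholder, not a real executable
        return find_unmarked_recent(directory, window_seconds)


if __name__ == "__main__":
    hits = simulate_carpet_bomb(25)
    print(f"{len(hits)} unmarked recent files; carpet bomb? {looks_carpet_bombed(hits)}")
```

Run it as a script to see the simulated sweep; point find_unmarked_recent at a real Desktop or Downloads folder on Windows to audit what a browser actually left behind. A file that Windows would warn about before opening returns 3 from read_zone_id; anything else is treated as local.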

  8. Re:Accidentents. by recoiledsnake · · Score: 4, Informative

    Wrong, Apple has been installing Safari on Windows users' machines disguised as an update to iTunes/QuickTime. And iTunes has hundreds of millions of users. Even if 5% of them use Safari, it's a pretty big demographic.

    --
    This space for rent.

  9. Re:Accidentents. by MobyDisk · · Score: 5, Informative

    It's funny that you say that, because on my MacBook Pro it is the exact opposite. Safari does this and Internet Explorer does not.

    Under OS X, when you click an installer image downloaded by Safari it says something like "The application 'Whatever' was downloaded from the Internet on {date}. Are you sure this is safe to open?"

    I sometimes use IE on Windows (for testing sites I develop) and I've never seen a comparable message from Internet Explorer.

    Maybe you are talking about IE on Vista and Safari on Windows?

  10. Re:Accidentents. by stewbacca · · Score: 4, Informative

    I think what he is saying is that OSX has a built in download manager, regardless of browser, so the user indeed DOES have to authorize downloads. If an OSX user gets carpet bombed, it's because they said "ok" at some point. You haven't been dumbed. You should try to be less snarky if you want people to take you more seriously. And try some capital letters while you are at it ;-)