Microsoft Urges Windows Users To Shun Safari
benjymouse writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to 'restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.' This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Essentially, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem." Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you.
"Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you."
With hundreds of files on your desktop, what are the odds you'd hit one when you are just blanking out a selection, or deleting them, or frustratingly smack your mouse for [whatever reason]
While it's true that IE's security isn't much better, they do have a point.
Apple just needs to turn the tables and tell people to shun IE and use Firefox/Opera/what have you, is all.
[b.belong('us') for b in bases if b.owner() == 'you']
One other thing that hit me immediately... MS: "Omigod they found a BUG in our competitor's web browser! Because we're very concerned for our users' security, we urge you to stop using that browser immediately! Users should NEVER use a buggy web browser! (unless it's explorer)"
I work for the Department of Redundancy Department.
Wow. Have to admit I'm on Microsoft's side here. Let's see:
It's not just the vulnerability that hurts, but the compound bullshit caused by Apple's -- rather arrogant -- actions. This reads like something Microsoft would do!
Also, vulnerabilities in Apple software (and this bug affects both Windows and Mac), make all *nix stuff look bad: watch MS shills roll out the 'Microsoft software is only vulnerable because hackers target it' FUD in short order.
Posting as AC due to Apple fanboy-mods. Modding this down doesn't stop it being the truth.
If Apple won't fix it, why doesn't someone fork the project and produce a version that doesn't have the vulnerability?
"I've got more toys than Teruhisa Kitahara."
Nice way to spin a Safari flaw.
Because they don't give you permission to? And even if they did, no one would bother without the source.
I think that anyone who gives a shit, has moved away from proprietary web browsers. (And yes, I'm aware their rendering engine is under GPL as it's based on KHTML or w/e)
Is Safari open source? I didn't think it was. If it isn't, then there is no way to fork it, is there?
What's stopping the browser from saying "I can't handle this file/etc, but please click here if you wish to save it to your desktop"? In the majority of situations, most people wouldn't bother downloading it anyway.
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
That guy appears to be the one who discovered the vulnerabilities and reported them to Apple.
Do you really think Slashdot shouldn't link to primary sources?
-Esme
Hi all, I'm in the uncomfortable position of agreeing with Microsoft on this issue. If a browser (any browser) allows a website to randomly download files without the user's explicit permission, regardless of the location, it is a security issue in my opinion. Having said that, I take issue with Microsoft's security advisory. The only thing they say is: "What causes this threat? A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user's machine without prompting, allowing them to be executed." OK, but how about telling us the how or why? Since it is a direct contributor which causes the blended threat, I don't think it's asking too much to want to know exactly "how the Windows desktop handles executables" and how that contributes to the threat.
I have a load of .php files in my downloads directory because I've clicked on things in online svn browsers and it's decided it can't render them.
And how was it supposed to render them? There's nothing there that's gonna run the php script and serve the contents it provides. At best the browser would get headers that tell it "hey, this is a text file" and the browser would display it as such, but there is such a thing as headers that say "always download this no matter what you think you can do with it". Now I'm not sure whether that's the case or not, but files in svn repositories were never meant to be parsed by browsers.
Trust the Computer. The Computer is your friend.
Supposedly it does this on OS X as well, but a comment above says it's not doing it; that's an aside, though.
If it -does- do this on OS X, then it is called a convenience?
What is the convenience in having a folder automatically stuffed with files, downloaded without your say-so, exactly? Regardless of whether they can then be arbitrarily executed by a second program, or whether the user can execute them without a warning dialog popping up or not, etc. What, in your opinion, is convenient about it?
I find alt+click in Firefox convenient to download a file that I want without clicking on it and then going through the download dialog. I find it even more convenient that Firefox -asks- me if I want to download a given file if some crazy redirect page pointed me to one; gives me the opportunity to say "Hell no!" before the file even ends up on my drive.
But our opinions on convenience may differ.
Not mine. http://en.wikipedia.org/wiki/Proprietary_software Safari certainly seems to fit it.
Well, let's see:
Oh, I see. So, the auto-download feature doesn't "properly" tag them like IE7 does, so users might accidentally execute a program without being first informed it was downloaded? Gosh. Sounds less like a security vulnerability than MS blowing smoke.
But, wait:
Oh, well now it's sounding more like it'll be downloaded *and* executed automatically. Of course, if that's the case, half the "security vulnerability" is in Windows automatically executing things. If not, MS is simply lying... unless they have proof that Safari is the one causing said automatic execution.
However you spin it, Safari allowing carpet bombing is an annoying feature (much like pop-unders are an annoying feature). But it's not a security vulnerability. Labeling it as such is bullshit.
Does that mean you should use Safari regardless? Personally, I'd say no. Carpet bombing is too annoying of a feature to tolerate. But, then, I'd imagine Windows has too many annoying features for a lot of Mac users. It'd be just as asinine for Apple to issue a security advisory to shun Windows.
Eurohacker European paranoia, gun rights, and h
One hundred rounds does not constitute firepower.
One hit constitutes firepower. (Gen. Merritt Edson, USMC)
If a browser (any browser) allows a website to randomly download files without the user's explicit permission, regardless of the location, it is a security issue in my opinion.
It's a minor issue compared to a number of others that ALL browsers on Windows have. If Microsoft is serious about security then they need to:
1. Immediately transition away from ActiveX, with as short a timeframe as possible.
2. Replace ShellExecute() with something similar to UNIX's exec(). They already HAVE the code, in the POSIX subsystem.
3. Eliminate "security zones" as a security model - there must be no circumstance in which the location of an object named in a web page automatically grants it privileges.
4. Provide an alternate API for browsers to use to find and run helper applications that is not based on the desktop helper application bindings.
All four of these are far bigger problems than having files downloaded without a prompt. Not only do they all provide paths to direct execution of untrusted code without user interaction, but they have all BEEN used for that purpose hundreds of times over the past decade.
I am not sure it's possible to implement a really secure browser on Windows without completely bypassing all of Microsoft's recommended APIs.
i wish people would stop saying false dichotomy, it makes me feel uncomfortable... a false set of mutually exclusive groups? how does that even work?
This is a joke. I am joking. Joke joke joke.
Since Internet Explorer's creation there has been a long, dangerous, ridiculous and at times even funny list of code execution vulnerabilities in Internet Explorer. How many times has Microsoft ordered users to shun Internet Explorer (or Outlook, or IIS, or MSSQL, to give a small example) because such a vulnerability was actually being exploited?
How many times did a long time pass before Microsoft acknowledged that there was a problem, and then even more time before fixing it?
And, maybe more important... what are the odds of Microsoft doing exactly that recommendation for IE if Internet Explorer or another of their major products is found tomorrow to have a similar or worse security problem?
Of course, I'm not discussing here whether people should stop using Safari until that vulnerability is fixed, or at least be very aware of what could happen and how to deal with it.
If Apple won't fix it, why doesn't someone fork the project
Because Safari is not Open Source.
There are shills on slashdot. Apparently, I'm one of them.
That is not the problem here. The problem is that files of an unknown content type are being downloaded without the users' consent.
Browsers are downloading html, swf and image files all the time. That is not at all an issue here. The issue is that an EXE or DLL can be downloaded without the users' consent. These files can in turn be launched through a secondary attack.
Not a security bug? The downloaded files go directly to the desktop.
So, what if a site triggers an automatic download of a file called "My Computer.exe" to an XP computer, using the typical My Computer icon. Will a casual user be able to tell the difference? One click will take them to My Computer, another might install a spam zombie. Now think of a user with 500 extra My Computer icons. Which do they choose?
Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
But Safari places them on the desktop by default. This is the key problem, and in fact a good number of security vulnerabilities wouldn't be an issue if it weren't for the fact that the majority of users stick with the default settings.
And you can't make the argument that the only people downloading Safari are power users anymore - if you have an iPod, odds are that Apple Update has pushed Safari to your machine.
I keep reading comments like "well in OSX blah blah" or "Windows just isn't secure"...ok that's informative, but it's really beside the point. I'm willing to bet that Apple is not addressing this fix because it's good PR to the uninformed. If the user perceives that it's Windows' fault then they might well go all Mac since they are already using Safari...Anyhow, I think that along with the PR bit, Apple doesn't want to admit that there is a huge gaping hole in their web browser, which raises a question...is Apple ready for a bigger market share? Microsoft may have security holes, but you can almost bet they will be patched in a timely manner. With Apple, from my experiences, it takes quite a while for updates to hit the servers. I don't really see this as controversial at all, Apple needs to patch their product, Microsoft has an obligation to protect their users...I would expect Apple to do the same with IE if Microsoft outright REFUSED to patch it. I know there is a lot of Microsoft hate here on Slashdot...but this is pretty obvious in that it's Apple being the "bad guy" here.
Feel free to start listing them now. I'll let you know how many of them still work.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Maybe they're worried because Apple is pushing Safari on hundreds of millions of unsuspecting users disguised as an iTunes and Quicktime update?
This space for rent.
It is dangerous to be right when the government is wrong.
Is it your fault if the only options are lame tools? You can't help but vote for one.
No sig for you. YOU GET NO SIG!
1) IE came out at a time when Netscape threatened to make Windows irrelevant for Internet use (Yes, there's more to the Internet than the WWW, but Netscape already had USENET and email covered too, which MSFT countered with Outlook (and Express), though no newsreader that I can remember offhand). Safari came out at a time when Microsoft (via IE) threatened to make Macs irrelevant by dint of having no real usable browser.
2) A combination of momentum (already got it may as well keep it) and control (control the standards implementation, and you control the market, which in turn controls much, much more). Throw in a dash of the future (in which all OSes will become mere commodities) and you can see why the likes of MSFT and Apple go out of their way to make sure that their web browser is the one that people use. The funny thing is, Firefox may well threaten to obliterate both of 'em.
Overall, I think that if Firefox does indeed end up taking the majority (it looks poised to in Europe, if it hasn't already, and has a VERY strong showing in the US - on both Windows and Mac systems)? Then Windows ends up not being very relevant anymore for the majority of what people do with their computers. Macs would face a lot of the same problems. Sure, apps are still a strong factor, but most major apps have versions for both OSes.
Quo usque tandem abutere, Nimbus, patientia nostra?
"I we can agree on" makes no sense, what the hell is going on in your head?
This space for rent.
This really is rather disingenuous. While Safari on OSX will allow mass downloads, the files won't litter your desktop and executables won't be launched automatically, making this problem little more than a possible annoyance. Even if by some miracle an executable was launched automatically, OSX issues a prompt the first time an untrusted application is launched.
Honestly I would have thought that UAC in Vista would do the same type of thing, preventing this from becoming a security issue.
Cleaning up from a mass download is incredibly easy. Any reasonably computer literate person should be able to remove these files easily (even if they number in the millions) with a single command from the finder, from the terminal or from automator.
Windows users should be able to clean up just as easily from the command line, so seriously, what's the big issue here? Microsoft's comments reek of anti-competitive bullshit.
This space for rent.
Ah. I see. Thanks for your answer.
I don't think my comment is irrelevant, but rather I wasn't sure what the issue was (which is why I asked). The fact that it doesn't display things that it doesn't know how to handle is valid. Whether it asks you to download or downloads automatically, it seems to me, should be a setting. Either way is valid, IMO, but ideally the user should be able to choose. Now, if you said it was *running* files without asking, it'd be a different issue, but downloading shouldn't be a huge deal.
But so the problem is that it's allowing pages to force automatic downloads of an unlimited number of files, without asking? That does sound like it's a potentially annoying problem. Still not sure it's a very critical security vulnerability, but if it's hard to cancel once it has started, then it would be annoying.
When a download starts in Safari the 'Downloads' window appears. If you want to prevent a download all you have to do is click. This would be impractical with a hundred downloads, but so would a hundred prompts. Likewise, approving downloads one at a time isn't ideal when you want to download a lot of files. I'd like to see Apple add a delay before the download starts to give users more time to respond. A cancel/prevent all button would also be fun. In the end all Apple really needs to do is change the default download location and this problem becomes a non-issue. Microsoft's claims seem to center around the fact that the files end up on the desktop. All in all I think this is rather ridiculous in the light that the user is made well aware of the downloads and can easily stop them. This certainly won't stop me from using Safari or Webkit in general on Windows. On a side-note, there are a number of download managers that take over from Safari's 'Downloads' window on OSX. It's not unreasonable to think this could prevent mass downloads.
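Several posts in this thread converge on the same mitigations: never save unprompted downloads to the Desktop, always ask before saving an executable or an unknown type, and stop a page after a handful of unsolicited downloads instead of showing a hundred prompts. The following is an added example, written for this discussion and not code from Safari, WebKit, Microsoft or Apple, of a browser-side download policy that implements those three rules. The download directory, the budget of three automatic downloads per page, the extension and MIME-type lists, and the sample response headers are all constructed assumptions chosen to illustrate the policy.

```python
import os
import re
from dataclasses import dataclass
from email.message import Message
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    RENDER = "render inline"
    SAVE = "save to the downloads folder, tagged untrusted"
    PROMPT = "ask the user before saving"
    BLOCK = "drop: this page exceeded its automatic-download budget"


# Assumed, constructed policy values (not Safari's or Windows' defaults).
DOWNLOAD_DIR = os.path.join("~", "Downloads")   # never the Desktop
AUTO_DOWNLOAD_BUDGET = 3                         # unprompted saves per page load
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                   ".pif", ".msi", ".vbs", ".js", ".lnk"}
RENDERABLE_TYPES = {"text/html", "text/plain", "image/png", "image/gif",
                    "image/jpeg", "application/x-shockwave-flash"}


@dataclass
class PageSession:
    """Per-page-load state: how many unsolicited downloads it has triggered."""
    origin: str
    auto_downloads: int = 0


@dataclass
class Verdict:
    decision: Decision
    filename: Optional[str]
    target_dir: Optional[str]
    tagged_untrusted: bool   # the file gets a 'downloaded from the web' mark


def _parse_headers(headers: Dict[str, str]) -> Tuple[str, str, Optional[str]]:
    """Use the stdlib MIME parser for Content-Type / Content-Disposition."""
    msg = Message()
    for name, value in headers.items():
        msg[name] = value
    # A missing Content-Type is treated as opaque binary, not as text.
    ctype = msg.get_content_type() if "Content-Type" in msg else "application/octet-stream"
    disposition = msg.get_content_disposition() or "inline"
    return ctype, disposition, msg.get_filename()


def sanitize_filename(name: Optional[str], fallback: str = "download.bin") -> str:
    """Keep only a bare file name: no directory parts, no control characters."""
    if not name:
        return fallback
    name = os.path.basename(name.replace("\\", "/"))
    name = re.sub(r"[\x00-\x1f]", "", name).strip(" .")
    return name or fallback


def decide(headers: Dict[str, str], user_initiated: bool, session: PageSession) -> Verdict:
    """Decide what to do with one HTTP response the page asked us to fetch."""
    ctype, disposition, raw_name = _parse_headers(headers)
    filename = sanitize_filename(raw_name)
    executable = os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTS

    # Ordinary web content displayed inline is not a download at all.
    if disposition == "inline" and ctype in RENDERABLE_TYPES and not executable:
        return Verdict(Decision.RENDER, None, None, False)

    # Scripted or redirect-driven saves count against the page's budget;
    # past the budget they are dropped instead of prompting again.
    if not user_initiated:
        session.auto_downloads += 1
        if session.auto_downloads > AUTO_DOWNLOAD_BUDGET:
            return Verdict(Decision.BLOCK, filename, None, True)

    # Executables, and anything the user did not ask for, require a prompt.
    if executable or not user_initiated:
        return Verdict(Decision.PROMPT, filename, DOWNLOAD_DIR, True)

    # A user-clicked, non-executable file is saved outside the Desktop, tagged.
    return Verdict(Decision.SAVE, filename, DOWNLOAD_DIR, True)


def demo() -> List[Tuple[str, Optional[str]]]:
    """Run the policy over constructed responses from one hypothetical page."""
    session = PageSession("http://example.invalid/")   # constructed origin
    octet = "application/octet-stream"
    samples = [
        ({"Content-Type": "text/html; charset=utf-8"}, True),
        ({"Content-Type": octet, "Content-Disposition": 'attachment; filename="setup.exe"'}, False),
        ({"Content-Type": "application/x-httpd-php", "Content-Disposition": "inline; filename=foo.php"}, True),
        ({"Content-Type": octet, "Content-Disposition": 'attachment; filename="../../payload.dll"'}, False),
        ({"Content-Type": octet, "Content-Disposition": 'attachment; filename="junk.bin"'}, False),
        ({"Content-Type": octet, "Content-Disposition": 'attachment; filename="junk.bin"'}, False),
        ({"Content-Type": octet, "Content-Disposition": 'attachment; filename="junk.bin"'}, False),
    ]
    return [(v.decision.name, v.filename)
            for v in (decide(h, user, session) for h, user in samples)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The page is a normal navigation, so the first response renders; every scripted save prompts (including the executable with a path-traversal file name, which is reduced to a bare name first); once the page has triggered three unsolicited saves the rest are dropped without another dialog, which is the "prevent all" behaviour the post above asks for.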
If I'm downloading stuff to my Desktop then there is no security problem. Now, uploads are a different matter. Is that what is supposed to be meant here? Me thinks "downloads" doesn't mean what they think it means.
this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
Apple is just proving how stupid they really are. At all times a software company needs to see the issue from the eyes of their customers. Going to a web site that can turn your desktop into crap without you actively allowing it would most definitely be considered a security problem by any sane user.
However this clearly *is* a security problem. What if I was on linux and the file uploaded was .bashrc or .profile or any number of old school ini files windows still actively looks for and parses?
The possibility of an attack vector against god knows what preview/display hooks in the OS is only dwarfed by the possibility of execution by an unsuspecting user who assumes programs labeled 'MS Word' appearing on his computer's desktop are safe to run.
That apple would even bother posting such a ridiculous response only proves they don't deserve to be taken seriously. The good ole days of 'apple is more secure because no one uses it' are gone forever.