Slashdot Mirror


Microsoft Urges Windows Users To Shun Safari

benjymouse writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to 'restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.' This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Essentially, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem." Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you.

28 of 502 comments

  1. Accidents. by Vectronic · · Score: 4, Insightful

    "Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you."

    With hundreds of files on your desktop, what are the odds you'd hit one when you are just blanking out a selection, or deleting them, or frustratingly smack your mouse for [whatever reason]?

    1. Re:Accidents. by dfm3 · · Score: 5, Insightful

      With hundreds of files on your desktop, what are the odds you'd hit one when you are just blanking out a selection, or deleting them, or frustratingly smack your mouse for [whatever reason]

      Or, even worse, on purpose.

      First, imagine how many people would just blindly click on a new desktop icon just to "see what it does".

      Second scenario, most Windows users I know keep file extensions off by default, and keep dozens of shortcuts to executables on their desktop among various folders, downloaded files, and other clutter. Now what if the downloaded file were named "safari.cgi" or "iTunes.cgi", but all the user sees is Safari with a generic file icon. I know many people who would think, "hmm, the icon to my internets is messed up" and click it anyway.
    2. Re:Accidents. by kitgerrits · · Score: 4, Insightful

      As a Linux user, I have to point out one thing in Microsoft's defense:
      Lately, it seems to tag executables that have been downloaded and warns you about it when you try to run them.
      Apparently, Safari does not have this mechanism, so users might assume it's a valid local icon.

      I still run Firefox, though.

      --
      "I was in love with a beautiful blonde once, dear. She drove me to drink. It's the one thing I am indebted to her for."
    3. Re:Accidents. by Anonymous Coward · · Score: 4, Insightful

      Wrong. Anytime a browser can be made to download a file without the user agreeing to it it's a problem with the browser. Nice try though.

    4. Re:Accidents. by recoiledsnake · · Score: 3, Insightful

      Safari on Mac OS X doesn't need it - it's built into the Finder itself, so you get the warning regardless of what you used to download the app. I think I have to agree with Apple on this. Flooding your download directory with crap is annoying as hell, and downloads should certainly be made optional for that reason. But it's not a security problem - the security problem is that Windows Explorer doesn't warn the user before running an unknown .exe.

      MSDN contains clear instructions on how to mark an executable as unsafe. It's not Windows Explorer's fault that Apple chose to ignore it. Whatever you try to spin it as, the security problem is that Safari allows crapflooding of user folders without user intervention aside from just visiting a webpage. Otherwise Firefox/Opera would have this 'problem' too, not just Safari.
      --
      This space for rent.
    5. Re:Accidents. by recoiledsnake · · Score: 4, Insightful

      On OS X Leopard, any executable .app that is downloaded from the Internet requires your explicit permission in order to execute. So it does in Windows (even if downloaded through Firefox). It's just that Safari doesn't mark executables as 'Downloaded from the internet'. This has nothing to do with one OS vs. the other. It's just that Apple is not following proper Windows guidelines while Mozilla etc. do.
      --
      This space for rent.
    6. Re:Accidents. by SvnLyrBrto · · Score: 3, Insightful

      Apparently, HFS+ does. Because the first time I launch an executable I downloaded from the internet, Finder warns me and gives me the option to abort or continue. It does that whether I downloaded it with Safari or Firefox. And I presume it would do the same for Omniweb or Opera or whatever.

      So why, exactly, would I need or want that functionality essentially duplicated in one browser or another, when I already have it in the Finder?

      cya,
      john

      --
      Imagine all the people...
    7. Re:Accidents. by menace3society · · Score: 3, Insightful

      I disagree, having to click in the goddamn "What do you want to do with this file?" dialog every damn time is one of the reasons I hate Windows.

      On my Mac, I can option-click any link and it will download the target to my chosen downloads folder; there is also a contextual (right-click) menu that gives the option "Download link to Downloads folder" when you click a link, so you don't have to be disturbed by those annoying dialog boxes.

      The real issues are 1) there is no way to stop all javascript with a keystroke in case of bombing (I would like to see this on a Mac too, actually) and 2) Windows can run files downloaded directly from the internet.

      With Unix, that doesn't happen, because downloaded files (ought to) have their mode masked to zero the execute bit. Executables can be transferred inside tar or dmg files, but then there's an added step that must be gone through to run it.

      And fixing issue 2) should include .hta's, .bat's, etc etc etc in addition to .exe's.

    8. Re:Accidents. by 93+Escort+Wagon · · Score: 4, Insightful

      So it does in Windows (even if downloaded through Firefox). It's just that Safari doesn't mark executables as 'Downloaded from the internet'. This has nothing to do with one OS vs. the other. It's just that Apple is not following proper Windows guidelines while Mozilla etc. do.

      As a Mac user, I get fed up whenever a company (usually Adobe) doesn't follow "proper procedure" - such as using their own proprietary installer that won't work correctly out of a non-admin account, or software that won't work at all unless you're an admin. It's not just annoying; it's a strike against security.

      So if this is really true - if Microsoft has indicated files should be flagged thus, and provides an API that allows software to do that - then shame on Apple. They want their guidelines followed on their OS; so they should do the same for their Windows software.

      Basically it's the Golden Rule.
      --
      #DeleteChrome
    9. Re:Accidents. by ultranova · · Score: 3, Insightful

      It's stupid for Explorer not to be handling this instead of the browser (or at least not in addition to the browser). What if files get on by some other means, like a backdoor in a service (and it's not like that has not been seen before!!).

      How the heck is Explorer supposed to know the origin of the data in a file some other program wrote?

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
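
The marking the replies above argue about, as an added example (not code from Apple, Mozilla, Microsoft or any poster in this thread): on NTFS a downloading application records where a file came from by writing a small INI-style document into the alternate data stream "<file>:Zone.Identifier" (the "mark of the web"). That stream is how Explorer can know the origin of data some other program wrote: it is the downloader, not Explorer, that has to write it, which is exactly the step a browser can skip. The function and constant names below are this example's own; the writer only does anything on Windows, the builder and parser run anywhere.

```python
"""Mark-of-the-Web (Zone.Identifier) helpers. Added example, not any
vendor's or poster's code; names are this example's own."""
import sys

# URL security zone numbers as they appear in the ZoneId field.
ZONE_LOCAL_MACHINE = 0
ZONE_INTRANET = 1
ZONE_TRUSTED = 2
ZONE_INTERNET = 3
ZONE_RESTRICTED = 4

STREAM_SUFFIX = ":Zone.Identifier"


def build_zone_identifier(zone_id, referrer_url=None, host_url=None):
    """Return the stream body a downloader should write next to a saved file.

    A [ZoneTransfer] section with ZoneId is the minimum the shell needs;
    ReferrerUrl/HostUrl are the optional fields newer browsers also record.
    """
    if zone_id not in range(5):
        raise ValueError("zone_id must be 0..4")
    lines = ["[ZoneTransfer]", f"ZoneId={zone_id}"]
    if referrer_url:
        lines.append(f"ReferrerUrl={referrer_url}")
    if host_url:
        lines.append(f"HostUrl={host_url}")
    return "\r\n".join(lines) + "\r\n"


def parse_zone_identifier(text):
    """Parse a Zone.Identifier stream into a dict with ZoneId as an int.

    Returns None when there is no usable [ZoneTransfer]/ZoneId, which is
    what an unmarked file (one saved by a browser that never wrote the
    stream) looks like to the shell.
    """
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    if not fields.get("ZoneId", "").isdigit():
        return None
    fields["ZoneId"] = int(fields["ZoneId"])
    return fields


def needs_run_prompt(stream_text):
    """True if the shell would warn before running a file carrying this stream.

    Only the Internet and Restricted zones are treated as untrusted; a
    missing stream (None) means no warning at all.
    """
    if stream_text is None:
        return False
    parsed = parse_zone_identifier(stream_text)
    return parsed is not None and parsed["ZoneId"] >= ZONE_INTERNET


def mark_downloaded_file(path, referrer_url=None, host_url=None):
    """Write the Internet-zone mark onto an existing file (Windows/NTFS only).

    Elsewhere the ':' would just become part of an ordinary filename, so
    refuse instead of creating junk.
    """
    if sys.platform != "win32":
        raise OSError("alternate data streams need NTFS on Windows")
    body = build_zone_identifier(ZONE_INTERNET, referrer_url, host_url)
    with open(path + STREAM_SUFFIX, "w", newline="") as stream:
        stream.write(body)
    return body


def read_zone_identifier(path):
    """Parsed stream for path, or None when the file is unmarked/unreadable."""
    try:
        with open(path + STREAM_SUFFIX, "r", newline="") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


if __name__ == "__main__":
    body = build_zone_identifier(ZONE_INTERNET, host_url="https://example.test/setup.exe")
    print(body)
    print("prompt for marked file:", needs_run_prompt(body))
    print("prompt for unmarked file:", needs_run_prompt(None))
```

The point of needs_run_prompt(None) returning False is the whole argument in this subthread: an executable with no stream at all gets no "publisher could not be verified" dialog, however it arrived on the desktop.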

  2. Re:Wow. Just wow. by NewbieProgrammerMan · · Score: 5, Insightful

    Apple just needs to turn the tables and tell people to shun IE and use Firefox/Opera/what have you, is all. Or, maybe, you know, fix their security holes.
    --
    [b.belong('us') for b in bases if b.owner() == 'you']
  3. 1, 2, 3 ... SHUN! by Anonymous Coward · · Score: 5, Insightful

    Wow. Have to admit I'm on Microsoft's side here. Let's see:

    1. automatically download browser as an update whether user likes it or not;
    2. have the audacity to set the browser as default, again whether the user likes it or not;
    3. introduce vulnerability;
    4. ...
    5. errr, no.

    It's not just the vulnerability that hurts, but the compound bullshit caused by Apple's -- rather arrogant -- actions. This reads like something Microsoft would do!

    Also, vulnerabilities in Apple software (and this bug affects both Windows and Mac), make all *nix stuff look bad: watch MS shills roll out the 'Microsoft software is only vulnerable because hackers target it' FUD in short order.

    Posting as AC due to Apple fanboy-mods. Modding this down doesn't stop it being the truth.

  4. Re:Wow. Just wow. by ozmanjusri · · Score: 3, Insightful
    Or, maybe, you know, fix their security holes.

    If Apple won't fix it, why doesn't someone fork the project and produce a version that doesn't have the vulnerability?

    --
    "I've got more toys than Teruhisa Kitahara."
  5. Re:Wow. Just wow. by erikina · · Score: 5, Insightful

    Because they don't give you permission to? And even if they did, no one would bother without the source.
    I think that anyone who gives a shit, has moved away from proprietary web browsers. (And yes, I'm aware their rendering engine is under GPL as it's based on KHTML or w/e)

  6. Re:doesn't work? by Dogtanian · · Score: 3, Insightful

    That's all this is about? Safari downloads some things instead of displaying them? Is that even a security bug? If my browser doesn't know how to display it, I think I'd rather it didn't try. Trying seems like it might be even more dangerous. Am I wrong?

    I'll give you the benefit of the doubt and assume that you posted this in good faith. However, what you're essentially saying ("it's not perfect, but I'd rather it was done the way it's done now") implies a false dichotomy.

    What's stopping the browser from saying "I can't handle this file/etc, but please click here if you wish to save it to your desktop"? In the majority of situations, most people wouldn't bother downloading it anyway.
    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  7. Re:Quality of links by esme · · Score: 4, Insightful

    some guy's blog

    That guy appears to be the one who discovered the vulnerabilities and reported them to Apple.

    Do you really think Slashdot shouldn't link to primary sources?

    -Esme

  8. Microsoft by kardelen133 · · Score: 4, Insightful

    Hi all. I'm in the uncomfortable position of agreeing with Microsoft on this issue. If a browser (any browser) allows a website to randomly download files without the user's explicit permission, regardless of the location, it is a security issue in my opinion.

    Having said that, I take issue with Microsoft's security advisory. The only thing they say is: "What causes this threat? A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user's machine without prompting, allowing them to be executed."

    OK, but how about telling us the how or why? Since it is a direct contributor which causes the blended threat, I don't think it's asking too much to want to know exactly "how the Windows desktop handles executables" and how that contributes to the threat.

  9. Re:Wow. Just wow. by JanneM · · Score: 5, Insightful

    Or, maybe, you know, fix their security holes.

    It's Apple. By definition anything they make is perfect in any conceivable way. If Safari allows forced downloads of thousands of executables, then it is because all web clients really should, and Apple is the only company with the vision, the foresight, and the polo sweaters to implement it. Just ask any Apple fanboy in your neighbourhood; he'll tell you.
    --
    Trust the Computer. The Computer is your friend.
  10. So if it does this on OS X... by Animaether · · Score: 3, Insightful

    Supposedly it does this on OS X as well, but a comment above says it's not doing it, but that as an aside..

    If it -does- do this on OS X, then it is called a convenience?

    What is the convenience in having a folder automatically stuffed with files, downloaded without your say-so, exactly? Regardless of whether they can then be arbitrarily executed by a second program, or whether the user can execute them without a warning dialog popping up or not, etc. What, in your opinion, is convenient about it?

    I find alt+click in Firefox convenient to download a file that I want without clicking on it and then going through the download dialog. I find it even more convenient that Firefox -asks- me if I want to download a given file if some crazy redirect page pointed me to one; gives me the opportunity to say "Hell no!" before the file even ends up on my drive.
    But our opinions on convenience may differ.

  11. Re:Wow. Just wow. by erikina · · Score: 3, Insightful

    Not mine. http://en.wikipedia.org/wiki/Proprietary_software Safari certainly seems to fit it.

  12. hundreds of executables by johnrpenner · · Score: 3, Insightful

    One hundred rounds does not constitute firepower.
    One hit constitutes firepower. (Gen. Merritt Edson, USMC)

  13. Re:Such as...? by gmuslera · · Score: 3, Insightful

    Since Internet Explorer's creation there has been a long, dangerous, ridiculous and at times even funny list of code execution vulnerabilities in Internet Explorer. How many times has Microsoft ordered users to shun Internet Explorer (or Outlook, or IIS, or MSSQL, to take a small example) because it had such a vulnerability being actively exploited?

    How many times has a long time passed before Microsoft acknowledged that there was a problem, and then even more time before fixing it?

    And, maybe more important... what are the odds of Microsoft making exactly that recommendation for IE if Internet Explorer or another of their major products is found tomorrow to have a similar or worse security problem?

    Of course, I'm not discussing here whether people should stop using Safari till that vulnerability is fixed, or at least be very aware of what could happen and how to deal with it.

  14. Re:doesn't work? by LuxFX · · Score: 4, Insightful

    Not a security bug? The downloaded files go directly to the desktop.

    So, what if a site triggers an automatic download of a file called "My Computer.exe" to an XP computer, using the typical My Computer icon. Will a casual user be able to tell the difference? One click will take them to My Computer, another might install a spam zombie. Now think of a user with 500 extra My Computer icons. Which do they choose?

    --
    Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
  15. Re:Wow. Just wow. by dotancohen · · Score: 3, Insightful

    If Apple won't fix it, why doesn't someone fork the project and produce a version that doesn't have the vulnerability?

    For the same reason that nobody's forked Windows. It is not open source.
    --
    It is dangerous to be right when the government is wrong.
  16. Re:pot/kettle by recoiledsnake · · Score: 3, Insightful

    One other thing that hit me immediately... MS: "Omigod they found a BUG in our competitor's web browser! Because we're very concerned for our users' security, we urge you to stop using that browser immediately! Users should NEVER use a buggy web browser! (unless it's explorer)"

    Safari has been sneaked into millions of computers by Apple disguised as an iTunes/Quicktime update. Guess who gets the blame for all the spyware and exploits that get loaded up on Windows by Safari. Hint: You see hundreds of highly moderated comments on Slashdot blaming said entity whenever there's an article about spyware/viruses/malware.
    --
    This space for rent.
  17. Re:What's good for the goose... by Quantumstate · · Score: 3, Insightful

    Just because the code cannot be executed directly hardly means it isn't a security problem. Basically you have a file downloaded to the users desktop without the users permission. I could create an executable called My Computer.exe with the my computer icon and that will be downloaded to the desktop without user consent. How is that not a security risk?
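
The "My Computer.exe" scenario from the two comments above, and menace3society's point that a fix has to cover .hta and .bat as well as .exe, as an added triage script (not Microsoft's, Apple's or any poster's code). It looks at a desktop or downloads listing the way a user with hidden extensions would see it: which entries Explorer would run on double-click, which of those carry no Zone.Identifier mark (so no warning would appear), and which would be displayed under a name that mimics a desktop item or a document. The extension list, the shell-item names and the sample listing are this example's own choices, constructed for the demonstration; scan_directory reads a real folder and only reads the stream on Windows.

```python
"""Desktop/downloads triage for the carpet-bomb follow-up risks. Added
example; the lists and names here are this example's own, not an
official Microsoft list."""
import os
import re
import sys

# Extensions Explorer runs directly on double-click (covering more than .exe).
RUNNABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".hta",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".msi", ".lnk",
}

# Display names a user would click without thinking when "hide extensions
# for known file types" is on and the file carries a borrowed icon.
SHELL_ITEM_NAMES = {
    "my computer", "my documents", "recycle bin", "internet explorer",
    "safari", "itunes", "firefox",
}

ZONE_ID_RE = re.compile(r"^ZoneId=(\d)\s*$", re.MULTILINE)
DOCUMENT_SUFFIX_RE = re.compile(r"\.[a-z]{2,4}$")


def read_zone_id(path):
    """ZoneId from <path>:Zone.Identifier, or None if unmarked/unreadable."""
    try:
        with open(path + ":Zone.Identifier", "r") as stream:
            match = ZONE_ID_RE.search(stream.read())
    except OSError:
        return None
    return int(match.group(1)) if match else None


def displayed_name(filename):
    """What Explorer shows with known extensions hidden: the last one is gone."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in RUNNABLE_EXTENSIONS else filename


def triage_entry(filename, zone_id):
    """Findings for one file; an empty list means nothing to worry about."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    if ext not in RUNNABLE_EXTENSIONS:
        return findings
    findings.append(f"runnable on double-click ({ext})")
    if zone_id is None:
        findings.append("no Zone.Identifier: Explorer will not warn before running")
    elif zone_id < 3:
        findings.append(f"ZoneId={zone_id} is a trusted zone: no warning before running")
    shown = displayed_name(filename)
    if shown.lower() in SHELL_ITEM_NAMES:
        findings.append(f'displayed as "{shown}", mimics a desktop item')
    elif DOCUMENT_SUFFIX_RE.search(shown.lower()):
        findings.append(f'displayed as "{shown}", looks like a document')
    return findings


def triage_listing(listing):
    """listing: iterable of (filename, zone_id). Returns {filename: findings}."""
    report = {}
    for filename, zone_id in listing:
        findings = triage_entry(filename, zone_id)
        if findings:
            report[filename] = findings
    return report


def scan_directory(directory):
    """Real-folder wrapper; zone ids only exist on Windows/NTFS."""
    entries = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            zone = read_zone_id(path) if sys.platform == "win32" else None
            entries.append((name, zone))
    return triage_listing(entries)


# Constructed sample standing in for a carpet-bombed desktop.
SAMPLE_LISTING = [
    ("My Computer.exe", None),           # borrowed icon, unmarked
    ("safari.cgi", None),                # Explorer does not run .cgi itself
    ("Firefox Setup 2.0.0.14.exe", 3),   # marked by a browser that writes MotW
    ("invoice.pdf.bat", None),           # shows as "invoice.pdf" with extensions hidden
    ("notes.txt", None),
    ("cleanup.hta", 1),                  # marked intranet: also no prompt
]

if __name__ == "__main__":
    for name, findings in triage_listing(SAMPLE_LISTING).items():
        print(name)
        for finding in findings:
            print("   -", finding)
```

Run against a real folder with scan_directory(os.path.expanduser("~/Desktop")); on anything but Windows every entry reports as unmarked, because there is no stream to read.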

  18. Re:first! by tubapro12 · · Score: 5, Insightful
    I've already started exploiting this!!

    <?php
    // Pick a response by User-Agent; Safari gets the joke payload.
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';

    if (strpos($ua, 'AppleWebKit') !== false) {
        /* Safari saves the redirect target straight to the desktop without asking */
        header("Location: http://mozilla.mirrors.tds.net/pub/mozilla.org/firefox/releases/2.0.0.14/win32/en-US/Firefox%20Setup%202.0.0.14.exe");
        exit;
    }

    if (strpos($ua, 'MSIE') !== false) {
        header("Location: http://getfirefox.com/");
        exit;
    }

    echo "For all the user agent checks I'm willing to run, you're using Firefox!";
    ?>
  19. Re:Fanboyism in your post is more annoying. by recoiledsnake · · Score: 3, Insightful

    Sure, it's a really good sandbox... not really. If you have an exploitable plugin installed you're still fucked.

    Most plugins run inside the sandbox. Flash apparently does not, which is surely lame. But security is all about layers. The sandbox is one more layer that the attacker has to bypass. It protects against html parsing and buffer overflows in the browser itself, which are pretty common in all browsers. Only IE on Vista has this layer protecting users at this point. Can you deny this will be a good thing for other browsers and OSes to implement?
    --
    This space for rent.