Microsoft Urges Windows Users To Shun Safari
benjymouse writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to 'restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.' This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Essentially, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem." Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you.
The irony level in this situation is simply astounding. Secondary attack can cause execution of said downloaded binaries? What about all that malicious content that Internet Exploiter happily executes for the user with nary a warning or confirmation?
OK, I'm the curious type, so I made a test on my server with the provided example.
Since Safari does not know how to render content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served.
Not for me? Safari 3.0.4 running on Mac OS X 10.5.2 renders a web page of numerous blank empty boxes. Nothing was placed in any local folder. Is anyone else able to duplicate this?
I work for the Department of Redundancy Department.
This is a reasonable warning that would be applied as is to any other app. Apple leaving this unpatched is adding fuel to the fire that started with QuickTime vulnerabilities and the sudden uptick of Mac vulnerabilities over the last few years: that Apple is no more serious about, or maybe capable of, security than any other company.
/LabMonkey09
Why do MS and Apple put huge amounts of money into developing browsers when Firefox exists? IE and Safari generate zero revenue for the company since they give the software away, so it can't look too good on the balance sheet.
I can only think that it's some kind of NIH syndrome, or content-control-freakery, or that if they suddenly stopped making a browser and said 'oh flip it, Firefox wins' that confidence in the corporation (and hence share price) would nose dive.
Any other ideas?
And that's no wonder. Steve Jobs and Bill Gates were cut with the same scissors. Back in the 80's, while Billy kept stealing whatever idea he stumbled upon, Steve Jobs only thought of becoming more powerful and promoting a competitive environment inside Apple, even if that destroyed the morale of his employees.
Please do yourselves a favor and watch Pirates of Silicon Valley. It's an enlightening movie. And yes, Steve did even worse things, but they're too shocking to be mentioned in public.
It doesn't take hundreds of files. It takes one file.
According to Nate McFeters, Microsoft has a working "one click and the bad guy gets code running on your machine" exploit.
You are sooo right. This kind of stuff, along with recent experiences with iTunes, pushes me firmly into the FOSS camp. Users are finally getting some respect there, the "users are lusers" attitude is becoming increasingly relegated to the sidelines, and the changing world many of us anticipated 10 years ago is upon us.
Why even bother with executing them? I can imagine a whole host of marketing people thinking this is a great way to obtain prime advertisement real-estate.
Getting an icon on a user's desktop is something some companies pay a lot of money for. In fact, the ability to spam any download folder is probably something they regard as worthwhile.
Why should Microsoft transition away from ActiveX? How is ActiveX any more vulnerable than (say) XPCom or the plugin model that every single browser supports? The only thing I can think of is that lots of vendors write ActiveX controls while relatively few write plugins for other browsers. But you CAN write secure ActiveX controls.
ShellExecute is similar to exec(). In this case, exec() would be just as likely to have a problem, since most users have . on their path (if your desktop is the current directory and you have . on your path then an application that calls exec() will execute programs on the desktop).
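The point above is about lookup order: if `.` (or an empty entry) appears in PATH, an `exec()`-style search checks the current directory before the system directories, so a file dropped into a download folder can shadow a real command. The following is an added illustration, not code from the thread; it constructs a throwaway "desktop" directory with a harmless shell script, then shows which file a name resolves to with and without `.` in PATH.

```python
import os
import tempfile
from pathlib import Path


def risky_path_entries(path_value):
    """Return the PATH entries that resolve relative to the current directory.

    Both '.' and an empty entry (e.g. a trailing ':') mean 'look in cwd first'.
    """
    return [e for e in path_value.split(os.pathsep) if e in ("", ".")]


def resolve_command(name, path_value, cwd):
    """Mimic an exec()-style PATH search: the first entry holding an executable
    file called `name` wins. Returns the resolved path, or None if nothing matches."""
    for entry in path_value.split(os.pathsep):
        base = Path(cwd) if entry in ("", ".") else Path(entry)
        if not base.is_absolute():
            base = Path(cwd) / base
        candidate = base / name
        if candidate.is_file() and os.access(candidate, os.X_OK):
            return str(candidate)
    return None


def demo():
    """Constructed scenario: a temp directory stands in for the desktop and holds a
    harmless script named like a command ('notepad' is just a placeholder name)."""
    with tempfile.TemporaryDirectory() as desktop:
        dropped = Path(desktop) / "notepad"
        dropped.write_text("#!/bin/sh\necho 'this came from the desktop'\n")
        dropped.chmod(0o755)
        unsafe_path = os.pathsep.join([".", "/usr/bin", "/bin"])  # '.' first: cwd wins
        safe_path = os.pathsep.join(["/usr/bin", "/bin"])         # no cwd entry
        return {
            "risky_entries": risky_path_entries(unsafe_path),
            "unsafe_resolves_to_dropped": resolve_command("notepad", unsafe_path, desktop) == str(dropped),
            "safe_resolves_to_dropped": resolve_command("notepad", safe_path, desktop) == str(dropped),
        }


if __name__ == "__main__":
    print(demo())
```

The same check applies to a real shell: a PATH with `.` or an empty component is the setting to fix, since the dropped file is only reachable through that entry.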
"Apple generally believes that the goal of the algorithm should be to preserve the design of the typeface as much as possible, even at the cost of a little bit of blurriness.
Microsoft generally believes that the shape of each letter should be hammered into pixel boundaries to prevent blur and improve readability, even at the cost of not being true to the typeface."
http://technicalconclusions.wordpress.com/2007/08/23/subpixel-rendering/
Considering that link says that it's security flaws that have already been fixed that are being targeted, I don't see how that fits what I was asking you for.
As such, Twitter, I'm still waiting. Have to say, kudos for having the balls to reply to me with the username that you copied from mine. I like how you post at -1 with it - that plan really backfired for you, huh?
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
MS copied a good concept from OS X Tiger+ (it has its own stupid security story), and I noticed XP SP3 asks "Are you sure you want to run this file downloaded from the internet" or something when you try to run a .exe file.
.exe files even while the Mac was PowerPC and the only way of running .exe programs was running them from MS Virtual PC (and a couple of other emulators). I guess it even analyses the header of the file and asks if the user wants to download it after it hits 5-7%.
The problem is, a person who doesn't have enough security sense not to run an unknown file to "see" what it is will likely say "yes" to that question. When you want to figure out a file, you double click. Hope they've got good AV installed.
Ironically it is Safari which bugs OS X users about downloaded
Apple should hire experienced Windows-only developers who can easily predict the potentially huge danger of this issue. Its potential can only be seen by an experienced Windows developer, especially one who lived through the 2001-2003 spyware nightmare.
Oh, the wannabe Mac "Hide file extensions of known file types"? Been annoying me since Windows 95. With the security vulnerabilities this represents, you would have thought M$ would have changed the default by now?
"Be grateful for what you have. You may never know when you may lose it."