Slashdot Mirror


Microsoft Urges Windows Users To Shun Safari

benjymouse writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to 'restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.' This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Essentially, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem." Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you.

10 of 502 comments

  1. Wow. Just wow. by yanyan · · Score: 3, Interesting

    The irony level in this situation is simply astounding. Secondary attack can cause execution of said downloaded binaries? What about all that malicious content that Internet Exploiter happily executes for the user with nary a warning or confirmation?

    1. Re:Wow. Just wow. by TheRaven64 · · Score: 3, Interesting

      WebKit is LGPL, not GPL. If it were GPL'd, it would not be possible for Safari to be proprietary. You can run Safari with your own version of WebKit relatively easily (and the LGPL requires Apple to allow this), but I don't think the changes you would need to fix this are in the WebKit layer. It's been a while since I looked at the WebKit code, but I seem to recall that it would be possible by wrapping one of the delegates, but that would be a very ugly hack.

      --
      I am TheRaven on Soylent News
  2. doesn't work? by v1 · · Score: 3, Interesting

    OK, I'm the curious type, so I made a test on my server with the provided example.

    Since Safari does not know how to render content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served.

    Not for me? Safari 3.0.4 running on Mac OS X 10.5.2 renders a web page of numerous blank empty boxes. Nothing was placed in any local folder. Is anyone else able to duplicate this?

    --
    I work for the Department of Redundancy Department.
    1. Re:doesn't work? by TheRaven64 · · Score: 3, Interesting

      I didn't try this specific code, but Safari does have an irritating habit of randomly downloading things instead of displaying them. I have a load of .php files in my downloads directory because I've clicked on things in online svn browsers and it's decided it can't render them. It's not a huge vulnerability, but it is an irritation which could be easily fixed and it's frustrating that they don't.

      I really don't understand why Safari on OS X runs with so many privileges. OS X has a fine-grained access control mechanism in the kernel as of 10.5 and I would really like to see Safari configured so it can't write anywhere except your downloads and preferences directories and can't read anywhere other than your preferences by default.

      --
      I am TheRaven on Soylent News
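      As an added illustration (not from the commenter or from Apple) of the least-privilege setup described above, here is a Mac OS X 10.5 Seatbelt sandbox profile for sandbox-exec that confines a browser to writing only its downloads and preferences directories. The bundle path, directory names and launch command are assumptions; a real Safari 3 would need further allow rules (caches, fonts, Mach services) before it would even launch.

```scheme
;; Added example, not Apple's or the commenter's code: a Seatbelt (Mac OS X 10.5)
;; profile sketching the policy from the comment above. Assumed launch command:
;;   sandbox-exec -D HOME="$HOME" -f browser.sb /Applications/Browser.app/Contents/MacOS/Browser
;; The bundle path and directory names are assumptions; a real Safari 3 needs more rules.
(version 1)

;; Least privilege: anything not explicitly allowed below is denied.
(deny default)

;; Log denials to the system log so missing rules show up instead of failing silently.
(debug deny)

;; Read-only access to system frameworks and shared libraries so the process can start.
(allow file-read*
       (subpath "/System")
       (subpath "/usr/lib")
       (subpath "/usr/share"))

;; The application bundle itself must be readable and executable (assumed path).
(allow process-exec
       (subpath "/Applications/Browser.app"))
(allow file-read*
       (subpath "/Applications/Browser.app"))

;; The only user data readable by default: the browser's own preferences.
(allow file-read*
       (subpath (string-append (param "HOME") "/Library/Preferences")))

;; The only user-writable locations: the downloads folder and preferences.
;; Everything else under $HOME, the Desktop included, stays write-protected,
;; so an unsolicited download cannot land anywhere except ~/Downloads.
(allow file-write*
       (subpath (string-append (param "HOME") "/Downloads"))
       (subpath (string-append (param "HOME") "/Library/Preferences")))

;; A browser still needs outbound network access.
(allow network-outbound)
```

Denied operations appear in system.log while (debug deny) is active, which is how the missing rules for a real application would be found during testing.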
    2. Re:doesn't work? by nine-times · · Score: 3, Interesting

      That's all this is about? Safari downloads some things instead of displaying them? Is that even a security bug?

      If my browser doesn't know how to display it, I think I'd rather it didn't try. Trying seems like it might be even more dangerous. Am I wrong?

  3. Slightly OT: why corps bother with browsers? by Bazman · · Score: 3, Interesting

    Why do MS and Apple put huge amounts of money into developing browsers when Firefox exists? IE and Safari generate zero revenue for the company since they give the software away, so it can't look too good on the balance sheet.

    I can only think that it's some kind of NIH syndrome, or content-control-freakery, or that if they suddenly stopped making a browser and said 'oh flip it, Firefox wins' that confidence in the corporation (and hence share price) would nose dive.

    Any other ideas?

  4. Re:1, 2, 3 ... SHUN! by Spy+der+Mann · · Score: 4, Interesting

    This reads like something Microsoft would do!

    And that's no wonder. Steve Jobs and Bill Gates were cut with the same scissors. Back in the 80's, while Billy kept stealing whatever idea he stumbled upon, Steve Jobs only thought of becoming more powerful and promoting a competitive environment inside Apple, even if that destroyed the morale of his employees.

    Please do yourselves a favor and watch Pirates of Silicon Valley. It's an enlightening movie. And yes, Steve did even worse things, but they're too shocking to be mentioned in public.
  5. Re:Accidents. by Anonymous Coward · · Score: 4, Interesting

    It doesn't take hundreds of files. It takes one file.

    According to Nate McFeters, Microsoft has a working "one click and the bad guy gets code running on your machine" exploit.

  6. Re:Accidents. by Znork · · Score: 4, Interesting

    Why even bother with executing them? I can imagine a whole host of marketing people thinking this is a great way to obtain prime advertisement real-estate.

    Getting an icon on a user's desktop is something some companies pay a lot of money for. In fact, the ability to spam any download folder is probably something they regard as worthwhile.

  7. Re:Blurry eyes! by Yvan256 · · Score: 4, Interesting

    "Apple generally believes that the goal of the algorithm should be to preserve the design of the typeface as much as possible, even at the cost of a little bit of blurriness.

    Microsoft generally believes that the shape of each letter should be hammered into pixel boundaries to prevent blur and improve readability, even at the cost of not being true to the typeface."

    http://technicalconclusions.wordpress.com/2007/08/23/subpixel-rendering/