Slashdot Mirror
Microsoft Urges Windows Users To Shun Safari
benjymouse writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to 'restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.' This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Essentially, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem." Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you.
"Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you."
With hundreds of files on your desktop, what are the odds you'd hit one when you are just blanking out a selection, or deleting them, or frustratingly smack your mouse for [whatever reason]
The irony level in this situation is simply astounding. Secondary attack can cause execution of said downloaded binaries? What about all that malicious content that Internet Exploiter happily executes for the user with nary a warning or confirmation?
Time for bed.
Talk about the stove calling the kettle black.
Finally, something I we can agree on.
ok I'm the curious type so I made a test on my server, with the provided example.
Since Safari does not know how to render content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served.
Not for me? Safari 3.0.4 running on Mac OS X 10.5.2 renders a web page of numerous blank empty boxes. Nothing was placed in any local folder. Is anyone else able to duplicate this?
I work for the Department of Redundancy Department.
Wow. Have to admit I'm on Microsoft's side here. Let's see:
It's not just the vulnerability that hurts, but the compund bullshit caused by Apple's -- rather arrogant -- actions. This reads like something Microsoft would do!
Also, vulnerabilities in Apple software (and this bug affects both Windows and Mac), make all *nix stuff look bad: watch MS shills roll out the 'Microsoft software is only vulnerable because hackers target it' FUD in short order.
Posting as AC due to Apple fanboy-mods. Modding this down doesn't stop it being the truth.
A list of actual drive-by vulnerabilities in current Internet Explorer (name-calling went out of vogue when you reached the age of 15, man. You are at least 15, right?) that allow for code execution on the client to substantiate your claim, please.*
Now if you want to point fingers, visit that Dhanjani link and read about the vulnerability he's not disclosing, as a courtesy to Apple; "The third issue I reported to Apple is a high risk vulnerability in Safari that can be used to remotely steal local files from the user's file system [...] it is a high risk issue affecting Safari on OSX and Windows". There hasn't been an update to that in the past 2 weeks, implying that it has not yet been fixed.
The Slashdot headline is pure flamebait and you took it.
Nice way to spin a Safari flaw.
That guy appears to be the one who discovered the vulnerabilities and reported them to Apple.
Do you really think Slashdot shouldn't link to primary sources?
-Esme
Hi all I'm in the uncomfortable position of agreeing with Microsoft on this issue. If a browser (any browser) allows a website to randomly download files without the user's explicit permission, regardless of the location, it is a security issue in my opinion. Having said that, I take issue with Microsoft's security advisory. The only thing they say is: "What causes this threat? A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a userâ(TM)s machine without prompting, allowing them to be executed." OK, but how about telling us the how or why? Since it is a direct contributor which causes the blended threat, I don't think it's asking too much to want to know exactly "how the Windows desktop handles executables" and how that contributes to the threat. http://www.evden-eve-nakliyat.name.tr/
That may be so, but even then Apple probably would have been wiser to choose a folder other than the desktop. Its just too easy to accidentally click a file on the desktop, or for some less computer literate user to see a .exe on their desktop and click it, wondering what it is.
You'll notice that on the latest installment of OS X, safari downloads to a Downloads folder, not the desktop.
Supposedly it does this on OS X as well, but the a comment above says it's not doing it, but that as an aside..
If it -does- do this on OS X, then it is called a convenience?
What is the convenience in having a folder automatically stuffed with files, downloaded without your say-so, exactly? Regardless of whether they can then be arbitrarily executed by a second program, or whether the user can execute them without a warning dialog popping up or not, etc. What, in your opinion, is convenient about it?
I find alt+click in Firefox convenient to download a file that I want without clicking on it and then going through the download dialog. I find it even more convenient that Firefox -asks- me if I want to download a given file if some crazy redirect page pointed me to one; gives me the opportunity to say "Hell no!" before the file even ends up on my drive.
But our opinions on convenience may differ.
This is a reasonable warning that would be applied as is to any other app. Apple leaving this unpatched is feeding fuel to fire, that started with Quicktime vulnerabilities and the sudden uptick of Mac vulnerabilities over the last few years, that Apple is no more serious or maybe capable about security than any other company.
/LabMonkey09
Well, let's see:
Oh, I see. So, the auto-download feature doesn't "properly" tag them like IE7 does, so users might accidentally execute a program without being first informed it was downloaded? Gosh. Sounds less like a security vulnerability than MS blowing smoke.
But, wait:
Oh, well now it's sounding more like it'll be downloaded *and* executed automatically. Of course, if that's the case, half the "security vulnerability" is in Window's automatically executing things. If not, MS is simply lying..unless they have proof that Safari is the one causing said automatic execution.
However you spin it, Safari allowing carpet bombing is an annoying feature (much like pop-unders are an annoying feature). But it's not a security vulnerability. Labeling it as such is bullshit.
Does that mean you should use Safari regardless? Personally, I'd say no. Carpet bombing is too annoying of a feature to tolerate. But, then, I'd imagine Windows has too many annoying features for a lot of Mac users. It'd be just as asinine for Apple to issue a security advisory to shun Windows.
Eurohacker European paranoia, gun rights, and h
One hundred rounds does not constitute firepower.
One hit contitutes firepower. (Gen. Merritt Edson, USMC)
If a browser (any browser) allows a website to randomly download files without the user's explicit permission, regardless of the location, it is a security issue in my opinion.
It's a minor issue compared to a number of others that ALL browsers on Windows have. If Microsoft is serious about security then they need to:
1. Immediately transition away from ActiveX, with as short a timeframe as possible.
2. Replace ShellExecute() with something similar to UNIX's exec(). They already HAVE the code, in the POSIX subsystem.
3. Eliminate "security zones" as a security model - there must be no circumstance in which the location of an object named in a web page automatically grants it privileges.
4. Provide an alternate API for browsers to use to find and run helper applications that is not based on the desktop helper application bindings.
All four of these are far bigger problems than having files downloaded without a prompt. Not only do they all provide paths to direct execution of untrusted code without user interaction, but they have all BEEN used for that purpose hundreds of times over the past decade.
I am not sure it's possible to implement a really secure browser on Windows without completely bypassing all of Microsoft's recommended APIs.
Why does MS and Apple put huge amounts of money into developing browsers when Firefox exists? IE and Safari generate zero revenue for the company since they give the software away, so it can't look too good on the balance sheet.
I can only think that it's some kind of NIH syndrome, or content-control-freakery, or that if they suddenly stopped making a browser and said 'oh flip it, Firefox wins' that confidence in the corporation (and hence share price) would nose dive.
Any other ideas?
You can tell Safari to put downloaded files where ever you want.
So they don't have to be on the desktop
But Safari places them on the desktop by default. This is the key problem, and in fact a good number of security vulnerabilities woudn't be an issue if it weren't for the fact that the majority of users stick with the default settings.
And you can't make the argument that the only people downloading Safari are power users anymore - if you have an iPod, odds are that Apple Update has pushed Safari to your machine.
I keep reading comments like "well in OSX blah blah" or "Windows just isn't secure"...ok that's informative, but it's really beside the point. I'm willing to bet that Apple is not addressing this fix because it's good PR to the uninformed. If the user perceives that it's Windows' fault then they might well go all Mac since they are already using Safari...Anyhow, I think that along with the PR bit, Apple doesn't want to admit that there is a huge gaping hole in their web browser, which raises a question...is Apple ready for a bigger market share? Microsoft may have security holes, but you can almost bet they will be patched in a timely matter. With Apple, from my experiences, it takes quite a while for updates to hit the servers. I don't really see this as controversial at all, Apple needs to patch their product, Microsoft has an obligation to protect their users...I would expect Apple to do the same with IE if Microsoft out right REFUSED to patch it. I know there is a lot of Microsoft hate here on Slashdot...but this is pretty obvious in that it's Apple being the "bad guy" here.
Feel free to start listing them now. I'll let you know how many of them still work.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
It certainly opens the possibility for some "fun" denial of service attacks. How many files do you need on your desktop before explorer.exe croaks? I presume the number is well under 100,000?
________
Entranced by anime since late summer 2001 and loving it ^_^
This space for rent.
From the linked article "Apple does not feel this is a issue they want to tackle at this time. In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system. Apple agreed it was a good suggestion: ...the ability to have a preference to "Ask me before downloading anything" is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.
[credit to BK have-it-your-way Rios for suggesting the term "Carpet Bomb" to describe this issue]."
This space for rent.
This space for rent.
Teacher, may I go to the bathroom?
What if Apple's security team had said no?
[Fuck Beta]
o0t!
This space for rent.
It can really be a serious vulnerability, most default windows setups hide the .exe of executable filenames, with this I could easily place a bogus "My computer" icon that executes my favorite rootkit.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
"Apple generally believes that the goal of the algorithm should be to preserve the design of the typeface as much as possible, even at the cost of a little bit of blurriness.
Microsoft generally believes that the shape of each letter should be hammered into pixel boundaries to prevent blur and improve readability, even at the cost of not being true to the typeface."
http://technicalconclusions.wordpress.com/2007/08/23/subpixel-rendering/
I guarantee you someone at Microsoft had to bake cupcakes when they found out they could justifiably classify an Apple product as a security risk.
Safari is a viable alternative, at least according to most all of the reviews of it, such as Arstechnica. Personally, I prefer Firefox on Windows, but I do miss some of the nice features that Safari has, but others have not caught up on. For example, I just resized the text box I'm typing this in to be large enough so I don't have to scroll. I regularly miss that when I'm on Windows or Linux.
When a download starts in Safari the 'Downloads' window appears. If you want to prevent a download all you have to do is click. This would be impractical with a hundred downloads, but so would a hundred prompts. Likewise, approving downloads one at a time isnâ(TM)t ideal when you want to download a lot of files. Iâ(TM)d like to see Apple add a delay before the download starts to give users more time to respond. A cancel/prevent all button would also be fun. In the end all Apple really needs to do is change the default download location and this problem becomes a non-issue. Microsofts claims seem to center around the fact that the files end up on the desktop. All in all I think this is rather ridiculous in the light that the user is made well aware of the downloads and can easily stop them. This certainly wont stop me from using Safari or Webkit in general on Windows. On a side-note, there are a number of download managers that take over from Safaris âDownloadsâ(TM) window on OSX. Itâ(TM)s not unreasonable to think this could prevent mass downloads.
If I'm downloading stuff to my Desktop then there is no security problem. Now, uploads are a different matter. Is that what is supposed to be meant here? Me thinks "downloads" doesn't mean what they think it means.
this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
Considering that link says that it's security flaws that have already been fixed that are being targeted, I don't see how that fits what I was asking you for.
As such, Twitter, I'm still waiting. Have to say, kudos for having the balls to reply to me with the username that you copied from mine. I like how you post at -1 with it - that plan really backfired for you, huh?
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
I know some may be embarrassed that I am revealing this crippling exploit, but I just think that it cannot be covered up any longer. I was astonished to discover, after running many, many tests in my parents' basem...secret lab... that all browsers have this horrible bug. Clicking on any link will cause dozens of files to be downloaded automatically!!! That's right: any link you visit on the Web actually causes a complete download of its content to your computer! Think of the unwitting copyright violations! Think of the children! What's worse, these files are not in an obvious location such as your desktop. No, they are stashed away in such cryptic locations as "~/.mozilla/firefox/znf60w9b.default/Cache" .mozilla - is doubly insidious. Any file beginning with '.' is HIDDEN from view, you don't even need to set an extended attribute on it, most utilities are actually TRAINED to hide these files. Many of them have the ability to control all of your softwares! Secondly, 'mozilla' must be a reference to some sort of ancient mythical beast. Perhaps the virus writers are religious and do not wish to invoke the name of G-d, so instead they call him by the epithet "Moz."
Let's analyze these components one by one.
The tilde ~ is an unusual character - many people do not even know its name, so it is difficult for tech support to help you with this over the phone!
The next part -
The next component is obviously gibberish with a seemingly innocent '.default' tacked on for respectability!
And then "Cache" - what is this? Some mispelling of the word "cash?" As in, they want our money as ransom to fix these crippling bugs?
Nay, I say, we must rise up! Rebel against these secretive 'hackers' before they can control our desktop!