Slashdot Mirror


Safari "Carpet Bomb" Attack Code Released

snydeq writes "A hacker has posted attack code that exploits critical flaws in the Safari and Internet Explorer Web browsers. The source code can be used to run unauthorized software on a victim's machine, and could be used by criminals in Web-based computer attacks, security experts say. The public example of the attack code allows attackers to litter a victim's desktop with executable files, an attack known as 'carpet bombing.' In combination with bugs in Windows and Internet Explorer, attackers can run unauthorized software on a victim's computer."


  1. Re:Secure from the ground up! by spud603 · · Score: 5, Informative

    RTFA. Actually, it looks like this is a Windows problem. Safari automatically downloads a file to the desktop. Then when you start Internet Explorer it runs the file on your desktop and there is the problem.
    So the real issue is that Safari can be told to automatically download a file while Internet Explorer will automatically run a malicious DLL from the desktop. Actual post and proof-of-concept code here.
    Seems like a misleading summary to me.

  2. Wrong section, eds! by himself · · Score: 4, Informative

    This is a _Windows_ Safari problem, not an _OS X_ Safari problem. And yes I RTFBlogPost.

    1. Re:Wrong section, eds! by Qwerpafw · · Score: 4, Informative

      It's a Windows Internet Explorer problem, not a Mac OS X Safari problem.

      The "bug" is that Safari has the user's desktop as the default download directory, and will automatically download files if you go to some websites. This is normal and fine behavior. The problem is that Internet Explorer loads files from the desktop on launch, which means if you craft a malicious library and put it on the desktop Internet Explorer will happily load it.

      Microsoft should fix IE to avoid loading files from the Desktop.

    2. Re:Wrong section, eds! by Chas · · Score: 4, Informative

      No. It's a problem with Windows Internet Explorer that's exacerbated by a problem with Windows Safari.

      Safari should NOT be auto-dumping files onto the Windows desktop. PERIOD.

      There's enough blame to go around everywhere.

      --


      Chas - The one, the only.
      THANK GOD!!!
    3. Re:Wrong section, eds! by gerardrj · · Score: 2, Informative

      Marking the file safe or unsafe will likely not fix the issue. You aren't launching the DLL and IE isn't "opening it" like it would a bookmark or web archive or .jpg. It's including the DLL's code into the execution environment of the parent process (IE) and thus bypassing any unsafe filesystem flag.

      Then again, maybe I'm wrong. If you download and install a printer driver, are you warned the driver is unsafe the first time you try to print?

      --
      Article X: The powers not delegated... by the Constitution...are reserved...to the people
    4. Re:Wrong section, eds! by ClassMyAss · · Score: 3, Informative

      Safari should NOT be auto-dumping files onto the Windows desktop. PERIOD.
      Totally agreed. I'd go further - no website should be able to trigger any action on my computer that persists after I close the damn browser window without my explicit permission, apart from saving cookies and leaving an entry in my history log (even then, only if I've enabled both of these things).

      That said, IE is worse here - downloading files without my permission is bad form, but a pre-installed system app loading DLLs from any old place that it finds them, especially one of the most common places to dump downloaded files, is just idiotic.

      Shame on all.
  3. Quick Workaround... by Manip · · Score: 4, Informative

    Here are two very quick temp' workarounds for the issue.

    1) Launch IE from a location other than your desktop (e.g. Start Menu, Quick Launch Tray).

    2) Go to Program Files\Internet Explorer, Create Shortcut, and then place that shortcut on your desktop. Make sure the "Start In" setting is set to any location other than your Desktop.

    1. Re:Quick Workaround... by Fast+Thick+Pants · · Score: 2, Informative

      Red herring. It's got nothing to do with "Active Desktop". It's just the way Windows executables typically look for .dll files -- starting with the current directory and then each path listed in the PATH environment var.

      In this case the shortcut to IE is launching the program with the user's desktop as current directory. First of all, it shouldn't -- probably it should be one level up from there, in the user's home directory. Second, MS might want to rethink the way they hunt for .dll files for system-installed apps. Loading them from a user-writable directory is probably a bad idea. Loading them from a location that tends to fill up with random shit is *definitely* a bad idea.

      That said, Apple should take initiative here and change the default download directory, especially after the way they hard-sold the Safari installation to so many people to begin with.
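
An added example, not part of any comment in this thread and not code from the linked proof of concept: a small Python model of the documented Windows search order for a DLL requested by bare name, showing which lookups land in a user-writable directory depending on the shortcut's "Start In" directory. It goes slightly beyond the comment above by modelling both the legacy order and SafeDllSearchMode. The DLL names, user profile and directory listing are constructed, and KnownDLLs and manifest redirection are ignored.

```python
from typing import Dict, List, Optional, Set

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
APP_DIR = r"C:\Program Files\Internet Explorer"
DESKTOP = r"C:\Users\alice\Desktop"   # constructed user profile
HOME = r"C:\Users\alice"

# Constructed directory listing; both DLL names are hypothetical placeholders.
SAMPLE_FS: Dict[str, Set[str]] = {
    APP_DIR: {"iexplore.exe"},
    SYSTEM_DIRS[0]: {"shared.dll"},
    DESKTOP: {"shared.dll", "optional.dll"},  # dropped by an automatic download
    HOME: set(),
}
USER_WRITABLE = {DESKTOP, HOME}


def search_order(cwd: str, path_dirs: List[str], safe_mode: bool = True,
                 include_cwd: bool = True) -> List[str]:
    """Directories probed, in order, for a DLL requested by bare name."""
    cwd_part = [cwd] if include_cwd else []   # False models SetDllDirectory("")
    if safe_mode:   # SafeDllSearchMode on: current directory after system dirs
        order = [APP_DIR] + SYSTEM_DIRS + cwd_part
    else:           # legacy order: current directory right after the app dir
        order = [APP_DIR] + cwd_part + SYSTEM_DIRS
    return order + list(path_dirs)


def resolve(dll: str, order: List[str], fs: Dict[str, Set[str]]) -> Optional[str]:
    """First directory in the search order that holds the DLL, or None."""
    return next((d for d in order if dll.lower() in fs.get(d, set())), None)


def audit(dlls: List[str], cwd: str, fs: Dict[str, Set[str]] = SAMPLE_FS,
          **mode) -> Dict[str, str]:
    """Map each DLL that would load from a user-writable directory to it."""
    order = search_order(cwd, path_dirs=[], **mode)
    hits = {dll: resolve(dll, order, fs) for dll in dlls}
    return {dll: d for dll, d in hits.items() if d in USER_WRITABLE}


if __name__ == "__main__":
    names = ["shared.dll", "optional.dll"]
    for label, cwd, mode in [("legacy, Start In = Desktop", DESKTOP, {"safe_mode": False}),
                             ("safe mode, Start In = Desktop", DESKTOP, {}),
                             ("safe mode, Start In = home", HOME, {}),
                             ("cwd removed from search", DESKTOP, {"include_cwd": False})]:
        print(f"{label}: {audit(names, cwd, **mode)}")
```

In this model SafeDllSearchMode only protects DLLs that exist in a system directory; a DLL missing from the application and system directories still resolves from the current directory, so the finding disappears only when "Start In" points elsewhere or the current directory is removed from the search.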

  4. Re:Secure from the ground up! by Colonel+Korn · · Score: 3, Informative

    RTFA. Actually, it looks like this is a Windows problem. Safari automatically downloads a file to the desktop. Then when you start Internet Explorer it runs the file on your desktop and there is the problem.
    So the real issue is that Safari can be told to automatically download a file while Internet Explorer will automatically run a malicious DLL from the desktop. Actual post and proof-of-concept code here.
    Seems like a misleading summary to me.

    IE won't run anything "automatically." It sounds like the problem is that Safari both autodownloads to the desktop and then tells IE to open that file on its next load.
    --
    "I zero-index my hamsters" - Willtor (147206)
  5. Re:Secure from the ground up! by bluelip · · Score: 3, Informative

    IE will load its DLLs automatically. If the current PATH contains the DLL, IE will use that version instead of the system version.

    --

    Yep, I never spell check.
    More incorrect spellings can be found he
  6. Re:Secure from the ground up! by spud603 · · Score: 4, Informative
    from TFA:

    The problem originated from an error that Windows Internet Explorer will load some program library files(DLL) from user's Desktop instead of its own library file folder(usually C:\WINDOWS\SYSTEM32). Apple's Safari for Windows downloads and saves requested file to user's Desktop by default - this default behavior itself does not constitute a mistake.
    The 'workarounds' suggested by MS include "Change the download location of content in Safari to a newly created directory". I don't actually know what's going on with this, but it seems like it's IE opening an improperly-named (or maybe there's some bad meta-data that comes along with it?) file from the desktop, no matter how it got there.
  7. Re:Secure from the ground up! by Richard_at_work · · Score: 5, Informative

    Read Slashdot: Microsoft Urges Windows Users To Shun Safari - it explains what happens in more detail.

    Basically, on Windows Safari automatically downloads files, in imitation of its behavior on OSX, but whereas on OSX it downloads them to a nice ~/Downloads directory on Windows it downloads them to the desktop. Also, on OSX Safari tags the downloaded file as 'unsafe', but it fails to use the Windows functionality to do the same on Windows. This leaves a whole load of files that you never asked for or wanted lying around on your computer in a state that is one step away from being executed.

    This 'attack' allows a malicious person to force Safari to dump thousands of files on your desktop, which in and of itself is not a nice thing, but when coupled with other exploits it can lead to code execution of these files you never wanted in the first place - whether those exploits are patched by the vendor (Microsoft) or not, we both know that a significant portion of desktops are not kept fully up-to-date with security releases.

  8. Re:Best Solution by Skye16 · · Score: 2, Informative

    I'm sorry, but allowing a malicious website to provide hundreds or thousands of executables on my desktop is *still* an Apple bug. What's worse, it's the root cause. Yes, Windows and IE have a flaw that allows that file to be executed, but it wouldn't be there in the first place - especially in such quantity - if the flaw in Safari didn't exist first.

    As you say, the article is your friend.

    "The Safari bug, originally disclosed on May 15 by security researcher Nitesh Dhanjani, allows attackers to litter a victim's desktop with executable files, an attack known as "carpet bombing.""

  9. Re:Secure from the ground up! by Jabrwock · · Score: 2, Informative

    Yes, the "Downloads" folder was introduced in 10.5.

    --
    Magic doesn't work in my presence. My power of disbelief is too strong.
  10. Re:Dear Apple, Please stop sucking by Anonymous Coward · · Score: 2, Informative

    First, read the article.

    Second, this is about a Windows flaw that Safari has not addressed (rather Apple) in its current iteration. Apple's browser can be considered a "patsy" in this... and MS is trying to pass the buck (so to speak.)

    Third, the "open safe files after downloading" is old news. Get a new schtick. ;)

    And Fourth, grow up. This isn't about Apple's security, it's about Microsoft's... and Apple's inability to prevent "stupid is as stupid does" on a Windows machine. They're good... just not miracle workers. ;)

  11. Re:Secure from the ground up! by FatMacDaddy · · Score: 3, Informative
    You know, this is pretty clearly explained in the article. To quote: "Microsoft's advisory says that the vulnerability has to do with the way Windows handles desktop executables and recommends that Windows users "restrict use of Safari as a Web browser until an appropriate update is available from Microsoft and/or Apple."

    So yes, IE is in fact autoloading executables from the desktop. It's Safari's vulnerability to carpet bombing that sets the stage, but it's IE and Windows that cause the big boom.

    --
    This space intentionally left blank.
  12. There is one by Titoxd · · Score: 3, Informative

    If Windows has an "unsafe" flag for files, it should be used by Safari. Windows has it. It's the Attachment Execution Service, located in the Alternate Data Streams in NTFS.
  13. Re:This is a longstanding Windows flaw. by Sloppy · · Score: 2, Informative

    you could have Safari download an executable to the desktop that pretends to be e.g. Internet Explorer. If they normally launch IE from the desktop, they could click the fake IE next time, running arbitrary code.

    I'd call that a fundamental flaw with the Windows environment itself. It sounds like this "desktop" thing is used as both a temporary scratchpad for miscellaneous data from arbitrary untrusted sources, and as a repository for locally trusted executables. Someone at Microsoft needs to get it straight in their head, and figure out just what this "desktop" thing is for.

    When I think of my experience with Unix-type systems, I don't think it has ever occurred to me to put PATH=/tmp in my .bashrc. I think I have done dumb things like PATH=. back in the 1980s when I was young and foolish and didn't know better, though. Personally, I think it's delightful that a bunch of teenage amateurs are trying to create an operating system. So what if they haven't yet learned what everyone else had known for decades? Let's not discourage their creativity with our stodgy pragmatism. Maybe some day it will really pay off. If they really think it all through and work hard, 2009 could be the year of the Windows desktop.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  14. Re:Closest resources first by deke_kun · · Score: 3, Informative

    This is exactly what is happening.

    And yet this is listed as a Safari flaw?

    Come on, how insanely insecure is it to run executable code from the desktop! Hasn't Windows had protection on the windows and system32 directories for about 6 billion years now for this very reason? And then they go and make it pull executable code from just about the least secure place on any PC.

    From where I'm sitting this is a massively Microsoft problem, but their suggested "fix" is still the easiest solution by far. But it's a bandaid to a gaping oversight.

    Safari on the mac defaults to /Users/user/Downloads. Wouldn't be hard to change WinSafari to do the same, but it would almost be an admission of fault to all the IE fanboys.

  15. Re:mod parent up by gerardrj · · Score: 2, Informative

    Even if Windows has an "unsafe for execution" flag for files, the DLLs in question aren't really being launched through the new process/application launch APIs that would implement such a flag.
    These files are being loaded as trusted libraries of shared code that likely bypass anti-virus and other such protection apps.

    --
    Article X: The powers not delegated... by the Constitution...are reserved...to the people
  16. Yup! by nobodyman · · Score: 4, Informative

    It would be easy enough to test this out though. Manually download this DLL using IE (which marks the file as unsafe), then fire up IE7.
    I tried it out: the exploit still works when you manually download the file using IE instead of Safari. So either IE isn't marking downloaded executables as unsafe either, or IE ignores this flag when loading DLLs. Either way it undermines the "Apple is at fault" argument.

    Carpet bombing is still an issue, if for no reason than it is an annoyance.
  17. Re:Best Solution by ClassMyAss · · Score: 2, Informative

    Someone else posted somewhere here that it doesn't matter if the file is marked or not, and that if you download the file from IE or Firefox it is STILL picked up and loaded from the desktop by IE. Sounds like part of the problem is that DLLs aren't being checked for safety before loading; whether this is a general "feature" in Windows or something IE specific, I have absolutely no idea, I haven't used Windows in a while so I can't check myself...