Slashdot Mirror


Safari "Carpet Bomb" Attack Code Released

snydeq writes "A hacker has posted attack code that exploits critical flaws in the Safari and Internet Explorer Web browsers. The source code can be used to run unauthorized software on a victim's machine, and could be used by criminals in Web-based computer attacks, security experts say. The public example of the attack code allows attackers to litter a victim's desktop with executable files, an attack known as 'carpet bombing.' In combination with bugs in Windows and Internet Explorer, attackers can run unauthorized software on a victim's computer."

15 of 118 comments

  1. This is a longstanding Windows flaw. by argent · · Score: 1, Insightful

    This is not a security flaw in Safari, it's using what SHOULD be no more than a DOS attack on Safari to make an attack on the longstanding security flaws inherent in the Windows browser-desktop integration. The same flaws can be attacked with minimal social engineering ... convincing a significant number of users to download a file despite any warnings is NOT a hard process... the majority of malware over the past decade that have used related flaws in the Windows security model have managed to propagate using social engineering tricks.

    I am still boggled by the fact that Microsoft didn't fix the deep problems here ten years ago.

    1. Re:This is a longstanding Windows flaw. by brunascle · · Score: 5, Insightful

      I'd say it is a security flaw in Safari, but for different reasons. As the same blog explains, you could have Safari download an executable to the desktop that pretends to be e.g. Internet Explorer. If they normally launch IE from the desktop, they could click the fake IE next time, running arbitrary code.

    2. Re:This is a longstanding Windows flaw. by anomaly256 · · Score: 2, Insightful

      Just FYI, it's not the browser-desktop integration causing the problem with IE, it's how the win32 dynamic linking mechanism works.

    3. Re:This is a longstanding Windows flaw. by argent · · Score: 2, Insightful

      Is it this one? "While trying to load some of those files, it does not provide the full path of the DLL file to the function which loads the DLL file to the memory, and therefore Windows will search for this file in the user's machine using the directories provided in the PATH environment variable, and will load the first match it will found."

      If so, why is %PROFILE%\Desktop in %PATH%?

      Oh, no, it's this one: "While this is true, the behavior of the "DLL Search Order" (when it's disabled) is to look for the DLL in the current directory, right after the Internet Explorer's directory. As most users execute Internet Explorer from the Desktop, the current directory will be of course the user's Desktop (see screenshot below)."

      Why is Internet Explorer's current directory the desktop?

      It's not because Internet Explorer is in %PROFILE%\Desktop, because it isn't.

      It's not because Internet Explorer is a shortcut on the Desktop, because that would run it with the current directory in the destination directory of the shortcut.

      Perhaps it's because the Internet Explorer icon on the desktop is a special case, because of the browser-desktop integration?

      Nah, that's crazy talk.
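
The search order quoted in the comment above, as an added example that is not part of the thread or of the blog it quotes: a small model of how Windows resolves a DLL name given without a path, with the Desktop as the current directory. All directories, the user name and the DLL names are constructed, and the application directory is assumed to contain neither DLL.

```python
from pathlib import PureWindowsPath

# Constructed directories; "alice" and the DLL names are placeholders.
APP_DIR = r"C:\Program Files\Internet Explorer"
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
DESKTOP = r"C:\Users\alice\Desktop"   # the process's current directory
PATH_DIRS = [r"C:\Tools"]

# Constructed file system: present.dll is installed and also dropped on the
# Desktop; optional.dll is probed by the application but exists only on the Desktop.
FILES = {p.lower() for p in (
    r"C:\Windows\System32\present.dll",
    DESKTOP + r"\present.dll",
    DESKTOP + r"\optional.dll",
)}

def search_order(cwd, safe_mode=True, cwd_removed=False):
    """Directories probed, in order, for a DLL name given without a path."""
    cwd_part = [] if cwd_removed else [cwd]   # SetDllDirectory("") drops the cwd
    if safe_mode:                             # SafeDllSearchMode enabled
        return [APP_DIR] + SYSTEM_DIRS + cwd_part + PATH_DIRS
    return [APP_DIR] + cwd_part + SYSTEM_DIRS + PATH_DIRS

def resolve(name, cwd=DESKTOP, **options):
    """Return the path the loader model would pick, or None if not found."""
    path = PureWindowsPath(name)
    if path.is_absolute():                    # full path: no search at all
        return str(path) if str(path).lower() in FILES else None
    for directory in search_order(cwd, **options):
        candidate = str(PureWindowsPath(directory) / name)
        if candidate.lower() in FILES:
            return candidate
    return None

def demo():
    return {
        "legacy order": resolve("present.dll", safe_mode=False),
        "safe mode": resolve("present.dll"),
        "safe mode, DLL not installed": resolve("optional.dll"),
        "cwd removed": resolve("optional.dll", cwd_removed=True),
        "full path": resolve(r"C:\Windows\System32\present.dll"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30} -> {result}")
```

The third case is the one that matters for a defender: safe search mode only moves the current directory later in the order, so a DLL that is not installed anywhere else is still taken from the Desktop unless the caller passes a full path or removes the current directory from the search.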

  2. Better yet... by HerculesMO · · Score: 3, Insightful

    Best workaround is to use Firefox.

    --
    The price is always right if someone else is paying.
  3. Re:Best Solution by Entropy2016 · · Score: 2, Insightful

    It's something Microsoft has to fix. The article is your friend.

  4. mod parent up by spud603 · · Score: 4, Insightful

    Very informative.
    If Windows has an "unsafe" flag for files, it should be used by Safari. Also, I find using desktop as default download space incredibly annoying (yes, I'm looking at you Firefox).
    That said, IE should also know better than to execute random files from the desktop, which seems like the nastier issue here.

  5. Re:Quick Workaround... by CastrTroy · · Score: 4, Insightful

    For me it runs even when launching from the quick launch bar, or from the start menu. For some reason, IE seems to like to load things from the desktop by default. For instance, to change your "view source" application from notepad to notepad++, you can put the following in a notepad.bat file on your desktop.

    "C:\Program Files\Notepad++\notepad++.exe" %1

    This problem seems to be twofold. First, Safari will automatically download stuff, to your desktop, without asking you. Secondly, IE will load DLLs from the desktop, just because they happen to have the same name as some other DLL it is looking for. I think the bigger problem here is with IE, because it doesn't matter how the DLL got on your desktop, it shouldn't be using it.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  6. Dear Apple, Please stop sucking by sootman · · Score: 1, Insightful

    Why oh why, in two-thousand-freaking-whatever, do we still have issues like this? It's bad enough that Apple has "Open 'safe' files after downloading" enabled by default (and yes, they are the ones who put 'safe' into quotes, so it's not like they don't know) and being set to download files without prompting for confirmation is just as bad. We're getting into MS "Hey, let's automatically run attached executables!" territory here. Internet-related things need to be secure by default, period. (Yes, I know 'secure' is not a single magical setting, but if the choice is between "convenient, but obviously a potential attack vector" and "has at least one step between 'click' and 'pwn3d!' " then the default setting should be for the more secure of the two.)

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  7. Re:Wrong section, eds! by oyenstikker · · Score: 3, Insightful

    "This is normal and fine behavior."

    No, it isn't.

    --
    The masses are the crack whores of religion.
  8. Re:Best Solution by oahazmatt · · Score: 2, Insightful

    Half of the problem is with Safari, the other half is with IE. Let's give credit where credit is due.

    If it weren't for Safari downloading the files to the desktop by default, they wouldn't get there.

    If it weren't for IE opening these files from the desktop by default, they wouldn't open.

    Now, if you'll excuse me, I'd like to feel completely secure. I'm going to go install my old copy of OS/2 Warp v3 and Netscape Communicator.

    --
    Those who believe the Internet is private,
    find their privates are on the Internet.
  9. Re:Wrong section, eds! by Khyber · · Score: 2, Insightful

    No, the problem is that Safari doesn't utilize the functionality Windows has for marking files as safe or unsafe when it downloads something, thus allowing IE to open said files.

    Safari isn't implementing the basic security that is implemented in Windows.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  10. Re:Secure from the ground up! by mweather · · Score: 2, Insightful

    In this case Application B and the system are one and the same.

  11. Re:Best Solution by Entropy2016 · · Score: 2, Insightful

    The person I was responding to was talking about executing unauthorized exe on another person's computer (to uninstall Safari). That part of the attack is a Windows+IE issue that Microsoft has to fix.

    Sure, Safari (on Windows) can carpetbomb & spam your desktop. That's potentially annoying (but ultimately doesn't harm your system).

    There's a distinction between Safari "making available" the malicious executable versus it actually being executed, which like I was saying, the person I was responding to was talking about.

  12. Re:Closest resources first by clang_jangle · · Score: 2, Insightful

    But it is a Safari flaw. If I wrote a browser and released it for multiple OSs I'd consider it my responsibility to eliminate all possible security breaches individually for each version. Though I am an Apple user and really dislike MS, it seems to me that Apple simply didn't finish the job on their Windows version of Safari. True, Windows is a real PITA to port software to, with all the poor security choices MS has made -- but a job worth doing is a job worth doing properly. Users of WinSafari have a right to be upset about this, and Apple should fix it straight away. After all, no one's forcing them to code for Windows.

    --
    Caveat Utilitor