Slashdot Mirror

← Back to Stories (view on slashdot.org)

Safari "Carpet Bomb" Attack Code Released

Posted by timothy on from the nogoodniks dept.

snydeq writes "A hacker has posted attack code that exploits critical flaws in the Safari and Internet Explorer Web browsers. The source code can be used to run unauthorized software on a victim's machine, and could be used by criminals in Web-based computer attacks, security experts say. The public example of the attack code allows attackers to litter a victim's desktop with executable files, an attack known as 'carpet bombing.' In combination with bugs in Windows and Internet Explorer, attackers can run unauthorized software on a victim's computer."

3 of 118 comments (clear)

  1. mod parent up by spud603 · · Score: 4, Insightful

    very informative.
    If Windows has an "unsafe" flag for files, it should be used by Safari. Also, I find using desktop as default download space incredibly annoying (yes, i'm looking at you firefox).
    That said, IE should also know better than to execute random files from the desktop, which seems like the nastier issue here.

  2. Re:This is a longstanding Windows flaw. by brunascle · · Score: 5, Insightful

    I'd say it is a security flaw in Safari, but for different reasons. As the same blog explains, you could have Safari download an executable to the desktop that pretends to be e.g. Internet Explorer. If they normally launch IE from the desktop, they could click the fake IE next time, running arbitrary code.

  3. Re:Quick Workaround... by CastrTroy · · Score: 4, Insightful

    For me it runs even when launching from the quick launch bar, or from the start menu. For some reason, IE seems to like to load things from the desktop by default. For instance, to change your "view source" application from notepad to notepad++, you can put the following in a notepad.bat file on your desktop.

    C:\Program Files\Notepad++\notepad++.exe %1

    This problem seems to be two fold. First, Safari will automatically download stuff, to your desktop, without asking you. Secondly, IE will load DLLS from the desktop, just because they happen to have the same name as some other DLL it is looking for. I think the bigger problem here is with IE, because it doesn't matter how the dll got on your desktop, it shouldn't be using it.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.