Slashdot Mirror

← Back to Stories (view on slashdot.org)

Safari "Carpet Bomb" Attack Code Released

Posted by timothy on from the nogoodniks dept.

snydeq writes "A hacker has posted attack code that exploits critical flaws in the Safari and Internet Explorer Web browsers. The source code can be used to run unauthorized software on a victim's machine, and could be used by criminals in Web-based computer attacks, security experts say. The public example of the attack code allows attackers to litter a victim's desktop with executable files, an attack known as 'carpet bombing.' In combination with bugs in Windows and Internet Explorer, attackers can run unauthorized software on a victim's computer."

20 of 118 comments (clear)

  1. Re:Secure from the ground up! by spud603 · · Score: 5, Informative

    RTFA. Actually, it looks like this is a windows problem. Safari automatically downloads a file to the desktop. Then when you start Internet Explorer it runs the file on your desktop and there is the problem.
    So the real issue is that Safari can be told to automatically download a file while internet explorer will automatically run a malicious dll from the desktop. actual post and proof-of-concept code here.
    seems like a misleading summary to me.

  2. Wrong section, eds! by himself · · Score: 4, Informative

    This is a _Windows_ Safari problem, not an _OS X_ Safari problem. And yes I RTFBlogPost.

    1. Re:Wrong section, eds! by Qwerpafw · · Score: 4, Informative

      It's a Windows Internet Explorer problem, not a Mac OS X Safari problem.

      the "bug" is that Safari has the users desktop as the default download directory, and will automatically download files if you go to some websites. This is normal and fine behavior. The problem is that Internet Explorer loads files from the desktop on launch, which means if you craft a malicious library and put it on the desktop Internet Explorer will happily load it.

      Microsoft should fix IE to avoid loading files from the Desktop.

    2. Re:Wrong section, eds! by oyenstikker · · Score: 3, Insightful

      "This is normal and fine behavior."

      No, it isn't.

      --
      The masses are the crack whores of religion.
    3. Re:Wrong section, eds! by Chas · · Score: 4, Informative

      No. It's a problem with Windows Internet Explorer that's exacerbated by a problem with Windows Safari.

      Safari should NOT be auto-dumping files onto the Windows desktop. PERIOD.

      There's enough blame to go around everywhere.

      --


      Chas - The one, the only.
      THANK GOD!!!
    4. Re:Wrong section, eds! by ClassMyAss · · Score: 3, Informative

      Safari should NOT be auto-dumping files onto the Windows desktop. PERIOD.
      Totally agreed. I'd go further - no website should be able to trigger any action on my computer that persists after I close the damn browser window without my explicit permission, apart from saving cookies and leaving an entry in my history log (even then, only if I've enabled both of these things).

      That said, IE is worse here - downloading files without my permission is bad form, but a pre-installed system app loading DLLs from any old place that it finds them, especially one of the most common places to dump downloaded files, is just idiotic.

      Shame on all.
  3. Quick Workaround... by Manip · · Score: 4, Informative

    Here are two very quick temp' workarounds for the issue.

    1) Launch IE from a location other than your desktop (e.g. Start Menu, Quick Launch Tray).

    2) Go to Program Files\Internet Explorer, Create Shortcut, and then place that shortcut on your desktop. Make sure the "Start In" setting is set to any location other than your Desktop.

    1. Re:Quick Workaround... by CastrTroy · · Score: 4, Insightful

      For me it runs even when launching from the quick launch bar, or from the start menu. For some reason, IE seems to like to load things from the desktop by default. For instance, to change your "view source" application from notepad to notepad++, you can put the following in a notepad.bat file on your desktop.

      C:\Program Files\Notepad++\notepad++.exe %1

      This problem seems to be two fold. First, Safari will automatically download stuff, to your desktop, without asking you. Secondly, IE will load DLLS from the desktop, just because they happen to have the same name as some other DLL it is looking for. I think the bigger problem here is with IE, because it doesn't matter how the dll got on your desktop, it shouldn't be using it.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  4. Re:Secure from the ground up! by Colonel+Korn · · Score: 3, Informative

    RTFA. Actually, it looks like this is a windows problem. Safari automatically downloads a file to the desktop. Then when you start Internet Explorer it runs the file on your desktop and there is the problem.
    So the real issue is that Safari can be told to automatically download a file while internet explorer will automatically run a malicious dll from the desktop. actual post and proof-of-concept code here.
    seems like a misleading summary to me. IE won't run anything "automatically." It sounds like the problem is that Safari both autodownloads to the desktop and then tells IE to open that file on its next load.
    --
    "I zero-index my hamsters" - Willtor (147206)
  5. Better yet... by HerculesMO · · Score: 3, Insightful

    Best workaround is to use Firefox.

    --
    The price is always right if someone else is paying.
  6. Re:Secure from the ground up! by bluelip · · Score: 3, Informative

    IE will load its DLLs automatically. If the current PATH contains the DLL, IE will use that version instead of the system version.

    --

    Yep, I never spell check.
    More incorrect spellings can be found he
  7. Re:Secure from the ground up! by spud603 · · Score: 4, Informative
    from TFA:

    The problem originated from an error that Windows Internet Explorer will load some program library files(DLL) from user's Desktop instead of its own library file folder(usually C:\WINDOWS\SYSTEM32). Apple's Safari for Windows downloads and saves requested file to user's Desktop by default - this default behavior itself does not constitute a mistake.
    The 'workarounds' suggested by MS include "Change the download location of content in Safari to a newly created directory". I don't actually know what's going on with this, but it seems like it's IE opening an improperly-named (or maybe there's some bad meta-data that comes along with it?) file from the desktop, no matter how it got there.
  8. Re:Secure from the ground up! by Richard_at_work · · Score: 5, Informative

    Read Slashdot: Microsoft Urges Windows Users To Shun Safari - it explains what happens in more detail.

    Basically, on Windows Safari automatically downloads files, in imitation of its behavior on OSX, but whereas on OSX it downloads them to a nice ~/Downloads directory on Windows it downloads them to the desktop. Also, on OSX Safari tags the downloaded file as 'unsafe', but it fails to use the Windows functionality to do the same on Windows. This leaves a whole load of files that you never asked for or wanted lying around on your computer in a state that is one step away from being executed.

    This 'attack' allows a malicious person to force Safari to dump thousands of files on your desktop, which in and of itself is not a nice thing, but when coupled with other exploits it can lead to code execution of these files you never wanted in the first place - whether those exploits are patched by the vendor (Microsoft) or not, we both know that a significant portion of desktops are not kept fully up-to-date with security releases.

  9. mod parent up by spud603 · · Score: 4, Insightful

    very informative.
    If Windows has an "unsafe" flag for files, it should be used by Safari. Also, I find using desktop as default download space incredibly annoying (yes, i'm looking at you firefox).
    That said, IE should also know better than to execute random files from the desktop, which seems like the nastier issue here.

  10. Re:This is a longstanding Windows flaw. by brunascle · · Score: 5, Insightful

    I'd say it is a security flaw in Safari, but for different reasons. As the same blog explains, you could have Safari download an executable to the desktop that pretends to be e.g. Internet Explorer. If they normally launch IE from the desktop, they could click the fake IE next time, running arbitrary code.

  11. Re:Secure from the ground up! by FatMacDaddy · · Score: 3, Informative
    You know, this is pretty clearly explained in the article. To quote: "Microsoft's advisory says that the vulnerability has to do with the way Windows handles desktop executables and recommends that Windows users "restrict use of Safari as a Web browser until an appropriate update is available from Microsoft and/or Apple."

    So yes, IE is in fact autoloading executables from the desktop. It's Safari's vulnerability to carpet bombing that sets the stage, but it's IE and Windows that cause the big boom.

    --
    This space intentionally left blank.
  12. There is one by Titoxd · · Score: 3, Informative

    If Windows has an "unsafe" flag for files, it should be used by Safari. Windows has it. It's the Attachment Execution Service, located in the Alternate Data Streams in NTFS.
  13. Who uses safari for windows and IE? by wattrlz · · Score: 3, Interesting

    Personally I think the bigger issue is that Safari will auto-download, auto-mark-safe, and auto-run files silently. IE's broken too, but either one of the players involved could render this exploit moot. Let's see who responds first before stoning someone to death.

    I still don't see why someone would be browsing around in safari and then open up IE. A regular user's likely to only use his favorite browser and a dev who needs to view the same site in multiple browsers would probably notice that there're a bunch of new .dll files all over the desktop.

  14. Re:Closest resources first by deke_kun · · Score: 3, Informative

    This is exactly what is happening.

    And yet this is listed as a Safari flaw?

    Come on, how insanely insecure is it to run executable code from the desktop! Hasn't windows had protection on the windows and system32 directories for about 6 billion years now for this very reason? And then they go and make it pull executable code from just about the least secure place on any PC.

    From where I'm sitting this is a massively Microsoft problem, but their suggested "fix" is still the easiest solution by far. But its a bandaid to a gaping oversight.

    Safari on the mac defaults to /Users/user/Downloads. Wouldn't be hard to change WinSafari to do the same, but it would almost be an admission of fault to all the IE fanboys.

  15. Yup! by nobodyman · · Score: 4, Informative

    It would be easy enough to test this out though. manually download this DLL using IE (which marks the file as unsafe), then fire up IE7.
    I tried it out: the exploit still works when you manually download the file using IE instead of Safari. So either IE isn't marking downloaded executables as unsafe either, or IE ignores this flag when loading DLL's. Either way it undermines the"Apple is at fault" argument.

    Carpet bombing is still an issue, if for no reason than it is an annoyance.