Slashdot Mirror


Apple Fixes Safari "Carpet Bomb" Windows Vulnerability

Titoxd writes "Apple has released a new version of Safari that fixes the carpet bomb vulnerability in Safari 3.1 for Windows. This comes on the heels of Microsoft recommending against using Safari in Windows, as well as the release of code exploiting this vulnerability."

99 comments

  1. You mean? by Centurix · · Score: 5, Funny

    You think the carpet bombers did this?
    Face it man, that rug really tied the room together...

    --
    Task Mangler
    1. Re:You mean? by pete-classic · · Score: 1

      Well Dude, we just don't know.

      -Brant

  2. I installed the update... by Anonymous Coward · · Score: 4, Funny

    And my computer rebooted into OS X. Not that I mind, really.

    1. Re:I installed the update... by Anonymous Coward · · Score: 0

      Someone has been reading Ubersoft.

  3. But did they fix the real bug? by rustalot42684 · · Score: 5, Insightful

    Did they fix the bug where Safari installs as an iTunes update? I'd say that that is a fairly severe bug right there.

    1. Re:But did they fix the real bug? by Anonymous Coward · · Score: 0

      No, they'd rather take the "Sony-PSP" approach to it: it's not a defect, it's a feature!

    2. Re:But did they fix the real bug? by Vectronic · · Score: 0

      No no, that's no bug, it's a feature...

      One of the few times I can say that without rolling my eyes... I'm pretty sure that it's something similar to MSN Messenger only using IE for e-mail, 'cause Windows (currently) comes with IE (basically mandatory) but I don't think OSX comes with Safari as embedded (I don't use OSX, what do I know?), so it's sort of "making sure" that it has its appropriate buddy applications... that way people can't bitch when iTunes fucks up trying to launch/view a certain webpage: "well, if you had Safari installed it woulda worked"...

    3. Re:But did they fix the real bug? by tokul · · Score: 5, Informative

      Did they fix the bug where Safari installs as an iTunes update?
      New (released more than one month ago) Apple Software Update has two sections. One for updates and other for new software. When Safari was introduced, Software Update had only one section.
    4. Re:But did they fix the real bug? by Briareos · · Score: 3, Informative

      New (released more than one month ago) Apple Software Update has two sections. One for updates and other for new software. Last I checked the "new" software was still checked by default - and I really don't feel like installing anything that ASU comes with right now. So does anyone know if they finally fix THAT idiocy?

      np: Seabear - Sailors Blue (The Ghost That Carried Us Away)

      --

      "I'm not anti-anything, I'm anti-everything, it fits better." - Sole

    5. Re:But did they fix the real bug? by 99BottlesOfBeerInMyF · · Score: 4, Insightful

      Last I checked the "new" software was still checked by default - and I really don't feel like installing anything that ASU comes with right now. So does anyone know if they finally fix THAT idiocy?

      Why would they need to "fix" it? It is operating as they prefer it, the same as all the software MS includes in Windows that most of us would prefer we did not have to install. Is it so difficult for you to uncheck that box if you're performing an update?

    6. Re:But did they fix the real bug? by torchdragon · · Score: 5, Insightful

      Yes.

      Recently, the Java update software has begun asking for the Open Office installer to be installed on the system during an update for Java. Several users at my company have clicked straight through and added more crap to their desktop/registry/uninstall information.

      Can we blame the users for not reading every detail and not unchecking a checkbox? Yes.
      Can we also blame software vendors who are relying on the aforementioned user behavior to add their software to your computer on the sly? Yes.

      It's a bad practice and it needs to stop.

      If something is required for the operation of a software package, default to selected.
      If something is optional or not required for the operation of a software package, default to unselected.

      Why are we allowing marketing to override good engineering?

      --
      "Don't feel bad for me child; I'm the monster that hides under your bed."
    7. Re:But did they fix the real bug? by lusiphur69 · · Score: 5, Insightful

      The real question is why are you defending Apple's unethical bundling - when the same is performed by Microsoft we criticize it. Call a spade a spade or you look foolish. Face it, this kind of practice is unacceptable, whether or not it comes from your favorite company.

      Is it so difficult for you to uncheck that box if you're performing an update? For me, no. For millions of uneducated end users, it is. Get it?
    8. Re:But did they fix the real bug? by Calibax · · Score: 1

      I installed Safari for Windows about a week after it came out. That was several months ago.

      It was very clearly marked as "new software". It was not marked as an update to anything. I just checked on a different system, and Safari is still marked as "new software".

    9. Re:But did they fix the real bug? by Calibax · · Score: 1, Insightful

      I guess it's about as unethical as Microsoft forcing IE7 on all users who use automatic updates. In fact, Microsoft forces new stuff all the time this way.

      Not defending it - just saying that Apple, Microsoft and Sun all do this, so don't single out Apple as being unethical in this manner.

    10. Re:But did they fix the real bug? by VeNoM0619 · · Score: 1

      Did they fix the bug where Safari installs as an iTunes update? I'd say that that is a fairly severe bug right there. More importantly, did they fix the ipod software itself? Every update cripples me even further without fixing what the previous broke (80GB gen 5).
      1. IPOD plays all songs
      2. IPOD needs to be restarted after adding songs
      3. IPOD cannot have more than ~30,000 songs in a genre
      4. IPOD cannot have more than 30,000 songs in TOTAL (otherwise no songs display)
      I'm afraid of the next update, where I can only have 1 song total on it.

      Believe me, the support is sub-par to say the least. The online help is very confusing: screenshot 1 screenshot 2 (notice the 1st pic with the red circles) and hardly addresses the topic, and their solution is ALWAYS "bring it in to apple store" as a cure all.

      I am not a fanboy of anything particular, and I couldn't care about bashing Apple, I've just been very unhappy with this product as of lately.
      --
      Disclaimer: I am not god.
      We may not be created equal
      But we can be treated equal.
    11. Re:But did they fix the real bug? by Anonymous Coward · · Score: 4, Insightful

      No, it isn't like that. IE7 is an upgrade to something already installed and, to most end-users, in use. Safari is an entirely new piece of software. There's a difference, whether you like it or not.

    12. Re:But did they fix the real bug? by Macman408 · · Score: 1

      If something is required for the operation of a software package, default to selected.
      If something is optional or not required for the operation of a software package, default to unselected.

      That's not quite what I'd want. I think it should default to whatever "most users" would want. If it's related to the software being installed but optional, go ahead and leave it as default if it's useful: like plugins, additional media files, large level or graphics files for a game that can load files either from the HD or a CD, whatever you expect to be actively used by your users.

      On the other hand, if it's unrelated software, leave it unchecked. If the company only WANTS "most users" to want their software, leave it unchecked.

      Basically, checked things should be useful for the main purpose of the program being installed, but you can uncheck them to save hard drive space, or to remove features that not every user will use. Unchecked things should be anything that is there for marketing purposes, or that only a small fraction of users may want.

    13. Re:But did they fix the real bug? by 99BottlesOfBeerInMyF · · Score: 0

      The real question is why are you defending Apple's unethical bundling - when the same is performed by Microsoft we criticize it.

      Actually, in Apple's case it is tying, but not bundling. The concept is the same, except for two things. First, it has to be tying to a monopolized product. In this case Apple is tying iTunes to the iPod (which is nearly a monopoly force) and which they, in turn, tied to Safari. In this case, however, those markets are both already destroyed by MS's prior monopoly abuse into those same markets. Apple is actually helping those markets by leveraging the iPod to bring some choice into those markets. Compare, for example, MS's effect upon Web standards and compare it to Apple's influence.

      For me, no. For millions of uneducated end users, it is. Get it?

      You injected this in a discussion of technical merits and flaws. This is neither. This is an economic issue you've brought up. You should not confuse the two. I don't see this as a technical issue, and as an economic issue so far the effect has been positive.

    14. Re:But did they fix the real bug? by marklark · · Score: 1

      Well, Safari isn't exactly embedded, but it's handy if you want to download Firefox or Opera and then make one of those your default browser...

    15. Re:But did they fix the real bug? by Calibax · · Score: 2, Insightful

      Nevertheless, IE7 broke a bunch of stuff at my company. The IT folks spent a considerable amount of time and energy getting everything on the intranet working with it.

      I would strongly argue that IE7 was a new product with a similar name, and not an upgrade.

    16. Re:But did they fix the real bug? by Zero__Kelvin · · Score: 1

      "Is it so difficult for you to uncheck that box if you're performing an update?"
      "Yes."
      Then you are exactly the kind of "lowest common denominator" type to whom the default yes was targeted.
      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    17. Re:But did they fix the real bug? by torchdragon · · Score: 1

      Actually, I'm not. They don't want to hit me with that checkbox because I do pay attention to what comes up on my screen. So instead of getting an extra incidental hit for whatever they're pushing, they now have an annoyed customer. The people they're targeting with this are the people who won't notice that they're installing extra software.

      So far Apple, Sun, and Daemon-Tools have all edged me away from their products because of this choice. Though I suppose you really can't be concerned with the dolphins getting caught in the net when the profit from the mindless tuna is just so high.

      --
      "Don't feel bad for me child; I'm the monster that hides under your bed."
    18. Re:But did they fix the real bug? by Zero__Kelvin · · Score: 1

      Whooooosh .....

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    19. Re:But did they fix the real bug? by torchdragon · · Score: 1

      Well, at least I got a breeze. What exactly was the point of your comment then? Obviously I missed something.

      --
      "Don't feel bad for me child; I'm the monster that hides under your bed."
    20. Re:But did they fix the real bug? by _xeno_ · · Score: 1

      It's even more obnoxious because the stupid Open Office installer comes with a JRE by default, too.

      If you don't want to download the installer which is bundled with a JRE, you have to hunt through links on the OO.o site. The download link silently includes a JRE. Instead you have to click on "Get more platforms and languages" if you don't want the JRE.

      But wait! Note the anchor on that more platforms link? By default, it jumps you to your current language. So now you need to scroll up and then uncheck the checkbox that tells it to include the JRE.

      But wait! What checkbox? Oh, you need to enable JavaScript to see the checkbox. So enable JavaScript and then clear the checkbox. Now you can finally download OpenOffice.org without a JRE.

      Why would you want to download OO.o without a JRE? Well, as they say in bold text: If you already have Java installed there is no need to download the OpenOffice.org installer with Java.

      I agree completely. If you already have Java installed, there's no need to download a second copy. But then why is it so stupidly hard to do so?! And if they're going to use JavaScript to auto-detect your OS, why not add in a quick check to see if you already have a JRE through the Java plugin?

      Of course, skipping the JRE download only saves 13MB, so for people on broadband, it's probably not worth the time jumping through the hoops just to skip the JRE. But if you do that, you need to make sure that you choose a "Custom" install so you can tell it not to install the JRE. Which you'll want to make sure you do, because at least with the copy of OOo I just downloaded, the bundled JRE is a couple of patches out of date anyway. (6u4 versus 6u6.)

      I suppose just blindly downloading the OOo copy from the Java installer is the "preferred" way of not getting a second JRE? Or does that include it anyway? Maybe I'll have to reinstall Java to check...

      --
      You are in a maze of twisty little relative jumps, all alike.
    21. Re:But did they fix the real bug? by mr_matticus · · Score: 1

      The real question is why are you defending Apple's unethical bundling - when the same is performed by Microsoft we criticize it.

      Bundling and peddling are not the same. I have no objection to Microsoft default check boxes to install things. When I install Office, if it tries to select MSN Messenger by default, I will uncheck it. When I fill out registration forms online, those newsletter signups are checked by default. I uncheck them.

      Microsoft is free to set whatever checkboxes it wants. That's not bundling--it's not like the data has been downloaded yet or that it comes along without permission. It's not anticompetitive. I don't recall any criticizing Microsoft specifically for the practice of default installations--I recall criticism for not having a checkbox to unmark in the first place.

      For me, no. For millions of uneducated end users, it is. Get it?

      No. If you're so stupid that you can't click a box to determine whether or not you want to install a piece of software, you have no business on a computer. It's not a configuration option. You're not deciding whether to include a program feature, or trying to decipher some obscure technical term in your media player's configuration screen.

      I don't disagree that it's an annoying practice, regardless of who does it, but it's one that would stop overnight if people actually paid attention to what they're doing. There's no value in it if people take the third of a second to look at what they're clicking on. It's not really any different than a popup message during installation that says, "Would you like to try Safari today?" with brainless-human-drone just tapping the enter key when anything pops up on screen.

      If it just started installing one day (e.g. Windows spyware tool on automatic update systems), that would be one thing. But if software presents a screen, telling you exactly what it's going to do if you click the button and giving you the opportunity to change that default if you don't like it, then you're just an idiot for clicking that button.

      It's the same deal with malware. On Linux and OS X, asking for an administrator password isn't really for the authentication (for the most part), it's an interruption in the mindless "next" and "OK" clicking done by computer users. It causes people to have to reach out to their keyboard and hopefully in that moment, their brain comes out of standby and says, "Hey! Wait a minute! What am I doing?"

    22. Re:But did they fix the real bug? by drifterusa · · Score: 1

      I don't know where you're from, but in the United States of America, marketing overrides everything.

    23. Re:But did they fix the real bug? by drifterusa · · Score: 1

      It is unethical for Microsoft to use its monopoly power in the marketplace to dictate to its partners what they can and can't install on the computers they manufacture in order to protect and enlarge Microsoft's monopoly power. Apple has no monopoly power in the marketplace and is not threatening anyone who refuses to install Safari.

      What Apple is doing here is merely annoying. However, I do think that when Microsoft was found guilty for the umpteenth time and got away with a slap on the wrist, Apple noticed and decided to play a bit of hardball, too.

      As has been pointed out elsewhere, Apple's gambit is designed to loosen Internet Explorer's grip and make Microsoft's version of the Web the same as everyone else's (and not the other way around). I think that's a laudable goal.

    24. Re:But did they fix the real bug? by Ilgaz · · Score: 1

      I know a company who has thousands of clients and their admin. You know the result of the cheap trick of adding Safari to Software Update on their machines and policy? They mass uninstalled Quicktime, the core of Apple technologies on Windows and banned everyone from installing anything related to Apple Inc. coming with software update.

      Now they may have fixed it but that company (or several others) will keep that policy thanks to Carpet Bombing type things coming with the updated (!) Safari browser. Sadly, we will keep putting "Flash" videos to our sites since people frustrated by such tricks won't have Quicktime installed.

      Apple should be proud (!) of that 3% or something Safari popularity added by that trick. Safari for Windows is not a bad browser (if they respect the OS they run on), it didn't need such tricks.

      I can bet easily that genius idea (!) came from the PR team or some suits, not engineers. You know that shadowy brotherhood is also responsible for asking $30 for "fullscreen" in Quicktime for years.

    25. Re:But did they fix the real bug? by Ilgaz · · Score: 1

      Open Office? Not just that, does Sun, Adobe (Flash) need a couple of cents from Google to put "Google Toolbar" which can make any serious company with a security policy lose their minds?

      Adobe Flash, Java (!!!!) come with Google Toolbar if the user doesn't unclick that selection box selected by default. Google Toolbar could be a security nightmare if the user does select some options.

    26. Re:But did they fix the real bug? by ObiWanKenblowme · · Score: 1

      So this company's software policy is based not on tangible, measurable factors but on the pet peeves of its IT staff? Fantastic.

      --
      Obvious exits are NORTH, SOUTH, and DENNIS.
    27. Re:But did they fix the real bug? by lusiphur69 · · Score: 1

      My god, there sure are a lot of apologists for Apple who will use whatever twisted logic they can in a futile attempt to spin Apple's practices as anything but what they are - unethical.

      'But - but - but, Safari doesn't have a monopoly!' Ergo, what they are doing is ok? Give me a break.

      Pull your heads out of the Apple spin cycle and try to examine the issue dispassionately, you might find you come to a similar conclusion.

      As far as people not knowing how to remove checkboxes having 'not being allowed to sit in front of a computer' - you clearly have not been around enough. That describes the majority of the population online.

  4. What a stupid vulnerability by sakdoctor · · Score: 2, Insightful

    It's pretty common that some badly configured web server will send content to me that firefox will then ask if I want to download.

    Just letting it download and then moving on to the next file is...well such an obviously stupid behaviour.

    Also, please don't let carpet bombing become the next security buzzword along with bricking and zero-day.

    1. Re:What a stupid vulnerability by Anonymous Coward · · Score: 0

      I really hope it does, actually, because it has a really dirty sexual connotation...

    2. Re:What a stupid vulnerability by 99BottlesOfBeerInMyF · · Score: 1, Informative

      Just letting it download and then moving on to the next file is...well such an obviously stupid behaviour[sic].

      I disagree. If I click a link to download something, well obviously I want to download it. Clicking a second time to confirm is an annoyance. Apple's solution is to let things download, but put them in the downloads folder and flag them as untrusted content from the internet (well not flag them as trusted, since the default is untrusted). That is to say, that is their solution on OS X. On Windows, there is no download folder and for some reason they screwed up and did not flag it as untrusted in Vista (XP does not support that either). In my mind, their solution on OS X is superior, because it also helps solve the problem of executables masquerading as data. It means I can download a picture without any extra clicking and when I open it, I know it is just a picture. When I download an executable and then run it, I get a warning that it is a new executable (thus informing me it isn't data). I also get a link to open up the originating page so if it was downloaded a while ago, I can go see if it was something I wanted or a drive-by download or a trojan I thought was data at the time I downloaded it. From a larger perspective, I think it makes more sense to handle this type of solution at the OS level, since there are so many different programs that download files. It is better to have one good, consistent solution than a bunch of different ones of different quality levels. This fix from Apple is actually a work-around for Windows' lack of support for Apple's better (IMHO) solution.

      That is not to say everything is kosher. As far as I know Apple still isn't flagging executables as new on Vista where they stupidly default to trusted. Apple should have had a limit on the number of automatic downloads in response to a click or page load (probably one file) instead of letting one link download a dozen or more files. Apple also should have looked more closely at the way Windows works and tuned their solution from the start. One of the biggest problems with Safari on Windows is that it is a port and Apple has to recreate bits of OS X that Windows is missing as well as work around weird flaws in the Windows way of handling things. Apple has been less than stellar at this both with Safari and other software for Windows.

      Still, I think downloading files in Safari on OS X is still a lot better designed security concept than downloading files in Firefox on Windows. Firefox might be a more secure practical solution at this point though, because although their concept is not as secure, their code has been hammered on and tested a lot more resulting in a less buggy implementation.

    3. Re:What a stupid vulnerability by tlhIngan · · Score: 3, Informative

      Apple's solution is to let things download, but put them in the downloads folder and flag them as untrusted content from the internet (well not flag them as trusted, since the default is untrusted). That is to say, that is their solution on OS X. On Windows, there is no download folder and for some reason they screwed up and did not flag it as untrusted in Vista (XP does not support that either). In my mind, their solution on OS X is superior, because it also helps solve the problem of executables masquerading as data.

      Actually, Windows has this as well.

      If you download a file using Internet Explorer, an NTFS file attribute is set that marks it as "downloaded - untrusted". Double click the file and you get a popup asking "Do you want to run this executable?" with a popup showing the executable properties (signed by, etc). Problem is, it requires that you run NTFS, and if you copy the file to a network server, that network server has to support extended attributes. Use Firefox or other browser, and the attribute isn't set, or copy to a fileserver that doesn't support extended attributes, and it's lost.

      (Most frustrating when you have to apply 12+ patches to a program that Microsoft Update doesn't have support for. I wrote a little bash script that shells out cmd.exe (was an MSI file) to do this, but you're still left with these popups).

      As for OS X, I believe these notifications started in Leopard. They too are extended attributes, I believe. Though I think OS X copies attributes to filesystems/servers that don't support them by using dotfiles, so copying the file around doesn't get rid of it. (It goes away after you've approved it, though.) No reason why Apple couldn't figure out what flag IE sets and have Safari do same on Windows, either.

    4. Re:What a stupid vulnerability by brunascle · · Score: 1

      If I click a link to download something, well obviously I want to download it. Clicking a second time to confirm is an annoyance.
      True, but that's not the only way to get it to download. As the proof of concept code showed, all you have to do is put it inside a hidden iframe. If I go directly to a url ending in .dll, this might be excusable, but definitely not with an iframe.
    5. Re:What a stupid vulnerability by Shados · · Score: 2, Informative

      Actually, Vista -does- have a specific Download folder now, for the record.

    6. Re:What a stupid vulnerability by Anonymous Coward · · Score: 0

      Actually, Windows has this as well.

      If you download a file using Internet Explorer, an NTFS file attribute is set that marks it as "downloaded - untrusted".

      It's not an attribute (at least how I typically think of an attribute), it's just a filesystem fork, known as ADS in NTFS parlance.
    7. Re:What a stupid vulnerability by 99BottlesOfBeerInMyF · · Score: 1

      If you download a file using Internet Explorer, an NTFS file attribute is set that marks it as "downloaded - untrusted". Double click the file and you get a popup asking "DO you want to run this executable?"

      As I recall, that is true of Vista, but in XP only explorer knows about the flag, not the entire OS, so running it from the command line or via a script bypasses this... as does using windows explorer to autorun the files as in the demo.

      Use Firefox or other browser, and the attribute isn't set, or copy to a fileserver that doesn't support extended attributes, and it's lost.

      Firefox on Vista currently does set the attribute for new files.

      No reason why Apple couldn't figure out what flag IE sets and have Safari do same on Windows, either.

      I know. I mentioned this specifically as something Apple should fix. I did point out, however, that on OS X, downloaded files from any application are set to this by default and developers need to figure out how to set a flag to override this. On Windows, downloaded files need to be set by each application and the default is to not flag them. Ignoring Safari and IE, this is an issue for all programs that download files and MS chose a poor default.
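The "downloaded - untrusted" mark the last few comments argue about is, concretely, an NTFS alternate data stream named Zone.Identifier whose content is a tiny INI fragment: a [ZoneTransfer] section with a ZoneId line, where the number is one of Microsoft's URL security zones (3 = Internet). The Python below is an added example, not code from the thread or from Apple or Microsoft. It parses such a stream, reads it from disk only on Windows (the `file:Zone.Identifier` path syntax is NTFS-specific, which is why the mark vanishes on FAT or a share that drops streams), and models the two policies contrasted above: prompting only when a mark is present, as Windows does, versus treating anything unmarked as untrusted. The sample stream bytes, file names and the list of launchable extensions are constructed.

```python
import configparser
import os
from typing import Optional

# URL security zone numbers that a Zone.Identifier stream refers to.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Extensions this toy policy treats as launchable (constructed list).
LAUNCHABLE = (".exe", ".msi", ".bat", ".cmd", ".scr")


def parse_zone_identifier(stream: Optional[bytes]) -> Optional[int]:
    """Parse the bytes of a file's Zone.Identifier alternate data stream.
    The stream is an INI fragment: a [ZoneTransfer] section holding a ZoneId.
    Returns the ZoneId, or None when the stream is missing or malformed,
    which is exactly what a file that lost its mark in transit looks like."""
    if stream is None:
        return None
    parser = configparser.ConfigParser(interpolation=None)
    try:
        # utf-8-sig tolerates an optional byte-order mark at the start.
        parser.read_string(stream.decode("utf-8-sig", errors="replace"))
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def read_zone_identifier(path: str) -> Optional[bytes]:
    """Read the stream from disk. Only NTFS on Windows exposes it through the
    'file:Zone.Identifier' path syntax; anywhere else it is simply absent."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "rb") as fh:
            return fh.read()
    except OSError:
        return None


def should_prompt(filename: str, stream: Optional[bytes],
                  prompt_unmarked: bool = False) -> bool:
    """Decide whether opening `filename` should raise the 'do you want to run
    this?' prompt. The default models Windows: prompt only for launchable
    files whose mark says Internet or Restricted zone, so an unmarked file
    runs silently. prompt_unmarked=True models the other policy discussed
    in the thread, where anything lacking a mark is treated as untrusted."""
    if not filename.lower().endswith(LAUNCHABLE):
        return False
    zone = parse_zone_identifier(stream)
    if zone is None:
        return prompt_unmarked
    return zone >= 3


def describe(filename: str, stream: Optional[bytes]) -> str:
    """One-line summary, e.g. for a script that audits a downloads folder."""
    zone = parse_zone_identifier(stream)
    origin = ZONE_NAMES.get(zone, f"zone {zone}") if zone is not None else "unmarked"
    return f"{filename}: {origin}, prompt={should_prompt(filename, stream)}"


if __name__ == "__main__":
    # Constructed sample streams; INTERNET is what IE writes for a web download.
    INTERNET = b"[ZoneTransfer]\r\nZoneId=3\r\n"
    INTRANET = b"[ZoneTransfer]\r\nZoneId=1\r\n"
    for name, stream in [("setup.exe", INTERNET), ("setup.exe", INTRANET),
                         ("setup.exe", None), ("photo.jpg", INTERNET)]:
        print(describe(name, stream))
```

The interesting row is `setup.exe` with no stream: under the Windows-style default it runs without a prompt, which is the gap the thread describes when a browser does not set the mark or the file passed through a filesystem that cannot carry it; only the unmarked-is-untrusted policy catches it.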

    8. Re:What a stupid vulnerability by Ilgaz · · Score: 1

      Badly configured web servers are also very well known in the Apple developer and user community. There are still people ZIPPING bz2 compressed disk images (DMG) around. Why? Because if the web server isn't configured to handle the DMG mime type, the user gets it in plain text inside the browser. Look at all those *.dmg.zip things, no they aren't illiterate, they know what will hit them randomly.

  5. Did Microsoft fix the vulnerability in IE? by argent · · Score: 2, Insightful

    Did Microsoft fix the vulnerability caused by Internet Explorer running with its current directory set to the Desktop and its library search path going through the Desktop? Because until they do that, the actual vulnerability in Windows that Safari made slightly easier to exploit still exists.

    1. Re:Did Microsoft fix the vulnerability in IE? by The+End+Of+Days · · Score: 3, Insightful

      The actual vulnerability is that Safari downloaded files without the user's permission. Trying to make this a Windows issue smacks of fanboyism.

    2. Re:Did Microsoft fix the vulnerability in IE? by mgblst · · Score: 1

      Sure, Microsoft will fix this, in about 2 years.

      I guess this proves how important they consider security these days. Does anybody still believe anything that they say? Yes, I really believe they have given up the fight over ODF.

    3. Re:Did Microsoft fix the vulnerability in IE? by gad_zuki! · · Score: 3, Insightful

      How did safari even get on most of those computers. I think people are seriously missing the big issue here.

      Imagine if Netscape won the browser wars and you installed Windows Media Player which later on, in the middle of the night, downloaded and installed IE for you. If Office 2008 did this on OSX there would be riots in the street. When Apple does it, it's of course Microsoft's fault.

      Granted, there's a lot of blame to go around, but claiming this is a MS problem is being pretty unfair and only shows that Apple can do anything, and few will complain.

    4. Re:Did Microsoft fix the vulnerability in IE? by argent · · Score: 1

      Imagine if Netscape won the browser wars and you installed Windows Media Player which later on, in the middle of the night, downloaded and installed IE for you.

      Except that iTunes didn't "in the middle of the night, download and install Safari".

      However Microsoft did force IE into Windows, using techniques that created many inherent security flaws that we are still battling 11 years later, this being one of them.

      Apple can do anything, and few will complain.

      When Apple fucks up, I'll be the first to complain. See An Open Letter to Apple (2004) and six subsequent articles pointing out that 'open "Safe" files after downloading' is a daft idea. It took them three years to figure that one out, and by the way if you are using Safari on OSX OR Windows, make sure that option is turned OFF.

      THAT is a security vulnerability that Apple is responsible for.

      IE executing files on the desktop if they happen to have the "right" name is all Microsoft's baby.

    5. Re:Did Microsoft fix the vulnerability in IE? by konohitowa · · Score: 1

      So, you're saying that it's perfectly logical to expect IE to execute DLLs in my Desktop folder?

      To use your vernacular, trying to make this a Windows non-issue smacks of fanboyism.

  6. Hmm? by koinu · · Score: 5, Insightful

    Safari downloads files (e.g. dynamic libraries) in user directories where the Internet Explorer could autoload them on start. Isn't the bigger problem within Internet Explorer? Why did Microsoft set up a library path to a user's directory at all?

    1. Re:Hmm? by CODiNE · · Score: 2, Interesting

      This issue has been avoided in UNIX systems for decades I believe. I remember when I was first learning about the command-line that I thought it was strange you couldn't just compile a new program and type $ a.out to launch it. That's because the current directory is not in the path. You have to type $ ./a.out to get the executable seen. The reason this is a system default is to prevent someone sneaking in a malicious copy of a system command such as ls into a directory where you'd accidentally use the fake one instead of the real one.

      --
      Cwm, fjord-bank glyphs vext quiz
  7. Re:"Carpet bomb"? by gardyloo · · Score: 3, Funny

    So if she's a squirter then you have an IED on your hands?

  8. Damn... by PawNtheSandman · · Score: 3, Funny

    All I know is if someone broke in my apartment and pissed all over my rug, I'd be pretty upset.

    1. Re:Damn... by drumbug1 · · Score: 4, Funny

      All I know is if someone broke in my apartment and pissed all over my rug, I'd be pretty upset.

      unless you're the dude... he abides...

  9. How long before Apple discontinues Safari for Win by Anonymous Coward · · Score: 0, Interesting

    Seriously. They're not used to so many vulnerabilities. Eventually they'll be like, screw this insecure OS. We're only coding for our own.

  10. Yes, the flaw is in IE. by argent · · Score: 4, Informative

    Microsoft's library path ALWAYS goes through the current directory. For some obscure reason that IE icon on the Desktop, the one that isn't a shortcut but is actually something special Microsoft added back in 1997 to make it harder to remove IE, runs IE on the Desktop instead of in the IE install directory, the way it would if it was a shortcut.

    It's all a side effect of Microsoft's shenanigans when they tried to use browser-desktop integration to make an end-run around their agreement with the US DoJ. That they've convinced people that the big news is a bug in Safari that makes it slightly easier to take advantage of this problem is, well, bizarre.

    And now you know the rest of the story.

    1. Re:Yes, the flaw is in IE. by Fast+Thick+Pants · · Score: 4, Interesting

      You can't get around this by avoiding the "special" IE icon, though. You can make a real shortcut, set the working directory to whatever you want, or even launch IE from its own program directory from a command prompt, and it will still consider the desktop to be the current directory.

      As a fun experiment,

      • copy cmd.exe to the desktop and rename it to notepad.exe
      • launch IE the "safest" way you can think up
      • view page source

      YRMV, but in my tests with IE 6 and 7 in 2k and XP, it will launch the command prompt instead of notepad, and you can see the current directory and the stuff it prepends to the PATH variable.

      Until this is fixed in IE, I recommend copying notepad.exe and all your system .DLLs from the system32 directory onto each user's desktop, and use an ACL on each one to make sure your users do not have permission to overwrite them. No, seriously. (Or you could just use another browser.)

    2. Re:Yes, the flaw is in IE. by argent · · Score: 2, Funny

      You can make a real shortcut, set the working directory to whatever you want, or even launch IE from its own program directory from a command prompt, and it will still consider the desktop to be the current directory.

      Whiskey Tango Foxtrot?

      Every time I think I'm being too hard on Microsoft, that I'm just being a cynical old fart, I come across something like this.

      Holy Mother of Turing, what were they thinking of?

    3. Re:Yes, the flaw is in IE. by John+Whitley · · Score: 1

      Microsoft's library path ALWAYS goes through the current directory.

      This isn't true. If an application calls SetDllDirectory(), it overrides the search path. The order becomes:
      1. The directory the application loaded from.
      2. The directory specified as a parameter to SetDllDirectory()
      3. system directories (order elided)
      4. PATH directories (Worthy of an if-I-had-a-time-machine-shooting.)

      The above function is highly useful to force a single specified path (it takes ONE path, not a list) early into the DLL load search order. It's pretty much necessary to use this to avoid getting screwed by some fs!%!ing asshat installing a common third-party library into WINDOWS\System32.

      If you're stuck wrestling the Windows alligator, this should pretty much always be used instead of trying to play stupid PATH games. But from other posters' reports, it seems that MS was too stupid to use one of the very functions they created to tame various DLL hell problems.

    4. Re:Yes, the flaw is in IE. by John+Whitley · · Score: 1

      Apologies for the reply-to-self, but I forgot to mention another important special-case use of SetDllDirectory(): if passed the empty string, it removes the current directory from the DLL search path. So even if your app doesn't require some particular directory to be 'blessed', this call can still mitigate a variety of DLL-related risks.
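As an added example (not code from this thread, from Microsoft, or from any project), here is a small Python model of the DLL search order the two comments above describe, with and without SetDllDirectory(), used to check whether a DLL request would be satisfied from a user-writable directory such as the Desktop. The directories, file names and the "application loaded from the Desktop" case are constructed for illustration; the model follows the documented search order but is not Windows itself.

```python
"""Model of the Win32 DLL search order discussed above (added example).

Simplified model of the documented behaviour, not Windows itself:
without SetDllDirectory, "safe DLL search mode" (XP SP2+) looks in the
application directory, then the system directories, then the current
directory, then PATH.  After SetDllDirectory(dir) the current directory
is dropped and dir is searched right after the application directory;
after SetDllDirectory("") the current directory is simply dropped.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed file system: directory -> file names it contains (lower case).
FS: Dict[str, Set[str]] = {
    r"c:\windows\system32": {"kernel32.dll", "example32.dll"},
    r"c:\program files\internet explorer": {"iexplore.exe"},
    # Two constructed files dropped on the Desktop by a drive-by download:
    # one shadows a (constructed) system DLL, one has a name nothing ships with.
    r"c:\users\alice\desktop": {"example32.dll", "helper.dll"},
    r"c:\users\alice": set(),
}
SYSTEM_DIRS = [r"c:\windows\system32", r"c:\windows"]
USER_WRITABLE = {r"c:\users\alice\desktop", r"c:\users\alice"}


@dataclass
class Process:
    app_dir: str                        # "directory the application loaded from"
    cwd: str                            # current working directory
    path_dirs: List[str] = field(default_factory=list)
    dll_dir: Optional[str] = None       # None: SetDllDirectory never called;
                                        # "": called with the empty string


def search_order(p: Process) -> List[str]:
    """Directories searched, in order, for a DLL requested by bare name."""
    if p.dll_dir is None:
        return [p.app_dir, *SYSTEM_DIRS, p.cwd, *p.path_dirs]
    explicit = [p.dll_dir] if p.dll_dir else []
    return [p.app_dir, *explicit, *SYSTEM_DIRS, *p.path_dirs]


def resolve_dll(name: str, p: Process,
                fs: Dict[str, Set[str]] = FS) -> Optional[str]:
    """Full path of the first match in the search order, or None."""
    want = name.lower()
    for d in search_order(p):
        if want in fs.get(d.lower(), set()):
            return d.lower() + "\\" + want
    return None


def loads_from_user_dir(name: str, p: Process,
                        fs: Dict[str, Set[str]] = FS) -> bool:
    """True when the DLL would be loaded from a user-writable directory."""
    hit = resolve_dll(name, p, fs)
    return hit is not None and hit.rsplit("\\", 1)[0] in USER_WRITABLE


def main() -> None:
    desktop = r"c:\users\alice\desktop"
    ie_dir = r"c:\program files\internet explorer"
    cases = {
        # The quirk the thread describes: the app directory *is* the Desktop,
        # so SetDllDirectory cannot help; the app directory is always first.
        "app dir = Desktop": Process(app_dir=desktop, cwd=desktop),
        "app dir = Desktop + SetDllDirectory('')": Process(app_dir=desktop, cwd=desktop, dll_dir=""),
        # Ordinary case: only the working directory is the Desktop.
        "cwd = Desktop": Process(app_dir=ie_dir, cwd=desktop),
        "cwd = Desktop + SetDllDirectory('')": Process(app_dir=ie_dir, cwd=desktop, dll_dir=""),
    }
    for label, proc in cases.items():
        for dll in ("example32.dll", "helper.dll"):
            flag = "  <-- user-writable" if loads_from_user_dir(dll, proc) else ""
            print(f"{label:42} {dll:14} -> {resolve_dll(dll, proc)}{flag}")


if __name__ == "__main__":
    main()
```

The output shows the thread's two points side by side: SetDllDirectory("") stops a DLL that exists nowhere else from being picked up out of the working directory, but does nothing when the application directory itself is the Desktop, because that directory is searched first regardless.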

    5. Re:Yes, the flaw is in IE. by argent · · Score: 1

      Will that also override the application search path going through the current directory?

    6. Re:Yes, the flaw is in IE. by Lars+T. · · Score: 1

      If Microsoft at least actually used the Attachment Execution Service they introduced in XP SP2 to check all kinds of executables.

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    7. Re:Yes, the flaw is in IE. by argent · · Score: 1

      What, you mean if I kill some service Windows will stop beabling at me about "do you really want to run this program you just downloaded"? Do tell!

    8. Re:Yes, the flaw is in IE. by Lars+T. · · Score: 1

      What, you mean if I kill some service Windows will stop beabling at me about "do you really want to run this program you just downloaded"? Do tell!

      Just turn it into a DLL, or so it seems.
      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    9. Re:Yes, the flaw is in IE. by Anonymous Coward · · Score: 0

      I'm not sure, but I think it's not the working directory that's really causing the problem here.
      Check this
      CWD on a recent system should be after system libraries, but "Directory from which the application loaded" is always first.
      I think IE launches from the desktop for some bizarre reason.

      Bad Microsoft! Bad!

  11. Amazed at the hubris in these comments by brunes69 · · Score: 2, Insightful

    While I am no Microsoft fan, I am amazed at the hubris of comments in this thread.

    Surely anyone with half a brain HAS TO ADMIT that the Safari vulnerability is FAR WORSE than IE setting its current path to the windows desktop.

    In fact, the Safari vulnerability can be exploited for root access to the box without IE being in the equation AT ALL. Just pick some program or two that are likely to be installed on any user's computer ( iTunes, Firefox? ), and download .exe files with those names to the desktop. *BOOM*, next time someone wants to run iTunes or Firefox, if they click that exe by accident instead of their shortcut (how would they know any different? ), they're toast.

    1. Re:Amazed at the hubris in these comments by 99BottlesOfBeerInMyF · · Score: 3, Interesting

      Surely anyone with half a brain HAS TO ADMIT that the Safari vulnerability is FAR WORSE than IE setting its current path to the windows desktop.

      Certainly not for the average Slashdot user and arguably not for anyone. Safari won't overwrite a user's existing icons, just add new ones. It also opens a download manager so users know something is being added. There are some pretty ignorant users out there, but not many that won't take note that some random Web site is downloading something called "Firefox.exe" to their desktop with an icon that looks just like their Web browser's. Finally, I notice you use the present tense. The ability to do this in Safari has been fixed, whereas the flaw with Windows has not. So, yeah I'd say the flaw in Windows is currently a FAR WORSE vulnerability, as you put it.

      The main thing here, is the Safari flaw requires user interaction to work by itself, which means you have to manage a social engineering feat and get people to do something (double click an icon). With the flaw in Windows, any download from any source that they can get on a user's desktop can be automatically run.

    2. Re:Amazed at the hubris in these comments by brunes69 · · Score: 1, Insightful

      Safari won't overwrite a user's existing icons, just add new ones. It also opens a download manager so users know something is being added. There are some pretty ignorant users out there, but not many that won't take note that some random Web site is downloading something called "Firefox.exe" to their desktop with an icon that looks just like their Web browser's

      This is a laugh and a half. I am pretty sure if I took an informal survey of my acquaintances many would not even know what a download manager was if I asked them. People nowadays just instinctively close the download manager window, both in Firefox and Safari. I have seen it in action many, many times. No one would even know what was downloaded, or care.

      The main thing here, is the Safari flaw requires user interaction to work by itself, which means you have to manage a social engineering feat and get people to do something (double click an icon).

      Like I said before, there is no social engineering required *AT ALL*. Just pick a common application name and odds are they already have it installed and it *WILL* be clicked.

      With the flaw in Windows, any download from any source that they can get on a user's desktop can be automatically run.

      Yeah, except for the fact that aside from the former Safari flaw there *IS NO WAY* to do this with any of the top web browsers, they all prompt for confirmation before downloading a file.

      I am going to go out on a limb here and even argue on MS's side, in that IMO, this is not an IE flaw at all. No one should give a rat's ass what the working directory of any application is because it can be changed at will anyway - that is the whole point of a "working directory". If your security model relies on the fact that an application never has the working directory set to an alternate location, then you have big problems.

      Namely, you should not be storing .EXE or .DLL files on your desktop for any reason REGARDLESS of this IE attribute, because any program could have its working directory set as the desktop at any given time - it all depends on how the program was launched. For example, if you hit WIN+R and type "CMD", the desktop is your default working directory. Run *ANY* program and it now might load those rogue DLLs. Do all those other programs have security holes as well now??? Or is this perhaps just because IE is an MS product?

    3. Re:Amazed at the hubris in these comments by Fast+Thick+Pants · · Score: 1

      There's plenty of face-egg to go around. Safari's drive-by download functionality is certainly idiotic, but it's just plain dangerous to have the user desktop be the place for 1) program shortcuts 2) random crap that tends to appear automatically and pile up with or without Safari's help (and, in the default config, with file extensions hidden) and 3) the built-in unremovable web browser to try to load libraries from, even though there's not the slightest reason that library files should ever be there.

    4. Re:Amazed at the hubris in these comments by Anonymous Coward · · Score: 0

      Certainly not for the average Slashdot user

      That's rather goofy to say, given that a lot of comments are people speaking on issues they appear to know nothing about.

      arguably not for anyone

      Please tell me how it is acceptable that this exploit happens. You are fully aware that this would be the bitchfest of the century if IE had this flaw.

      The main thing here, is the Safari flaw requires user interaction to work by itself, which means you have to manage a social engineering feat and get people to do something (double click an icon).

      That is pretty easy to do when you're tired - click the wrong FF icon or whatever. Boom, game over, you just got owned. The blame shifting game that both companies played is unacceptable. There is a problem, both parties should at least assist in working toward a resolution.

    5. Re:Amazed at the hubris in these comments by koinu · · Score: 1

      While I am no Microsoft fan, I am amazed at the hubris of comments in this thread.

      Well, imagine... I hate Apple and still: this is weird!

      Safari vulnerability can be exploited for root access to the box without IE being in the equation AT ALL.

      And I can tell you that, on the other hand, it will work even without Safari involved. Simply placing a DLL on a desktop will autoload it when Internet Explorer starts. This is exactly as stupid as having "." in the path environment variable. Let's think about it a moment... how many applications, tools and programs have access to a user's desktop?

      But hey... it's Microsoft... who the hell understands their "security" ideas?

    6. Re:Amazed at the hubris in these comments by Fast+Thick+Pants · · Score: 1

      For example, if you hit WIN+R and type "CMD", the desktop is your default working directory.

      No, it's your user directory, one level up from your desktop. Much harder for crap to end up there by accident, though it does happen (fools are ingenious, etc.)

      Running from the WIN+R prompt searches the path like it should, and will not run things from the desktop unless it's been added to the path.

    7. Re:Amazed at the hubris in these comments by keytoe · · Score: 1

      I am going to go out on a limb here and even argue on MS's side, in that IMO, this is not an IE flaw at all. No one should give a rat's ass what the working directory of any application is because it can be changed at will anyway - that is the whole point of a "working directory". If your security model relies on the fact that an application never has the working directory set to an alternate location, then you have big problems.

      I agree 100%. In fact, I'll go one step further and say that any application that blindly loads and executes code from the current working directory is a security nightmare waiting to happen.

    8. Re:Amazed at the hubris in these comments by ProfessionalCookie · · Score: 1

      Which brings up two other points. Whose idea was it to download to the desktop anyway?? Maybe to a downloads folder on the desktop . . but man what a bad idea.

      Almost as bad as having the desktop be a swamp of shortcuts to programs. Start menu anyone? Windows desktops of the average user remind me heavily of MySpace.

    9. Re:Amazed at the hubris in these comments by ProfessionalCookie · · Score: 1

      People nowadays just instinctively close the download manager window, both in Firefox and Safari.

      Now I agree with your point that we need to improve but is that the same way that people click Save File in IE/Firefox or are we talking about different instincts?

    10. Re:Amazed at the hubris in these comments by 99BottlesOfBeerInMyF · · Score: 1

      This is a laugh and a half. I am pretty sure if I took an informal survey of my acquaintances many would not even know what a download manager was if I asked them. People nowadays just instinctively close the download manager window, both in Firefox and Safari.

      Maybe they don't know the name, but most know what the little window showing their downloads is and even if they click to close it, they still know it is happening and see the icon. It certainly is not any more a conditioned response to close it than it is to click through the warning in Firefox.

      Like I said before, there is no social engineering required *AT ALL*. Just pick a common application name and odds are they already have it installed and it *WILL* be clicked.

      That is social engineering. You're tricking people into thinking it is a different program than it is. In order for it to work, you have to guess what application shortcuts they have on their desktop (if they have any), including the right icon.

      Yeah, except for the fact that aside from the former Safari flaw there *IS NO WAY* to do this with any of the top web browsers, they all prompt for confirmation before downloading a file.

      So what? People just click past them as often as not and they can even disguise the program as data with a clever name.

      I am going to go out on a limb here and even argue on MS's side, in that IMO, this is not an IE flaw at all.

      Automatically running a program without the user explicitly requesting that, just because it is on the desktop? Please. How often is that useful, compared to the risk it presents? That is a serious flaw.

      If your security model relies on the fact that an application never has the working directory set to an alternate location, then you have big problems.

      It's not security relying upon it. It is Windows making an exception and auto-running things from their default location for new files. That's just stupid.

      Namely, you should not be storing .EXE or .DLL files on your desktop for any reason

      Why not? Using the desktop metaphor and the fact that most users store things on their desktop and that shortcuts to programs are on the desktop, why would you expect a normal user to not store said files on the desktop?

    11. Re:Amazed at the hubris in these comments by Lars+T. · · Score: 1

      And BOOOOOOM, Windows will warn you that you are trying to run software downloaded from the Internet. Well, if you click through that, you'll also click through "Do you really really really want to download Firefox.exe".

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    12. Re:Amazed at the hubris in these comments by Lars+T. · · Score: 1

      Which brings up two other points. Whose idea was it to download to the desktop anyway??

      Firefox? That's been the default download folder for, well, ever.
      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    13. Re:Amazed at the hubris in these comments by argent · · Score: 1

      Whose idea was it to download to the desktop anyway?
      Firefox? ...
      Firefox hasn't been around that long. Netscape/Mosaic? Mosaic certainly didn't used to do that, because on the OS it was first written for there usually WASN'T a desktop back then... and Netscape used a download manager...

    14. Re:Amazed at the hubris in these comments by Anonymous Coward · · Score: 0

      I am going to go out on a limb here and even argue on MS's side, in that IMO, this is not an IE flaw at all. No one should give a rat's ass what the working directory of any application is because it can be changed at will anyway - that is the whole point of a "working directory". If your security model relies on the fact that an application never has the working directory set to an alternate location, then you have big problems.

      Obviously current working directory is not a security feature, dumbass. The problem is the DEFAULT INCLUSION OF THE WORKING DIRECTORY, OR _ANY_ USER-WRITABLE DIRECTORY IN EITHER (in this case both) THE PATH OR LINKER SEARCH PATHS.
      This is an underlying Windows problem.
      The contents of the PATH are pretty much irrelevant in a GUI, but fuck, the linker path? Are you that naive?

      Microsoft knows how fucked up this is, and attempted to correct it in 2000 SP4/XP.
      HOWEVER, you may notice that "The directory from which the application loaded." is still first, and for IE this is bizarrely the Desktop.

      UNIX folks, if having "." in your PATH scares you, imagine Windows-land where until recently, "." was in your LDPATH... right after whichever bin directory the executable was in, and before all system lib paths. It gets better, imagine if the single most Internet-exposed application on your system ran with LDPATH/LD_LIBRARY_PATH="~/Desktop: ..." by default.

      I hope that paints a pretty clear picture of how bad this is. Windows users, God help you.

  12. Re:Steve Jobs is a Cunt by mini+me · · Score: 1

    Except Safari follows future standards (CSS 3, for example) instead of making up its own random "standards" like IE 6 did.

  13. You are both right. by nobodyman · · Score: 2, Informative

    It isn't a mutually exclusive situation. There are two disparate vulnerabilities here. By themselves they aren't that big of a threat, but when used in concert the threat is greater than the sum of its parts. You need the IE issue to load the compromised dll and you need Safari in order to "secretly" download the compromised dll in the first place.

    1. Re:You are both right. by The+End+Of+Days · · Score: 1

      All a malicious website needs to do is push some sort of malware to the user's desktop, then wait and hope they run it. There is no requirement for IE to do anything, that just happens to be a path to another vulnerability that can increase the danger from this one.

      Simply throwing a file on the desktop with a familiar icon and a malicious payload would be enough to get a number of users to click it. Bam, compromised.

  14. Windows untrusted attribute in Firefox 3 by tepples · · Score: 1

    Use Firefox or other browser, and the attribute isn't set

    I've been using Firefox 3 release candidates, and they seem to set the attribute on my machine running Windows XP Service Pack 3. Are you talking about Firefox 2?

    1. Re:Windows untrusted attribute in Firefox 3 by The+MAZZTer · · Score: 1

      He probably is. Gotta wonder if he's been living under a rock for the whole Download Day thing.

  15. Ever since Bill "succeeded" ... by Joseph_Daniel_Zukige · · Score: 1

    More and more managers are behaving as if following the example of the Bill & Steve act is actually good business.

    Nothing new about it, read about it in the history of Rome and earlier, as far back as we can read history about nations warring against each other, in fact.

    Money is like pus. It collects at wounds, and collects faster at dirty wounds.

  16. The actual vulnerability is in IE. by argent · · Score: 3, Interesting

    The actual vulnerability is that Safari downloaded files without the user's permission.

    Asking for permission before doing something that may potentially lead to a security exploit is no protection at all. Seriously. In the eight years between the time Microsoft introduced the browser-desktop merge, and the time I quit being a system admin and went back to programming, I had many many cases where some user (and these weren't dumb users, these were engineers and programmers with PhDs and patents to their name) would come to me and say "Peter, I just clicked the wrong button again, and I think I have a virus". That "again" is important. That means that they have the "Windows pops up stupid dialogs all the time so I have to approve this one" reflex burned into their cortex.

    A user is not going to realize that a web page asking to download "someobscuregibberish.dll" is attacking them.

    Stupid permission dialogs are no protection.

    The actual vulnerability is twofold:

    1. The path goes through the current directory by default, and it goes through the current directory first.

    This is something that UNIX used to do, and it was widely recognized as a BAD idea by 1980. MS-DOS wasn't even out yet, let alone Windows.

    2. The default download directory is the default directory of any program, let alone a program that is run virtually every time you log in.

    This one is, well, beyond stupid. This is like having the mailslot in your front door connect to your safe deposit box. The directory that is MOST likely to contain malicious code is the one that you're MOST likely to be running code from on any given day.

    Trying to make this a Windows issue smacks of fanboyism.

    Name one other operating system or application where downloading files to the default download folder would cause them to be run, under any normal circumstances. The whole idea is completely insane.

    1. Re:The actual vulnerability is in IE. by The+End+Of+Days · · Score: 1

      All very well and good, and the completely unrelated vulnerability in IE should also be fixed. But that still has nothing to do with the Safari vulnerability. Your deflection skills are weak.

  17. Mod me redundant by Joseph_Daniel_Zukige · · Score: 1

    Even though someone else said it already, I'm going to try to make it glaringly obvious for all the mods that modded you up insightful or whatever --

    In the unix world, we learned a long time ago not to put the home directory or the current working directory in the default executable path variable. The reasons were known before MS-Dos was a product, although there were still some *nix products from the less savvy vendors that had .profile put "." in "$PATH" when MSWindows95 became a product.

    Reputable *nix vendors have had that fixed for at least a decade.

    There is only one MSWindowsXXX vendor, and they still leave the path effectively set up to include a place where downloading, drive-by or otherwise, tends to drop things.

    That's a no-no for all the user-clicks-through reasons being cited.

    Safari's bug was just a Denial-Of-Service type of bug without this design flaw in MSWindows.

  18. The IE flaw is a threat even without Safari. by argent · · Score: 2, Interesting

    By themselves they aren't that big of a threat

    Um, yes, the IE flaw *is* that big of a threat. There is no circumstance where it should EVER be acceptable for a downloaded file, whether with permissions or not (who other than a geek is going to worry about downloading a file called "somethingobscure.dll"?), to be AUTOMATICALLY executed just because of the name it's given.

    I hope Microsoft fixes it bloody quick.

  19. 3 decades, to be precise... by argent · · Score: 1

    We had regular warnings about not adding "." to $PATH when I was at Berkeley... in 1978.

  20. Re:Steve Jobs is a Cunt by konohitowa · · Score: 1

    The fact that I'm replying at all is a testament to the quality of the ACs troll.

    I just spent 2 hours getting div transparencies to work with IE 6. The Safari and Firefox portions took a few minutes. Getting it to work in IE6 was a royal pain. To compound the problem, IE6 also doesn't support PNG alpha channels.

    With any luck, IE6 will go the way of the dodo bird soon enough and I won't have to worry about it anymore.

  21. Social engineering automatic execution. by argent · · Score: 1

    Just pick some program or two that are likely to be installed on any user's computer ( iTunes, Firefox? ), and download .exe files with those names to the desktop. *BOOM*, next time someone wants to run iTunes or Firefox, if they click that exe by accident instead of their shortcut (how would they know any different? ), they're toast.

    This is called a "social engineering attack".

    You don't need Safari to do this. People have been "phished" by this kind of attack as long as there have been desktop operating systems.

    The thing is, you can learn not to be social engineered.

    If you can stick a file some place the *operating system* trusts it, however, even if the user gets asked "is it OK for me to download obscurecrap.dll", you're home free. And it's a LOT easier to social-engineer people to approve a dialog than to get them to click on the wrong icon... particularly when more people will notice a second iTunes icon on the desktop than give "obscurecrap" a second glance.

    Social engineering attacks are FAR less dangerous than automatic execution ones.

    But while I think about it... that business of hiding the file type, Microsoft? How about you don't do that, OK? It makes phishing easier. Oh, you too Apple, I'm looking at you as well.

    Oh, and Microsoft, what kind of fucked up idea was it to make the desktop the default download location in the first place? That didn't used to be standard, I used to find that stuff in a "downloads" folder, but everyone copies you even when you're doing something really stupid like that.

  22. What do you think "social engineering" means? by argent · · Score: 1

    Like I said before, there is no social engineering required *AT ALL*. Just pick a common application name and odds are they already have it installed and it *WILL* be clicked.

    What do you think social engineering *means*?

    You CAN learn not to be social engineered.

    It's a LOT harder to learn when it's OK to approve one of Windows myriad stupid "security theatre" dialogs.

    In the decade that I was a Windows network admin, I would ROUTINELY have people who came by and said "peter, I clicked on the wrong button again and I think I have a virus". That again is critical.

    I've also had people say they'd been tricked into running a program (from the desktop in some cases, back when there was less paranoia about downloads) but only one person was ever caught that way twice.

    Clicking "OK" when the computer pops up "Internet Explorer wants to detonate your monitor"? You bet. That's a passive response to a dialog they've been trained to approve. Running a program, even when it was disguised as a document or another kind of icon (because the kind of attack you're talking about is NOT new)? That's a lot harder to depend on.

    Almost everyone CAN learn not to be social-engineered, once you eliminate that reflex reaction.

  23. PS... by argent · · Score: 1

    For example, if you hit WIN+R and type "CMD", the desktop is your default working directory.

    Wrong. It's your profile, the parent directory of your desktop.

    And virtually no GUI applications on Windows EVER change their current working directory.

    No one should give a rat's ass what the working directory of any application is

    True. The current working directory should not be in the search path for applications or DLLs.

    Namely, you should not be storing .EXE or .DLL files on your desktop for any reason

    Wrong. That is depending on not having dangerous stuff in your current working directory. If the downloads were to %PROFILE%\Downloads then you'd be in trouble if you ran a program from that directory.

    Again, and UNIX developers figured this one out back before Microsoft shipped copy #1 of MS-DOS, the current directory should not be in any executable search path.

  24. How windows handles files... by Ilgaz · · Score: 1

    I am subscribed to the Apple security mailing list, I recommend it to everyone. It is less BS: plain text alerts about anything related to security updates released by Apple. They mail immediately too, even beating Software Update. It is for both OS X and Windows.

    http://lists.apple.com/mailman/listinfo/security-announce

    I noticed something really bothers me as OS X only user:
    http://lists.apple.com/archives/Security-announce/2008/Jun/msg00001.html

    "Impact: Saving untrusted files to the Windows desktop may lead to the execution of arbitrary code
    Description: An issue exists in how the Windows desktop handles executables. Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code."

    No, Windows Desktop always running something based on its extension is not an issue, it is how Windows works. Is it backwards? Well, it is but it is THEIR OS. Should MS add "This is executable" to some OS X file (via Unix perm or Resource and extension) and blame Apple like "An issue exists how OS X handles files" for their fault?

    It is understandable for a company like Apple to let the PR team do the final edit on security bulletins but they shouldn't use it in a childish way like that. At least on the security list. Also putting Windows issues on the first "page" and OS X issues down below is a real cheap trick. Not on that message, but it has happened several times when multiple OS issues have arisen.

  25. Mod parent down. by Anonymous Coward · · Score: 0

    +4 Insigh... WHAT?

    The bigger vulnerability is an internet facing application with the user's desktop (first) in its library search path.

    Jesus Tap Dancing Christ how can you all miss this?
    Most of you know PATH="." is bad right? Well, if you don't, get off Slashdot NOW.
    Windows used to have this equivalent:
    LDPATH="$PATH: .: /lib/usr/lib"
    From XP on it's now
    LDPATH="$PATH: /lib/usr/lib: ."
    Well, at least the user writable directory is last..
    Now imagine that Firefox runs with LDPATH="~/Desktop: /lib/usr/lib: ."
    HOW CAN THAT NOT BE HORRIBLY, HORRIBLY BAD?

    Mod this joker down.