Apple Fixes Safari "Carpet Bomb" Windows Vulnerability
Titoxd writes "Apple has released a new version of Safari that fixes the carpet bomb vulnerability in Safari 3.1 for Windows. This comes on the heels of Microsoft recommending against using Safari in Windows, as well as the release of code exploiting this vulnerability."
Microsoft's library path ALWAYS goes through the current directory. For some obscure reason that IE icon on the Desktop, the one that isn't a shortcut but is actually something special Microsoft added back in 1997 to make it harder to remove IE, runs IE on the Desktop instead of in the IE install directory, the way it would if it was a shortcut.
It's all a side effect of Microsoft's shenanigans when they tried to use browser-desktop integration to make an end-run around their agreement with the US DoJ. That they've convinced people that the big news is a bug in Safari that makes it slightly easier to take advantage of this problem is, well, bizarre.
And now you know the rest of the story.
np: Seabear - Sailors Blue (The Ghost That Carried Us Away)
"I'm not anti-anything, I'm anti-everything, it fits better." - Sole
It isn't a mutually exclusive situation. There are two disparate vulnerabilities here. By themselves they aren't that big of a threat, but when used in concert the threat is greater than the sum of its parts. You need the IE issue to load the compromised dll and you need Safari in order to "secretly" download the compromised dll in the first place.
I disagree. If I click a link to download something, well obviously I want to download it. Clicking a second time to confirm is an annoyance. Apple's solution is to let things download, but put them in the downloads folder and flag them as untrusted content from the internet (well not flag them as trusted, since the default is untrusted). That is to say, that is their solution on OS X. On Windows, there is no download folder and for some reason they screwed up and did not flag it as untrusted in Vista (XP does not support that either). In my mind, their solution on OS X is superior, because it also helps solve the problem of executables masquerading as data. It means I can download a picture without any extra clicking and when I open it, I know it is just a picture. When I download an executable and then run it, I get a warning that it is a new executable (thus informing me it isn't data). I also get a link to open up the originating page so if it was downloaded a while ago, I can go see if it was something I wanted or a drive-by download or a trojan I thought was data at the time I downloaded it. From a larger perspective, I think it makes more sense to handle this type of solution at the OS level, since there are so many different programs that download files. It is better to have one good, consistent solution than a bunch of different ones of different quality levels. This fix from Apple is actually a work-around for Windows' lack of support for Apple's better (IMHO) solution.
That is not to say everything is kosher. As far as I know Apple still isn't flagging executables as new on Vista where they stupidly default to trusted. Apple should have had a limit on the number of automatic downloads in response to a click or page load (probably one file) instead of letting one link download a dozen or more files. Apple also should have looked more closely at the way Windows works and tuned their solution from the start. One of the biggest problems with Safari on Windows is that it is a port and Apple has to recreate bits of OS X that Windows is missing as well as work around weird flaws in the Windows way of handling things. Apple has been less than stellar at this both with Safari and other software for Windows.
Still, I think downloading files in Safari on OS X is still a much better designed security concept than downloading files in Firefox on Windows. Firefox might be a more secure practical solution at this point though, because although their concept is not as secure, their code has been hammered on and tested a lot more, resulting in a less buggy implementation.
Actually, Windows has this as well.
If you download a file using Internet Explorer, an NTFS file attribute is set that marks it as "downloaded - untrusted". Double click the file and you get a popup asking "Do you want to run this executable?" with a popup and showing the executable properties (signed by, etc). Problem is, it requires that you run NTFS, and if you copy the file to a network server, that network server to support extended attributes. Use Firefox or another browser, and the attribute isn't set, or copy to a fileserver that doesn't support extended attributes, and it's lost.
(Most frustrating when you have to apply 12+ patches to a program that Microsoft Update doesn't have support for. I wrote a little bash script that shells out cmd.exe (was an MSI file) to do this, but you're still left with these popups).
As for OS X, I believe these notifications started in Leopard. They too are extended attributes, I believe. Though I think OS X copies attributes to filesystems/servers that don't support them by using dotfiles, so copying the file around doesn't get rid of it. (It goes away after you've approved it, though.) No reason why Apple couldn't figure out what flag IE sets and have Safari do the same on Windows, either.
Actually, Vista -does- have a specific Download folder now, for the record.
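The "downloaded - untrusted" attribute discussed in the comments above is stored by Windows as an NTFS alternate data stream named `Zone.Identifier` (a name the thread itself does not give). The following is an added example, not code from the thread: it parses that stream and lists executable-type files in a folder that carry no Internet-zone mark. The sample stream, the suffix list and all function names are constructed for illustration.

```python
import configparser
import sys
from pathlib import Path

# Windows URL security zones; a browser marks Internet downloads as zone 3.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
RISKY_SUFFIXES = {".exe", ".dll", ".msi", ".scr", ".bat", ".cmd"}

# Constructed sample of the stream text written for an Internet download.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
HostUrl=https://downloads.example.test/setup.exe
"""


def parse_zone_identifier(text):
    """Return the ZoneId held in Zone.Identifier text, or None if absent/invalid."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))
        zone = int(parser["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None
    return zone if zone in ZONES else None


def read_mark(path):
    """Read a file's mark from its alternate data stream (NTFS on Windows)."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None  # no stream, non-NTFS volume, or not running on Windows


def unmarked_executables(folder, reader=read_mark):
    """List executable-type files that carry no Internet or Restricted Sites mark."""
    findings = []
    for entry in sorted(Path(folder).iterdir()):
        if entry.is_file() and entry.suffix.lower() in RISKY_SUFFIXES:
            zone = reader(entry)
            if zone is None or zone < 3:
                findings.append((entry.name, ZONES.get(zone, "no mark")))
    return findings


if __name__ == "__main__":
    # Folder to audit is an assumed command-line argument; defaults to ".".
    for name, state in unmarked_executables(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{name}: {state}")
```

Run against a downloads folder or the Desktop, it shows which files a browser left without the mark, the situation the comments describe for Firefox and for copies to servers that drop the attribute.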