Apple Fixes Safari "Carpet Bomb" Windows Vulnerability

Titoxd writes "Apple has released a new version of Safari that fixes the carpet bomb vulnerability in Safari 3.1 for Windows. This comes on the heels of Microsoft recommending against using Safari on Windows, as well as the release of code exploiting this vulnerability."

14 of 99 comments

  1. But did they fix the real bug? by rustalot42684 · Score: 5, Insightful

    Did they fix the bug where Safari installs as an iTunes update? I'd say that that is a fairly severe bug right there.

    1. Re:But did they fix the real bug? by 99BottlesOfBeerInMyF · Score: 4, Insightful

      Last I checked the "new" software was still checked by default - and I really don't feel like installing anything that ASU comes with right now. So does anyone know if they finally fixed THAT idiocy?

      Why would they need to "fix" it. It is operating as they prefer it, the same as all the software MS includes in Windows that most of us would prefer we did not have to install. Is it so difficult for you to uncheck that box if you're performing an update?

    2. Re:But did they fix the real bug? by torchdragon · Score: 5, Insightful

      Yes.

      Recently, the Java update software has begun asking for the Open Office installer to be installed on the system during an update for Java. Several users at my company have clicked straight through and added more crap to their desktop/registry/uninstall information.

      Can we blame the users for not reading every detail and not unchecking a checkbox? Yes.
      Can we also blame software vendors who are relying on the aforementioned user behavior to add their software to your computer on the sly? Yes.

      It's a bad practice and it needs to stop.

      If something is required for the operation of a software package, default to selected.
      If something is optional or not required for the operation of a software package, default to unselected.

      Why are we allowing marketing to override good engineering?

      --
      "Don't feel bad for me child; I'm the monster that hides under your bed."
    3. Re:But did they fix the real bug? by lusiphur69 · Score: 5, Insightful

      The real question is why are you defending Apple's unethical bundling - when the same is performed by Microsoft we criticize it. Call a spade a spade or you look foolish. Face it, this kind of practice is unacceptable, whether or not it comes from your favorite company.

      Is it so difficult for you to uncheck that box if you're performing an update? For me, no. For millions of uneducated end users, it is. Get it?
    4. Re:But did they fix the real bug? by Calibax · Score: 1, Insightful

      I guess it's about as unethical as Microsoft forcing IE7 on all users who use automatic updates. In fact, Microsoft forces new stuff all the time this way.

      Not defending it - just saying that Apple, Microsoft and Sun all do this, so don't single out Apple as being unethical in this manner.

    5. Re:But did they fix the real bug? by Anonymous Coward · Score: 4, Insightful

      No, it isn't like that. IE7 is an upgrade to something already installed and, to most end-users, in use. Safari is an entirely new piece of software. There's a difference, whether you like it or not.

    6. Re:But did they fix the real bug? by Calibax · Score: 2, Insightful

      Nevertheless, IE7 broke a bunch of stuff at my company. The IT folks spent a considerable amount of time and energy getting everything on the intranet working with it.

      I would strongly argue that IE7 was a new product with a similar name, and not an upgrade.

  2. What a stupid vulnerability by sakdoctor · Score: 2, Insightful

    It's pretty common that some badly configured web server will send content to me that firefox will then ask if I want to download.

    Just letting it download and then moving on to the next file is...well such an obviously stupid behaviour.

    Also, please don't let carpet bombing become the next security buzzword along with bricking and zero-day.

  3. Did Microsoft fix the vulnerability in IE? by argent · Score: 2, Insightful

    Did Microsoft fix the vulnerability caused by Internet Explorer running with its current directory set to the Desktop and its library search path going through the Desktop? Because until they do that, the actual vulnerability in Windows that Safari made slightly easier to exploit still exists.

    1. Re:Did Microsoft fix the vulnerability in IE? by The+End+Of+Days · Score: 3, Insightful

      The actual vulnerability is that Safari downloaded files without the user's permission. Trying to make this a Windows issue smacks of fanboyism.

    2. Re:Did Microsoft fix the vulnerability in IE? by gad_zuki! · Score: 3, Insightful

      How did safari even get on most of those computers. I think people are seriously missing the big issue here.

      Imagine if Netscape had won the browser wars and you installed Windows Media Player which later on, in the middle of the night, downloaded and installed IE for you. If Office 2008 did this on OSX there would be riots in the street. When Apple does it, it's of course Microsoft's fault.

      Granted, there's a lot of blame to go around, but claiming this is an MS problem is being pretty unfair and only shows that Apple can do anything, and few will complain.

  4. Hmm? by koinu · Score: 5, Insightful

    Safari downloads files (e.g. dynamic libraries) in user directories where the Internet Explorer could autoload them on start. Isn't the bigger problem within Internet Explorer? Why did Microsoft setup a library path to a user's directory at all?

  5. Amazed at the hubris in these comments by brunes69 · Score: 2, Insightful

    While I am no Microsoft fan, I am amazed at the hubris of comments in this thread.

    Surely anyone with half a brain HAS TO ADMIT that the Safari vulnerability is FAR WORSE than IE setting its current path to the Windows desktop.

    In fact, the Safari vulnerability can be exploited for root access to the box without IE being in the equation AT ALL. Just pick some program or two that are likely to be installed on any user's computer ( iTunes, Firefox? ), and download .exe files with those names to the desktop. *BOOM*, next time someone wants to run iTunes or Firefox, if they click that exe by accident instead of their shortcut (how would they know any different? ), they're toast.
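
The look-alike scenario in the comment above (a dropped "Firefox.exe" sitting next to the real "Firefox" shortcut) can be checked for mechanically. The script below is an added illustration, not code from the original thread or from Apple or Microsoft: it takes a Desktop directory listing and reports executables whose name collides with a shortcut, plus any executable-type file on the Desktop at all, since none belong there. The sample listing is constructed; with Windows' default "Hide extensions for known file types" setting, "Firefox.lnk" and "Firefox.exe" both display as "Firefox", which is why the name collision matters.

```python
"""Triage a Windows Desktop listing for carpet-bombed executables.

Added example for this thread, not the page's own code. The listing
SAMPLE_DESKTOP below is constructed; scan_desktop() reads a real directory.
"""
from __future__ import annotations

import os

# File types Explorer will run on double-click. .dll is included because a
# DLL dropped here can be picked up by a program whose working directory is
# the Desktop (the other branch of this thread).
EXECUTABLE_EXTS = frozenset({".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll"})

# Constructed sample: two genuine shortcuts, one document, and three files
# a drive-by download could have dropped.
SAMPLE_DESKTOP = [
    "Firefox.lnk",
    "iTunes.lnk",
    "report.docx",
    "Firefox.exe",      # shadows the Firefox shortcut
    "itunes.EXE",       # shadows the iTunes shortcut (NTFS names are case-insensitive)
    "libfoo.dll",       # hypothetical name; no shortcut to shadow, still a stray binary
]


def _stem_ext(name: str) -> tuple[str, str]:
    stem, ext = os.path.splitext(name)
    return stem.casefold(), ext.lower()


def find_shortcut_shadows(entries: list[str]) -> list[tuple[str, str]]:
    """Return (executable, shortcut) pairs that display under the same name.

    Comparison is case-insensitive because Windows file names are.
    """
    shortcuts = {}
    for name in entries:
        stem, ext = _stem_ext(name)
        if ext == ".lnk":
            shortcuts[stem] = name
    findings = []
    for name in entries:
        stem, ext = _stem_ext(name)
        if ext in EXECUTABLE_EXTS and stem in shortcuts:
            findings.append((name, shortcuts[stem]))
    return sorted(findings)


def stray_executables(entries: list[str]) -> list[str]:
    """Every executable-type file in the listing, shadowing a shortcut or not."""
    return sorted(n for n in entries if _stem_ext(n)[1] in EXECUTABLE_EXTS)


def scan_desktop(path: str | None = None) -> dict[str, list]:
    """Run both checks against a real Desktop (defaults to ~/Desktop)."""
    if path is None:
        path = os.path.join(os.path.expanduser("~"), "Desktop")
    entries = os.listdir(path) if os.path.isdir(path) else []
    return {
        "shadows": find_shortcut_shadows(entries),
        "stray_executables": stray_executables(entries),
    }


if __name__ == "__main__":
    print("shadowed shortcuts:", find_shortcut_shadows(SAMPLE_DESKTOP))
    print("stray executables:", stray_executables(SAMPLE_DESKTOP))
    print("this machine:", scan_desktop())
```

The shadow check is the one that matters for the "double-click the wrong Firefox" case; the stray-executable list is the broader cleanup signal, since a user's Desktop normally holds shortcuts and documents, not binaries.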

    1. Re:Amazed at the hubris in these comments by brunes69 · Score: 1, Insightful

      Safari won't overwrite a user's existing icons, just add new ones. It also opens a download manager so users know something is being added. There are some pretty ignorant users out there, but not many that won't take note that some random Web site is downloading something called "Firefox.exe" to their desktop with an icon that looks just like their Web browser's.

      This is a laugh and a half. I am pretty sure if I took an informal survey of my acquaintances many would not even know what a download manager was if I asked them. People nowadays just instinctively close the download manager window, both in Firefox and Safari. I have seen it in action many, many times. No one would even know what was downloaded, or care.

      The main thing here is that the Safari flaw requires user interaction to work by itself, which means you have to manage a social engineering feat and get people to do something (double-click an icon).

      Like I said before, there is no social engineering required *AT ALL*. Just pick a common application name and odds are they already have it installed and it *WILL* be clicked.

      With the flaw in Windows, any download from any source that they can get on a user's desktop can be automatically run.

      Yeah, except for the fact that aside from the former Safari flaw there *IS NO WAY* to do this with any of the top web browsers, they all prompt for confirmation before downloading a file.

      I am going to go out on a limb here and even argue on MS's side, in that IMO, this is not an IE flaw at all. No one should give a rat's ass what the working directory of any application is because it can be changed at will anyway - that is the whole point of a "working directory". If your security model relies on the fact that an application never has the working directory set to an alternate location, then you have big problems.

      Namely, you should not be storing .EXE or .DLL files on your desktop for any reason REGARDLESS of this IE attribute, because any program could have its working directory set as the desktop at any given time - it all depends on how the program was launched. For example, if you hit WIN+R and type "CMD", the desktop is your default working directory. Run *ANY* program and it now might load those rogue DLLs. Do all those other programs have security holes as well now??? Or is this perhaps just because IE is an MS product?
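
The argument running through this branch of the thread (argent's "library search path going through the Desktop", koinu's "why did Microsoft set up a library path to a user's directory", and the working-directory point immediately above) turns on where Windows looks when a program calls LoadLibrary with a bare file name. The script below is an added illustration, not code from the thread or from Microsoft: it simulates that search order for a constructed directory layout in which a drive-by download has dropped DLLs onto the Desktop and the Desktop is the current directory. The DLL names helper.dll and optional_plugin.dll are hypothetical; the KnownDLLs subset and the two search orders (SafeDllSearchMode on, the default since Windows XP SP2, and off) are as Windows documents them.

```python
"""Simulate Windows' DLL search order for LoadLibrary("name.dll").

Added example for this thread, not the page's own code. LAYOUT is a
constructed picture of one machine; the search orders and KnownDLLs
behaviour are real, the file names helper.dll / optional_plugin.dll are not.
"""
from __future__ import annotations

# Search order with SafeDllSearchMode enabled (default since XP SP2).
SAFE_ORDER = ("app_dir", "system32", "system16", "windows", "cwd", "path")
# Search order with SafeDllSearchMode disabled: the current directory is
# consulted right after the application's own directory.
LEGACY_ORDER = ("app_dir", "cwd", "system32", "system16", "windows", "path")

# A subset of HKLM\...\Session Manager\KnownDLLs. These are always mapped
# from System32 and are never searched for, whatever the current directory holds.
KNOWN_DLLS = frozenset({
    "kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll", "ole32.dll", "shell32.dll",
})

# Constructed layout: label -> (directory, names present there).
# "path" is a list because %PATH% has several entries.
LAYOUT = {
    "app_dir":  (r"C:\Program Files\Internet Explorer", {"iexplore.exe"}),
    "system32": (r"C:\Windows\System32", set(KNOWN_DLLS) | {"helper.dll"}),  # helper.dll: hypothetical
    "system16": (r"C:\Windows\System", set()),
    "windows":  (r"C:\Windows", set()),
    # The carpet-bombed Desktop, which is also the current directory.
    "cwd":      (r"C:\Users\alice\Desktop", {"helper.dll", "optional_plugin.dll", "Firefox.exe"}),
    "path":     [(r"C:\Windows\System32\Wbem", set())],
}


def _entries(layout: dict, label: str) -> list[tuple[str, set[str]]]:
    value = layout.get(label)
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def resolve_dll(name: str, layout: dict = LAYOUT, safe_mode: bool = True) -> str | None:
    """Return the path a bare-name LoadLibrary(name) would bind to, or None."""
    lname = name.lower()
    if lname in KNOWN_DLLS:
        # Known DLLs short-circuit the search entirely.
        return layout["system32"][0] + "\\" + name
    for label in (SAFE_ORDER if safe_mode else LEGACY_ORDER):
        for directory, files in _entries(layout, label):
            if lname in {f.lower() for f in files}:
                return directory + "\\" + name
    return None


def hijacked_from_cwd(names: list[str], layout: dict = LAYOUT, safe_mode: bool = True) -> list[str]:
    """Names from `names` that would be loaded out of the current directory."""
    cwd = layout["cwd"][0] + "\\"
    return sorted(n for n in names if (resolve_dll(n, layout, safe_mode) or "").startswith(cwd))


if __name__ == "__main__":
    probe = ["kernel32.dll", "helper.dll", "optional_plugin.dll", "nonexistent.dll"]
    for mode in (True, False):
        print(f"SafeDllSearchMode={'on' if mode else 'off'}")
        for dll in probe:
            print(f"  {dll:22} -> {resolve_dll(dll, safe_mode=mode)}")
        print("  hijacked from cwd:", hijacked_from_cwd(probe, safe_mode=mode))
```

The run shows the two halves of the disagreement. With SafeDllSearchMode on, a DLL that exists in System32 (helper.dll here) is found before the Desktop is ever consulted, so only a name the program probes for and that is absent from its own and the system directories (optional_plugin.dll) binds to the dropped file. With SafeDllSearchMode off, the Desktop is searched second, and any non-KnownDLL the program loads by bare name is hijackable. Either way the exposure exists for whatever process has the Desktop as its working directory, not just IE; an application can remove the current directory from its own search with SetDllDirectory("").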