Slashdot Mirror


Apple Fixes Safari "Carpet Bomb" Windows Vulnerability

Titoxd writes "Apple has released a new version of Safari that fixes the carpet bomb vulnerability in Safari 3.1 for Windows. This comes on the heels of Microsoft recommending against using Safari in Windows, as well as the release of code exploiting this vulnerability."

6 of 99 comments

  1. How long before Apple discontinues Safari for Win by Anonymous Coward · · Score: 0, Interesting

    Seriously. They're not used to so many vulnerabilities. Eventually they'll be like, screw this insecure OS. We're only coding for our own.

  2. Re:Amazed at the hubris in these comments by 99BottlesOfBeerInMyF · · Score: 3, Interesting

    Surely anyone with half a brain HAS TO ADMIT that the Safari vulnerability is FAR WORSE than IE setting its current path to the windows desktop.

    Certainly not for the average Slashdot user and arguably not for anyone. Safari won't overwrite a user's existing icons, just add new ones. It also opens a download manager so users know something is being added. There are some pretty ignorant users out there, but not many that won't take note that some random Web site is downloading something called "Firefox.exe" to their desktop with an icon that looks just like their Web browser's. Finally, I notice you use the present tense. The ability to do this in Safari has been fixed, whereas the flaw with Windows has not. So, yeah I'd say the flaw in Windows is currently a FAR WORSE vulnerability, as you put it.

    The main thing here is the Safari flaw requires user interaction to work by itself, which means you have to manage a social engineering feat and get people to do something (double-click an icon). With the flaw in Windows, any download from any source that they can get on a user's desktop can be automatically run.

  3. Re:Yes, the flaw is in IE. by Fast+Thick+Pants · · Score: 4, Interesting

    You can't get around this by avoiding the "special" IE icon, though. You can make a real shortcut, set the working directory to whatever you want, or even launch IE from its own program directory from a command prompt, and it will still consider the desktop to be the current directory.

    As a fun experiment,

    • copy cmd.exe to the desktop and rename it to notepad.exe
    • launch IE the "safest" way you can think up
    • view page source
    YRMV, but in my tests with IE 6 and 7 in 2k and XP, it will launch the command prompt instead of notepad, and you can see the current directory and the stuff it prepends to the PATH variable.

    Until this is fixed in IE, I recommend copying notepad.exe and all your system .DLLs from the system32 directory onto each user's desktop, and use an ACL on each one to make sure your users do not have permission to overwrite them. No, seriously. (Or you could just use another browser.)

  4. Re:Hmm? by CODiNE · · Score: 2, Interesting

    This issue has been avoided in UNIX systems for decades I believe. I remember when I was first learning about the command-line that I thought it was strange you couldn't just compile a new program and type $ a.out to launch it. That's because the current directory is not in the path. You have to type $ ./a.out to get the executable seen. The reason this is a system default is to prevent someone sneaking in a malicious copy of a system command such as ls into a directory where you'd accidentally use the fake one instead of the real one.

    --
    Cwm, fjord-bank glyphs vext quiz
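
Added example, not part of the original thread or any commenter's code: a POSIX shell check for the search-path rule comment 4 describes. It goes beyond that comment by also flagging empty and relative entries (which resolve against the current directory) and world-writable directories; `audit_path`, the `ap_` variables and `SAMPLE_PATH` are names made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag PATH entries that make the shell
# search the current directory or a directory any local user can write to.

# audit_path PATHSTRING -> prints findings, returns 1 if any entry is risky.
# POSIX sh has no "local", so helper variables carry an ap_ prefix.
audit_path() {
    ap_rest="$1:"      # trailing ":" so a final empty entry is still visited
    ap_pos=0
    ap_bad=0
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}
        ap_rest=${ap_rest#*:}
        ap_pos=$((ap_pos + 1))
        case "$ap_entry" in
            "")
                echo "entry $ap_pos: empty, treated as the current directory"
                ap_bad=1 ;;
            /*)
                # Absolute path: check the "other" write bit in ls -l output.
                [ -d "$ap_entry" ] || continue
                case "$(ls -ldL "$ap_entry")" in
                    d???????w*)
                        echo "entry $ap_pos: $ap_entry is world-writable"
                        ap_bad=1 ;;
                esac ;;
            *)
                # ".", "..", "bin", "./tools": all resolved against the cwd.
                echo "entry $ap_pos: '$ap_entry' is relative to the current directory"
                ap_bad=1 ;;
        esac
    done
    return "$ap_bad"
}

# Constructed sample value, not taken from any real system.
SAMPLE_PATH=".:/usr/bin::bin"
audit_path "$SAMPLE_PATH" || true
```
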
  5. The actual vulnerability is in IE. by argent · · Score: 3, Interesting

    The actual vulnerability is that Safari downloaded files without the user's permission.

    Asking for permission before doing something that may potentially lead to a security exploit is no protection at all. Seriously. In the eight years between the time Microsoft introduced the browser-desktop merge, and the time I quit being a system admin and went back to programming, I had many many cases where some user (and these weren't dumb users, these were engineers and programmers with PhDs and patents to their name) would come to me and say "Peter, I just clicked the wrong button again, and I think I have a virus". That "again" is important. That means that they have the "Windows pops up stupid dialogs all the time so I have to approve this one" reflex burned into their cortex.

    A user is not going to realize that a web page asking to download "someobscuregibberish.dll" is attacking them.

    Stupid permission dialogs are no protection.

    The actual vulnerability is twofold:

    1. The path goes through the current directory by default, and it goes through the current directory first.

    This is something that UNIX used to do, and it was widely recognized as a BAD idea by 1980. MS-DOS wasn't even out yet, let alone Windows.

    2. The default download directory is the default directory of any program, let alone a program that is run virtually every time you log in.

    This one is, well, beyond stupid. This is like having the mailslot in your front door connect to your safe deposit box. The directory that is MOST likely to contain malicious code is the one that you're MOST likely to be running code from on any given day.

    Trying to make this a Windows issue smacks of fanboyism.

    Name one other operating system or application where downloading files to the default download folder would cause them to be run, under any normal circumstances. The whole idea is completely insane.

  6. The IE flaw is a threat even without Safari. by argent · · Score: 2, Interesting

    By themselves they aren't that big of a threat

    Um, yes, the IE flaw *is* that big of a threat. There is no circumstance where it should EVER be acceptable for a downloaded file, whether with permissions or not (who other than a geek is going to worry about downloading a file called "somethingobscure.dll"?), to be AUTOMATICALLY executed just because of the name it's given.

    I hope Microsoft fixes it bloody quick.