Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Fixes Safari "Carpet Bomb" Windows Vulnerability

Posted by kdawson on from the no-more-carpet-tax dept.

Titoxd writes "Apple has released a new version of Safari that fixes the carpet bomb vulnerability in Safari 3.1 for Windows. This comes in the heels of Microsoft recommending against using Safari in Windows, as well as the release of code exploiting this vulnerability."

12 of 99 comments (clear)

  1. You mean? by Centurix · · Score: 5, Funny

    You think the carpet bombers did this?
    Face it man, that rug really tied the room together...

    --
    Task Mangler
  2. I installed the update... by Anonymous Coward · · Score: 4, Funny

    And my computer rebooted into OS X. Not that I mind, really.

  3. But did they fix the real bug? by rustalot42684 · · Score: 5, Insightful

    Did they fix the bug where Safari installs as an iTunes update? I'd say that that is a fairly severe bug right there.

    1. Re:But did they fix the real bug? by tokul · · Score: 5, Informative

      Did they fix the bug where Safari installs as an iTunes update?
      New (released more than one month ago) Apple Software Update has two sections. One for updates and other for new software. When Safari was introduced, Software Update had only one section.
    2. Re:But did they fix the real bug? by 99BottlesOfBeerInMyF · · Score: 4, Insightful

      Last I checked the "new" software was still checked by default - and I really don't feel like installing anything that ASU comes with right now. So does anyone know if they finally fix THAT idiocy?

      Why would they need to "fix" it. It is operating as they prefer it, the same as all the software MS includes in Windows that most of us would prefer we did not have to install. Is it so difficult for you to uncheck that box if you're performing an update?

    3. Re:But did they fix the real bug? by torchdragon · · Score: 5, Insightful

      Yes.

      Recently, the Java update software has begun asking for the Open Office installer to be installed on the system during an update for Java. Several users at my company have clicked straight through and added more crap to their desktop/registry/uninstall information.

      Can we blame the users for not reading every detail and not unchecking a checkbox? Yes.
      Can we also blame software vendors who are relying on the aforementioned user behavior to add their software to your computer on the sly? Yes.

      Its a bad practice and it needs to stop.

      If something is required for the operation of a software package, default to selected.
      If something is optional or not required for the operation of a software package, default to unselected.

      Why are we allowing marketing to override good engineering?

      --
      "Don't feel bad for me child; I'm the monster that hides under your bed."
    4. Re:But did they fix the real bug? by lusiphur69 · · Score: 5, Insightful

      The real question is why are you defending Apple's unethical bundling - when the same is performed by Microsoft we criticize it. Call a spade a spade or you look foolish. Face it, this kind of practice is unacceptable, whether or not it comes from your favorite company.

      Is it so difficult for you to uncheck that box if you're performing an update? For me, no. For millions of uneducated end users, it is. Get it?
    5. Re:But did they fix the real bug? by Anonymous Coward · · Score: 4, Insightful

      No, it isn't like that. IE7 is an upgrade to something already installed and, to most end-users, in use. Safari is an entirely new piece of software. There's a difference, whether you like it or not.

  4. Hmm? by koinu · · Score: 5, Insightful


    Safari downloads files (e.g. dynamic libraries) in user directories where the Internet Explorer could autoload them on start. Isn't the bigger problem within Internet Explorer? Why did Microsoft setup a library path to a user's directory at all?

  5. Yes, the flaw is in IE. by argent · · Score: 4, Informative

    Microsoft's library path ALWAYS goes through the current directory. For some obscure reason that IE icon on the Desktop, the one that isn't a shortcut but is actually something special Microsoft added back in 1997 to make it harder to remove IE, runs IE on the Desktop instead of in the IE install directory, the way it would if it was a shortcut.

    It's all a side effect of Microsoft's shenanigans when they tried to use browser-desktop integration to make an end-run around their agreement with the US DoJ. That they've convinced people that the big news is a bug in Safari that makes it slightly easier to take advantage of this problem is, well, bizarre.

    And now you know the rest of the story.

    1. Re:Yes, the flaw is in IE. by Fast+Thick+Pants · · Score: 4, Interesting

      You can't get around this by avoiding the "special" IE icon, though. You can make a real shortcut, set the working directory to whatever you want, or even launch IE from its own program directory from a command prompt, and it will still consider the desktop to be the current directory.

      As a fun experiment,

      • copy cmd.exe to the desktop and rename it to notepad.exe
      • launch IE the "safest" way you can think up
      • view page source
      YRMV, but in my tests with IE 6 and 7 in 2k and XP, it will launch the command prompt instead of notepad, and you can see the current directory and the stuff it prepends to the PATH variable.

      Until this is fixed in IE, I recommend copying notepad.exe and all your system .DLLs from the system32 directory onto each user's desktop, and use an ACL on each one to make sure your users do not have permission to overwrite them. No, seriously. (Or you could just use another browser.)

  6. Re:Damn... by drumbug1 · · Score: 4, Funny

    All I know is if someone broke in my apartment and pissed all over my rug, I'd be pretty upset. unless you're the dude... he abides...