Slashdot Mirror
Safari "Carpet Bomb" Attack Still a Risk
SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."
Assuming for a second you are not, it's very telling that your reply is exactly 2 minutes after twitter's post. More importantly, what exactly is the point of your reply? "Good on you"? More likely you are simply replying to your own post to see if you can bring attention to it, which is a game you've been playing for a while now.
being blown out with malicious moderation
I don't see anything malicious about this, you are being moderated negatively because you deserve it. It makes no difference how much you claim you are being "unfairly" targeted by misrepresenting and exaggerating what other people say about you.
The twitter monologues. Click on my homepage and be amazed.
It implies that Safari still has major problems, while the summary clearly states that this issue (that was discovered in Safari), is now found to affect FireFox 2/3. Further, it implies a situation completely opposite of what is stated lower in the summary, that Apple did a good first pass at squashing the attack, and that it is now better understood.
I think a more accurate headline would have stated that FireFox was found to be not immune to a security problem found in IE and Safari. Unfortunately, this would imply that there is a problem with an OSS piece of software (which will quickly be fixed).
-- Len
To put it in terms of an exaggerated slashdot style analogy:
With how MS worded the first attack. (Which was only made usable by faults in MS software.) It would be equivalent to MS shipping a piece of software that changed all your passwords to "password" if you installed Firefox or Safari. Then releasing a statement that reads something like "Firefox and Safari put Windows at a security risk."
I'm sorry, I can't even understand what you're trying to say there.
If by "remote code execution", you mean running downloaded files, any OS will do that.
Actually, it's a botnet of Linux boxes. One or two Windows, I guess, and maybe a Mac, but for reliable mass moderation, free software's the way to go!
Though really, if you could remote execute code, why bother running FTP to download it? That's just redundant.
You're right, everyone is tired of this conversation. So why don't you JUST FUCKING STOP.
Seriously, it's old now. If you want to avoid being modded down for shilling yourself, why don't you stop fucking shilling yourself. Pick an account, any account. Maybe Odder, seeing as it seems to have the most karma right now. After that, stop lying and talking bollocks and you may find people start respecting you again. Until then, cut the shit and stop whining, just because people have figured out this pathetic little game of yours.
It would be nice to read through the comments on an article on Slashdot without having to read 5, 6, 7 posts of yours in a row talking to each other as if they were adding value to whatever point you're making.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
It wouldn't be the first time I got the wrong end of the stick, but Rios blog seems to suggest that he has discovered a way to use the original "Carpet Bomb" issue with Firefox to steal user data.
He states that Apple have fixed their part, but seems to be saying that he won't reveal the Firefox issue because...
Mozilla is working on the issue and they've got a responsive team, so I'm sure we'll see a fix soon.
So what are Apple supposed to be patching or responding to?
Anyone else read the article (that way)?
I know you're joking... but IRL, swarms of Windows zombies are often managed by a rooted Linux box.
Somehow, I knew I could come to Slashdot and find somebody who'd find a way to blame Microsoft for Apple's fuckup.
If you believe everything you read, you'd better not read. - Japanese proverb
I am twitter AND Spartacus. Beat that.
We know about your sockpuppets and your shilling and everything else. You can stop now.
I'm absolutely not Twitter, but he is amazing don't you think?
I'm Just Another Twitter Sockpuppet, and I approve this message.
Twitter, I have a reasonable request for you: please stop the sockpuppetry and, more importantly, please stop the trolling.
You seem to take every chance you get to hijack a thread and turn it into Microsoft or Windows bashing, even when it's not the issue at hand. This doesn't help anybody. It especially doesn't help your cause of advocating Linux, and I don't know why you think it does. As a Linux user and advocate (Debian, lenny, if you must know), I wish you would stop. There are far more useful and intelligent ways to spread Linux.
You also use your sockpuppets to try to lend legitimacy to your posts. This definitely doesn't help your cause at all. This pretty much only serves to disrupt slashdot and cause people to turn against you. Everything all of your sockpuppets say could just as easily be said by a single person. The more legitimate posts could definitely be said by a single person, and you might actually get modded up once in a while.
Your habit of accusing everyone who disagrees with you an idiot or a paid troll doesn't help either. The former makes you appear to be an arrogant asshole, as it implies that your opinion is correct, period, and no other opinion is at all legitimate. The latter makes you appear paranoid. This definitely doesn't help you.
So, I have one reasonable solution for you, and I highly suggest you take it: make one more new account. Stop using the twitter account and all of the sock puppets. Never mention twitter or the sock puppets with the new account. Pretty much, ignore your entire slashdot history. Stop hijacking threads into Microsoft bashing. Stop calling Microsoft "M$". I can't really instruct you to change your writing style, so it's entirely likely that people will catch on that it's you again.
As long as you follow my advice in whole, they most likely won't call you on it. Most people here are reasonable, and they'll be happy to live and let live. Hell, if you follow my advice in full and people insist on stalking you, I will personally do my best to stop them. If that includes ruining their karma, so be it (I get 15 mod points at a rate of about once per week, so it wouldn't be particularly hard), but I'd rather not go that route.
Please, just take this advice, and we can make Slashdot a better place for everybody.
Remember, open source is free as in speech, not free as in bear.
The "carpet bombing" attack as i've heard it described is not a software flaw at all.
so they build a site that initiates a large quantity of downloads to your computer.. so what.
it's nothing more than being an a-hole web designer.
the fact it ends up on your desktop is because the user didn't change the windows default settings, and anything that happens from that point on regarding "accidental execution" of one of these littered files is the user's fault.
Why do we need a software nanny state. It's really disgusting that because of stupid people I have to go through 3 separate nags in osX in order to perform mundane tasks.
I'm sorry but user stupidity is not a valid excuse to make every app behave like clippy! "are you sure you want to do this?" "really?" "are you absolutely sure?"
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
Well, but this is the hard part of the argument. See, when Microsoft develops its own system, it does so in a certain way. When M$ designs IE, they make it fit that system. Since they have more knowledge, they can prevent things like this from happening in their own softwares. Of course, when third-parties develop for that system, they don't have that intimate knowledge, so they may assume that Windows protects them, when really they need to protect themselves. The "blended" threat really creates some "Who's fault is it anyways" questions.
Well yeah, that's the point. It does not matter if Safari, IE, FTP or any other program is used to download an executable file to your desktop, that might be executed. What matters is that ANOTHER problem can be used to remote execute that file. That's what the Safari flap is all about, but all it does is show you that Windows has lots of holes.
He says that the attack he has found can be made without the carpet bomb...
Just as the attack on IE can.
Apple fixing the download-without-prompt attack won't do anything to fix the underlying problem, that just having a file sitting around in the default download directory on Windows can lead to code execution.
I suspect that the Firefox problem is similar.
No, therefore I aren't.
A horse can't be sick, you know, even if he wants to.
exactly, this is the fault of Microsoft using "secret" files do fire off IE in the background. Stuff like autoexec on CD roms might use this to start up the program when the directory becomes available. That's a STUPID action to take!!!! Microsoft's only response is RTFM (that we didn't write) and have every program that might download something check for that file name and not download it.
Safari didn't respect the file systems "secret" files and to top it off downloads them without asking first, that in itself is a mistake... but again, it's something that Apple's software will block running until a user approves... that Microsoft doesn't support! Oh the fun!
Wonder what the fun is with Firefox? By default Safari downloads to "desktop" so what special options would Firefox use if it was the default browser?
According to the blog post at http://xs-sniper.com/blog/2008/06/20/bk-on-safari-hunting-firefox/
"Mozilla is working on the issue and theyâ(TM)ve got a responsive team, so Iâ(TM)m sure weâ(TM)ll see a fix soon. "
This would imply that the remaining bug is a Firefox bug.
bah, if you want bad analogies...
The first attack was more like this...
Whenever you (the user) visit some guy's house (a website), I (Safari) will automatically dump scorpions all over your face (desktop). Luckily, they're quite docile little scorpions so as long as you don't touch them (run the downloaded files), you'll be fine.
But then along comes my roommate (Internet Explorer), grabs one of the scorpions and plants it stinger smack dab on your jugular.
Clearly, then, my roommate is to blame. So, never interact with my roommate and oh-by-the-way enjoy walking around with scorpions on your face.
Did I mention that some of those scorpions are excellent at camouflaging themselves? They can make themselves look like the darndest and most benign things... perhaps they'll masquerade themselves as your glasses (some random program you tend to use a lot). You put on your glasses (run the program) like you do every day and *ZING*.
But hey, you probably use an operating system (say, OS X) that I (Safari) runs on that doesn't just let you put your glasses on - perhaps it recognizes that they're not even your glasses, and warns you. Good for you! Say, how are all those scorpions down your pants (download directory) working out for you?
But the above are really just bad analogies. Suffice to say that there's really no good reason to allow a website to litter your desktop -or- your downloads directory with a bunch of files.. but if you -can- think of one: great! you'll be one of those who will check the "allow websites to automatically download files to my computer" checkbox... once (if ever) that makes in, that is.
=====
Disclaimer: I like Apple (yes, dear commenter from a previous thread.. re-read my post. I do like Apple.), but they can suggest I install it all they want whenever QuickTime goes and updates itself, I'm not touching it - I'm quite fine with FireFox (2.. 'll wait for the v3 dust to settle.)
...err, what is Microsoft doing to fix their end of the problem? I mean, this (IIRC) only works if the victim has Microsoft Windows as their OS.
I mean, this isn't specifically to slam MSFT, but the guy who discovered this works... for Microsoft. The attack vector stops cold if the user is on OSX and/or Linux, but does work in Windows.
So, umm... what's Microsoft doing about this (assuming they can), Mr. Rios?
Quo usque tandem abutere, Nimbus, patientia nostra?
..or the windows user who invites scorpions into their home if they are holding up a "free titties" banner.
right, who comes up with these names for bugs. It's like any new way a bug or know issue happens it has to have some really STUPID war type name. This is clearly a flaw in the browser cacheing area. It would be a cacheing issue or a Content type cache bug.
The Days of IRC Nukes, Script kiddie FLOODS and all the rest of the wannabe lingo needs to halt so the more technical identifications can be warrented. //excuse the grammar/spelling, I'm almost asleep.
Dude,do you have ANY idea how totally Psycho you come off when you reply to yourself all the time like that? It makes me think of those homeless guys you see walking down the street arguing with themselves. Of course all your inner voices are all "good on you" so I don't know whether to be happy that at least your delusions are confrontational or sad for the fact that your head is full of yes men. But as always my 02c,YIVMV(your inner voices may vary)
ACs don't waste your time replying, your posts are never seen by me.
> Last I read, it's owner
Classic twitter.
When is MSFT going to implement cross-browser flagging of downloaded executables? When is MSFT going to patch IE to stop it from loading arbitrary DLLs from the desktop?
Jesus was a compassionate social conservative who called individuals to sin no more.
Well, you're getting off track here. You can comment on how M$ should make their APIs more clear... but your comments are pretty off base.
Damn, that's the most genius comment on Slashdot all year.
Except that NOTHING is clear:
http://xs-sniper.com/blog/
He is saying that the "Carpet Bomb" issue IS fixed, but that he is aware of three other methods to exploit interaction between Safari and Firefox.
He is giving out no details, no work-arounds and no advice on how to protect yourself. It's all a little bit vague.
I'm starting to suspect Shenanigans.
Who modded this guy insightful?
Who is this guy to think that the market should be catering to him instead of the millions of other people who aren't as wise with computers?
I think you are confusing stupidity with ignorance which is a big mistake. Just because someone isn't wise to all of the risks and no-nos in computers doesn't mean they are stupid. How much do you know about quantum physics or hispano-arabic literature? Because you lack knowledge in a field doesn't make you stupid.
The future of computers isn't every user learning so much more about computers but computers being more and more idiotproof. And these ignorant computer users are the majority of the market so guess where things are heading.
http://greenobyl.com/ please.... think of the children!!
No web browser should be able to download files to your computer without your approval.
NONE.
There is no excuse for this retarded behavior of Safari. No web browser except Safari ever allowed this.
I am the real twitter, and I've come to rule your world.
I have a better solution.
How about people stop replying going "This is a Twitter sockpuppet!" because
a) Nobody fucking cares
b) if all of these names are supposedly sockpuppets, replying and pointing it out FEEDS THE TROLL.
Of course, expecting this to happen is futile, so all I've done is write a special greasemonkey script. Anyone that replies and points out supposed Twitter sockpuppets have their posts disappear from my view permanently, because not even adding foes is enough to block the idiocy.
"We need to get over this notion, that, for Apple to win... Microsoft must lose." - Steve Jobs, 1997
Ah, but the twitter bashing for a certain species of slashdotter is a great way to karma-whore AND feed their moronic paranoid fantasies about the ideological bent of /., and what they have to do as a Keyboard Commando to combat it. I can only imagine the sense of delirious satisfaction they get by modding down every twitter post, and spying a potential twitter sockpuppet behind every ID that disagrees with them and their ilk. It's amazing to me that these clowns, having never have achieved a single worthwhile thing in any aspect of their sad, pathetic lives, choose to devote their energy trying to thwart a single slashdot poster.
This should be easy to patch: STOP USING WINDOWS!!
This whole thing was created by Microsoft. It does not exist on any other platform. They have created this issue because they can't stand another browser or any other perceived loss of control on their little platform.
The people from M$ don't like what Twitter has to say and they have censored him. He refuses to let that happen. It was not good enough for them to answer him in an open way and have done things to disrupt your ability to both hear him or foe him. They deserve ridicule and contempt. You may foe any account that displeases you but you will never know if it's him or someone else. His views are popular here and in the real world because M$'s business practices and poor quality software have soured everyone who uses Windows. This is not something PR firms can make dissapear.
No, I'm not Twitter, like you PR Idiots think everyone is. I'm simply sick of your bullshit and nerve. People are not going to do as you say, get used to it.
Intellectual property was the desert property of the twenth century.
Anti-Slash? That's fucking priceless. Neither you nor Slashdot are important enough for me to spend money on.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
I've gotten tired of the entire twitter thing, too. You'll note that I'm not just calling out sockpuppets like everyone else. I'm proposing the easiest and most reasonable way to end this thing. It's far easier to convince a single person to stop than to convince the however many that are following twitter, plain and simple.
Remember, open source is free as in speech, not free as in bear.
but that's exactly what's going on. The OS fires off IE whenever certain special file names are present... ever... Microsoft's products know this and "just don't do that". Safari developers can't seriously be expected to remember every single special file ... but they allow unconfirmed downloads to a very common special directory.
The response from Microsoft was simply to "not download" those type of files... that was the official response!!! Apple responded with "don't run junk by default", our developers won't fix it, because OUR OS warns users of new programs so our Safari developers don't have to worry about blacklisting certain files from download.
It's right out of Dilbert with each PHB pointing to the corporate marketing directives and saying it's not "my" fault.
So the question stands that some how Safari's automatic download (maybe before the fix) can download something "special" effecting firefox that their developers are assuming would "never happen".
I'm finding this new messaging system well-nigh impossible to use.
lol downmodded ! "if we dont agree - we downmod!!" hurray.
and if someone points that out, they pull out the "uhh he was obviously trolling" response.
i hope the FOSSies are getting paid or having some great sex to do these kind of dirty tricks.
For example you could use OSX as your desktop operating system.
When I click on a hyperlink, I want what its linked to to come down..
what do you want me to do, plead with curse to give me my addons?!
The problem is not apple's problem, hell it's not even microsoft's.
the problem is these people are misrepresenting a hyperlink as a web page when it's really a direct download link.
This does not mean I should be nagged because people are too dumb to say "I didn't request this file so i wont open it"
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
Everyone who wasn't an idiot learned not to do this when they were a toddler and reached out to touch the stove coils because they were pretty and glowing.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
No web browser should be able to download files to your computer without your approval.
NONE.
There is no excuse for this retarded behavior of Safari. No web browser except Safari ever allowed this.
Except Internet Explorer, but it's not so kind as to leave evidence of its downloading on your desktop.The AC I was answering was stating that not using Windows will mean "all productivity will shut down" and quote:
"Year of the Linux Desktop" my ass. And I was answering to that.Besides, I use Opera on Windows, Linux and Mac OSX.
There is no clicking involved here - it is a web page that can just spontaneously execute Javascript to initiate a file download, which just spontaneously appears on your desktop, with no user interaction AT ALL.
It is an obvious opera flaw.
Safari has a lot of things wrong with it. Firefox is a much better system. -Alan B Fabian