Slashdot Mirror


Safari "Carpet Bomb" Attack Still a Risk

SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."

3 of 117 comments

  1. Re:Somehow, I know MS/IE is behind the FF flaw by KillerBob · Score: 0, Flamebait

    MS/IE must have done something to cause this problem in firefox 2 and 3 (?!) so nothing to see here. Move along.

    Somehow, I knew I could come to Slashdot and find somebody who'd find a way to blame Microsoft for Apple's fuckup.

    --
    If you believe everything you read, you'd better not read. - Japanese proverb
  2. Re:One missing piece of the puzzle? by SecureThroughObscure · Score: 0, Flamebait

    Yeah, so the problem is, M$ is fine until Safari and FF come on and don't sanitize shit. They rely too much on the OS to do shit for them, and then it makes M$ look bad. This IS an Apple flaw. The exploit path involves the use of either IE or FF. The reason it's not vulnerable on Apple is 'cause Apple devs don't write quite as shitty code for the Mac as they do for Windows.

  3. I have a working patch! by hacker · Score: 1, Flamebait

    This should be easy to patch: STOP USING WINDOWS!!