Slashdot Mirror


Safari "Carpet Bomb" Attack Still a Risk

SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."

4 of 117 comments

  1. I'm not the only person here who's sick of this. by Odder · · Score: -1, Flamebait

    I've seen several people telling you idiots to can it already. Why is it that you insist on chasing and inadvertently glorifying Twitter? Every normal person is tired of this conversation and it's counterproductive even by your own twisted worldview. As a target of your vindictive little Jihad, I've got more than my fair share of annoyance.

    What are you trying to suppress anyway? Twitter said that Windows security sucks and this whole issue is some kind of Steve Ballmer fantasy. So what? It's obvious. Go ahead and use your little botnet to bury this comment too. It only serves to prove the point. Without a network full of Windows computers to exploit, you people would have nothing.

  2. Re:Somehow, I know MS/IE is behind the FF flaw by KillerBob · · Score: 0, Flamebait

    MS/IE must have done something to cause this problem in firefox 2 and 3 (?!) so nothing to see here. Move along.

    Somehow, I knew I could come to Slashdot and find somebody who'd find a way to blame Microsoft for Apple's fuckup.

    --
    If you believe everything you read, you'd better not read. - Japanese proverb
  3. Re:One missing piece of the puzzle? by SecureThroughObscure · · Score: 0, Flamebait

    Yeah, so the problem is, M$ is fine until Safari and FF come on and don't sanitize shit. They rely too much on the OS to do shit for them, and then it makes M$ look bad. This IS an Apple flaw. The exploit path involves the use of either IE or FF. The reason it's not vulnerable on Apple is 'cause Apple devs don't write quite as shitty code for the Mac as they do for Windows.

  4. I have a working patch! by hacker · · Score: 1, Flamebait

    This should be easy to patch: STOP USING WINDOWS!!