Slashdot Mirror


Safari "Carpet Bomb" Attack Still a Risk

SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."

10 of 117 comments

  1. Is the headline a bit sensational? by LenE · · Score: 3, Insightful

    It implies that Safari still has major problems, while the summary clearly states that this issue (which was discovered in Safari) is now found to affect Firefox 2/3. Further, it implies a situation completely opposite of what is stated lower in the summary, that Apple did a good first pass at squashing the attack, and that it is now better understood.

    I think a more accurate headline would have stated that Firefox was found to be not immune to a security problem found in IE and Safari. Unfortunately, this would imply that there is a problem with an OSS piece of software (which will quickly be fixed).

    -- Len

    1. Re:Is the headline a bit sensational? by SecureThroughObscure · · Score: 2, Insightful

      So, there are a couple of issues here. The first is that you can place files on the user's desktop. This IS (or at least was) Safari's problem. All it takes is crafting a file that has an icon that looks like IE or your recycle bin, or whatever else, and someone double-clicks it to get owned. The second issue is the blended attack: using Safari to place the file, then something else to kick the file off. This is where IE originally came in, but Microsoft patched that, and now we have FF 2/3. I would not be surprised to see Opera have similar blended issues. So, the whole point is that our systems are becoming more complex with all of the options out there that are available to us. These interactions can lead to unexpected security issues.

    2. Re:Is the headline a bit sensational? by Zero__Kelvin · · Score: 1, Insightful

      "I think a more accurate headline would have stated that Firefox was found to be not immune to a security problem found in IE and Safari."

      Alas, nothing could be further from the truth. Ask yourself these questions:

      1. Is Safari on OS X vulnerable?
      2. Is Firefox on Linux vulnerable?
      3. Is IE running under WINE on Linux vulnerable?
      4. What is the common denominator for all of these vulnerabilities?

      Obviously, the security flaw is in Windows.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    3. Re:Is the headline a bit sensational? by Anonymous Coward · · Score: 1, Insightful

      If you want unrelated (possibly malware crap) files scattered all over your desktop because you surf the web you are free not to patch.

      I can't really see why you think that's such a good idea though.

  2. Re:Somehow, I know MS/IE is behind the FF flaw by catwh0re · · Score: 2, Insightful

    To put it in terms of an exaggerated Slashdot-style analogy:

    Given how MS worded the first attack (which was only made usable by faults in MS software), it would be equivalent to MS shipping a piece of software that changed all your passwords to "password" if you installed Firefox or Safari, then releasing a statement that reads something like "Firefox and Safari put Windows at a security risk."

  3. Re:posting exploits of vulnerabilities by bunratty · · Score: 5, Insightful

    It's called responsible disclosure. You'd be surprised at the number of people around here that advocate full disclosure, that is, telling the whole world all the details of a security problem as soon as you find it. The ones who advocate it keep saying it somehow allows users to protect themselves. On the other hand, it seems like everyone who practices full disclosure has a l33t hacker name and is looking for attention, and not at all concerned with anyone's security.

    --
    What a fool believes, he sees, no wise man has the power to reason away.

  4. The WoW Troll is relevant, problem btwn kb & c by plasmacutter · · Score: 2, Insightful

    The "carpet bombing" attack as I've heard it described is not a software flaw at all.

    So they build a site that initiates a large quantity of downloads to your computer... so what.

    It's nothing more than being an a-hole web designer.

    The fact it ends up on your desktop is because the user didn't change the Windows default settings, and anything that happens from that point on regarding "accidental execution" of one of these littered files is the user's fault.

    Why do we need a software nanny state? It's really disgusting that because of stupid people I have to go through 3 separate nags in OS X in order to perform mundane tasks.

    I'm sorry, but user stupidity is not a valid excuse to make every app behave like Clippy! "Are you sure you want to do this?" "Really?" "Are you absolutely sure?"

    --
    VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!

  5. I don't think you are missing anything. by argent · · Score: 2, Insightful

    He says that the attack he has found can be made without the carpet bomb...

    Just as the attack on IE can.

    Apple fixing the download-without-prompt attack won't do anything to fix the underlying problem, that just having a file sitting around in the default download directory on Windows can lead to code execution.

    I suspect that the Firefox problem is similar.
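SecureThroughObscure's reply above describes the first half of the blended attack (a file dropped on the desktop with a misleading icon or name) and argent's comment describes the underlying problem (a file merely sitting in the default download directory can be picked up and run). The following is an added defender-side example, not code from the original thread or from any of the vendors discussed: it audits a download directory for files Windows would run or load directly, and for PE images hiding under a document extension, by checking the MZ/PE header rather than trusting the extension. The extension lists, the `audit_download_dir` name and the sample files are constructed for this example.

```python
import os
import struct
import tempfile

# Constructed, non-exhaustive lists for this example. Windows runs the first set
# on double-click and may load the second set as libraries from a directory.
RUNNABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk"}
LIBRARY_EXTS = {".dll", ".ocx", ".cpl"}


def is_pe_image(data: bytes) -> bool:
    """True if `data` starts with a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature inside `data`."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def audit_download_dir(path: str) -> list[dict]:
    """Return one finding per suspicious regular file in `path`.

    Only the first 4 KiB of each file is read; a PE with an unusually large
    DOS stub would need a bigger read to be recognised."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        ext = os.path.splitext(name)[1].lower()
        with open(full, "rb") as fh:
            head = fh.read(4096)
        pe = is_pe_image(head)
        reasons = []
        if ext in LIBRARY_EXTS:
            reasons.append("library in user-writable download directory")
        if ext in RUNNABLE_EXTS:
            reasons.append("directly runnable file type")
        if pe and ext not in RUNNABLE_EXTS | LIBRARY_EXTS:
            reasons.append("PE image disguised under non-executable extension")
        if reasons:
            findings.append({"file": name, "pe": pe, "reasons": reasons})
    return findings


def make_minimal_pe_stub() -> bytes:
    """Constructed sample: 128 zero bytes carrying a valid MZ/PE header layout
    and no code at all, enough to exercise the header check."""
    buf = bytearray(128)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


def demo() -> list[dict]:
    """Build a constructed download directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "quarterly_report.pdf": make_minimal_pe_stub(),  # PE posing as a document
            "helper.dll": make_minimal_pe_stub(),            # library where another app might load it
            "readme.txt": b"just text\n",                    # benign, not reported
            "setup.exe": make_minimal_pe_stub(),             # honest executable, still reported
        }
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return audit_download_dir(d)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: {', '.join(f['reasons'])}")
```

Pointing `audit_download_dir` at a real Downloads or Desktop folder gives a quick inventory of what an attacker-controlled site could have left behind; the magic-byte check is what catches the "looks like a PDF" case that an extension filter alone misses.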

  6. Re:Somehow, I know MS/IE is behind the FF flaw by mabhatter654 · · Score: 3, Insightful

    Exactly, this is the fault of Microsoft using "secret" files to fire off IE in the background. Stuff like autoexec on CD-ROMs might use this to start up the program when the directory becomes available. That's a STUPID action to take!!!! Microsoft's only response is RTFM (that we didn't write) and to have every program that might download something check for that file name and not download it.

    Safari didn't respect the file system's "secret" files and, to top it off, downloads them without asking first; that in itself is a mistake... but again, it's something that Apple's software will block from running until a user approves... which Microsoft doesn't support! Oh the fun!

    Wonder what the fun is with Firefox? By default Safari downloads to "desktop" so what special options would Firefox use if it was the default browser?

  7. One missing piece of the puzzle? by Penguinisto · · Score: 3, Insightful

    ...err, what is Microsoft doing to fix their end of the problem? I mean, this (IIRC) only works if the victim has Microsoft Windows as their OS.

    I mean, this isn't specifically to slam MSFT, but the guy who discovered this works... for Microsoft. The attack vector stops cold if the user is on OS X and/or Linux, but does work in Windows.

    So, umm... what's Microsoft doing about this (assuming they can), Mr. Rios?

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?