Safari "Carpet Bomb" Attack Still a Risk

SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."

Is the headline a bit sensational?

[LenE]

It implies that Safari still has major problems, while the summary clearly states that this issue (that was discovered in Safari), is now found to affect FireFox 2/3. Further, it implies a situation completely opposite of what is stated lower in the summary, that Apple did a good first pass at squashing the attack, and that it is now better understood.

I think a more accurate headline would have stated that FireFox was found to be not immune to a security problem found in IE and Safari. Unfortunately, this would imply that there is a problem with an OSS piece of software (which will quickly be fixed).

-- Len

Re:posting exploits of vulnerabilities

[bunratty]

It's called responsible disclosure. You'd be surprised at the number of people around here that advocate full disclosure, that is, telling the whole world all the details of a security problem as soon as you find it. The ones who advocate it keep saying it somehow allows users to protect themselves. On the other hand, it seems like everyone who practices full disclosure has a l33t hacker name and is looking for attention, and not at all concerned with anyone's security.

Re:Somehow, I know MS/IE is behind the FF flaw

[mabhatter654]

exactly, this is the fault of Microsoft using "secret" files do fire off IE in the background. Stuff like autoexec on CD roms might use this to start up the program when the directory becomes available. That's a STUPID action to take!!!! Microsoft's only response is RTFM (that we didn't write) and have every program that might download something check for that file name and not download it.

Safari didn't respect the file systems "secret" files and to top it off downloads them without asking first, that in itself is a mistake... but again, it's something that Apple's software will block running until a user approves... that Microsoft doesn't support! Oh the fun!

Wonder what the fun is with Firefox? By default Safari downloads to "desktop" so what special options would Firefox use if it was the default browser?

One missing piece of the puzzle?

[Penguinisto]

...err, what is Microsoft doing to fix their end of the problem? I mean, this (IIRC) only works if the victim has Microsoft Windows as their OS.

I mean, this isn't specifically to slam MSFT, but the guy who discovered this works... for Microsoft. The attack vector stops cold if the user is on OSX and/or Linux, but does work in Windows.

So, umm... what's Microsoft doing about this (assuming they can), Mr. Rios?

/P