Slashdot Mirror


Safari "Carpet Bomb" Attack Still a Risk

SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."

6 of 117 comments

  1. posting exploits of vulnerabilities by commodoresloat · Score: 2, Interesting

    Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue. Seems sensible; I always thought this was standard practice with vulnerabilities. It helps ensure that at least the company who introduced the vulnerability has an opportunity to release a patch before the attack vectors are in the hands of every script kiddie around. It's definitely an approach the poster of this story should have considered.
    1. Re:posting exploits of vulnerabilities by Vectronic · Score: 5, Interesting

      Well, there are two sides to that coin...

      A "1337" user may want full disclosure, so that he can patch his software immediately, and maybe other people who run the same software (White Hat).

      Another 1337 user may patch his own software, and then begin to propagate a script to take advantage of unpatched software (Black Hat), which could be for a sort of Grey Hat intention, "see? fix it!" or simply for malicious intent.

      The problem with Full Disclosure is that you can't inform everyone, or update everything instantly, so it only helps those in the know (which isn't many), so partial/non-disclosure is generally better (in consumer products), but Full Disclosure would be appropriate for a closed network, non-consumer software.

      Somewhat redundant, but had to comment.

    2. Re:posting exploits of vulnerabilities by SecureThroughObscure · Score: 2, Interesting

      It's not just that though. You make great points that an advanced user can likely find a workaround for some issues and SHOULD have the right to fix an issue if possible (thus requiring full disclosure). The other thing to consider here is that a lot of vendors are in the freaking prehistoric period when it comes to addressing issues. Originally, Apple decided NOT to fix this issue, because you could only put executable content on a user's desktop. I mean, by itself, that's still a big issue. When vendors take these approaches, it becomes easier for researchers to just drop an 0-day.

  2. Maybe I'm missing something? by IrrepressibleMonkey · Score: 3, Interesting

    Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue.

    It wouldn't be the first time I got the wrong end of the stick, but Rios' blog seems to suggest that he has discovered a way to use the original "Carpet Bomb" issue with Firefox to steal user data.

    He states that Apple have fixed their part, but seems to be saying that he won't reveal the Firefox issue because...

    Mozilla is working on the issue and they've got a responsive team, so I'm sure we'll see a fix soon.

    So what are Apple supposed to be patching or responding to?

    Anyone else read the article (that way)?

  3. Re:Somehow, I know MS/IE is behind the FF flaw by Animaether · Score: 2, Interesting

    bah, if you want bad analogies...

    The first attack was more like this...

    Whenever you (the user) visit some guy's house (a website), I (Safari) will automatically dump scorpions all over your face (desktop). Luckily, they're quite docile little scorpions so as long as you don't touch them (run the downloaded files), you'll be fine.

    But then along comes my roommate (Internet Explorer), grabs one of the scorpions and plants its stinger smack dab on your jugular.

    Clearly, then, my roommate is to blame. So, never interact with my roommate and oh-by-the-way enjoy walking around with scorpions on your face.

    Did I mention that some of those scorpions are excellent at camouflaging themselves? They can make themselves look like the darndest and most benign things... perhaps they'll masquerade themselves as your glasses (some random program you tend to use a lot). You put on your glasses (run the program) like you do every day and *ZING*.

    But hey, you probably use an operating system (say, OS X) that I (Safari) run on that doesn't just let you put your glasses on - perhaps it recognizes that they're not even your glasses, and warns you. Good for you! Say, how are all those scorpions down your pants (download directory) working out for you?

    But the above are really just bad analogies. Suffice to say that there's really no good reason to allow a website to litter your desktop -or- your downloads directory with a bunch of files... but if you -can- think of one: great! You'll be one of those who will check the "allow websites to automatically download files to my computer" checkbox... once (if ever) that makes it in, that is.

    =====

    Disclaimer: I like Apple (yes, dear commenter from a previous thread... re-read my post. I do like Apple.), but they can suggest I install it all they want whenever QuickTime goes and updates itself, I'm not touching it - I'm quite fine with Firefox (2... I'll wait for the v3 dust to settle.)

  4. Re:Is the headline a bit sensational? by jackjeff · Score: 2, Interesting

    I still fail to understand why downloading files to the desktop is a major security problem...

    That's quite funny that Microsoft urged Apple to fix this, whereas the actual failure was in IE7.

    It's not the job of Apple or Firefox (we don't know about this bug anyway) to fix everyone else's (Microsoft's) security problems.