Slashdot Mirror


Safari "Carpet Bomb" Attack Still a Risk

SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."

2 of 117 comments

  1. Re:posting exploits of vulnerabilities by Vectronic · Score: 5, Interesting

    Well, there are two sides to that coin...

    A "1337" user may want full disclosure, so that he can patch his software immediately, and maybe other people who run the same software (White Hat).

    Another 1337 user may patch his own software and then begin to propagate a script to take advantage of unpatched software (Black Hat), which could be for a sort of Grey Hat intention, "see? fix it!", or simply for malicious intent.

    The problem with Full Disclosure is that you can't inform everyone, or update everything instantly, so it only helps those in the know (which isn't many), so partial/non-disclosure is generally better (in consumer products), but Full Disclosure would be appropriate for a closed network, non-consumer software.

    Somewhat redundant, but had to comment.

  2. Maybe I'm missing something? by IrrepressibleMonkey · Score: 3, Interesting

    "Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."

    It wouldn't be the first time I got the wrong end of the stick, but Rios's blog seems to suggest that he has discovered a way to use the original "Carpet Bomb" issue with Firefox to steal user data.

    He states that Apple have fixed their part, but seems to be saying that he won't reveal the Firefox issue because...

    "Mozilla is working on the issue and they've got a responsive team, so I'm sure we'll see a fix soon."

    So what are Apple supposed to be patching or responding to?

    Anyone else read the article (that way)?