Slashdot Mirror


Safari "Carpet Bomb" Attack Still a Risk

SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."

3 of 117 comments

  1. Re:Somehow, I know MS/IE is behind the FF flaw by SecureThroughObscure · Score: 0, Troll

    Well, but this is the hard part of the argument. See, when Microsoft develops its own system, it does so in a certain way. When M$ designs IE, they make it fit that system. Since they have more knowledge, they can prevent things like this from happening in their own software. Of course, when third parties develop for that system, they don't have that intimate knowledge, so they may assume that Windows protects them, when really they need to protect themselves. The "blended" threat really creates some "Whose fault is it anyway?" questions.

  2. Re:FTP Carpet Bomb Demonstrated! by freenix · Score: 0, Troll

    Well yeah, that's the point. It does not matter if Safari, IE, FTP or any other program is used to download an executable file to your desktop that might be executed. What matters is that ANOTHER problem can be used to remotely execute that file. That's what the Safari flap is all about, but all it does is show you that Windows has lots of holes.

  3. MSFT has to fix this. Windows security issue. by aristotle-dude · Score: 0, Troll

    I am sick of seeing MSFT trying to pass the buck on a Windows security issue.

    When is MSFT going to implement cross-browser flagging of downloaded executables? When is MSFT going to patch IE to stop it from loading arbitrary DLLs from the desktop?

    --
    Jesus was a compassionate social conservative who called individuals to sin no more.
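An added, defender-side check prompted by the questions in the comment above; it is not code from the Slashdot post or from any commenter. The "flagging of downloaded executables" the comment asks about is, in practice, the NTFS Zone.Identifier alternate data stream that Windows uses to mark a file as coming from the Internet zone (that mapping to the comment's wording is mine; the page does not name the mechanism). The script inventories executable-type files recently written to the current user's Desktop, the folder the Carpet Bomb story is about, and reports which of them carry that mark. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the file patterns and the seven-day window are choices made for this example.

```powershell
# Added example, not from the Slashdot post or the commenters.
# Lists executable-type files on the user's Desktop modified in the last N days
# and reports whether each carries a Zone.Identifier stream (the mark Windows
# attaches to files downloaded from the Internet zone).
# Assumes Windows PowerShell 3.0+ and an NTFS volume (required for -Stream).

param(
    [string]$Folder = [Environment]::GetFolderPath('Desktop'),
    [int]$Days = 7    # look only at files modified within the last N days (example choice)
)

$cutoff   = (Get-Date).AddDays(-$Days)
$patterns = '*.dll', '*.exe', '*.scr', '*.cpl', '*.ocx'   # example set of loadable/runnable types

$report = foreach ($file in Get-ChildItem -Path $Folder -Include $patterns -File -Recurse -ErrorAction SilentlyContinue |
                   Where-Object { $_.LastWriteTime -ge $cutoff }) {

    # Zone.Identifier is an alternate data stream; its ZoneId line gives the
    # security zone (3 = Internet). A missing stream throws, which we treat as "unmarked".
    $zone = $null
    try {
        $ads = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction Stop
        foreach ($line in $ads) {
            if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
        }
    } catch {
        # No Zone.Identifier stream: whatever wrote the file did not mark it,
        # or the mark was later removed with Unblock-File.
    }

    [pscustomobject]@{
        Name     = $file.Name
        Modified = $file.LastWriteTime
        SizeKB   = [math]::Round($file.Length / 1KB, 1)
        ZoneId   = $zone
        Marked   = ($null -ne $zone)
    }
}

# Show unmarked files first: a file placed on the Desktop by one program with no
# origin mark is exactly the case where a second program has nothing to honour.
$report | Sort-Object Marked, Modified -Descending | Format-Table -AutoSize

$unmarkedDlls = @($report | Where-Object { -not $_.Marked -and $_.Name -like '*.dll' })
if ($unmarkedDlls.Count -gt 0) {
    Write-Warning ("{0} DLL(s) under {1} carry no Zone.Identifier mark; review them before any program loads libraries from that folder." -f $unmarkedDlls.Count, $Folder)
}
```

Run it as the user whose Desktop you want to inspect; it only reads file metadata and streams and changes nothing. Because the mark is written by the downloading application rather than enforced by the file system, a clean result from one browser says nothing about files dropped there by another program, which is the gap the comment is pointing at.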