Slashdot Mirror


Safari "Carpet Bomb" Attack Still a Risk

SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."

10 of 117 comments

  1. News Flash: Windows is still a risk. by twitter · Score: -1, Troll

    Windows is still a complete security failure. It is not possible to secure with any kind of reasonable precautions. Nor can it be secured through strenuous efforts. It is not free, so you can't fix what you think is broken.

    --

    Friends don't help friends install M$ junk.

  2. Somehow, I know MS/IE is behind the FF flaw by Anonymous Coward · Score: -1, Troll

    MS/IE must have done something to cause this problem in firefox 2 and 3 (?!) so nothing to see here. Move along.

    1. Re:Somehow, I know MS/IE is behind the FF flaw by SecureThroughObscure · Score: 0, Troll

      Well, but this is the hard part of the argument. See, when Microsoft develops its own system, it does so in a certain way. When M$ designs IE, they make it fit that system. Since they have more knowledge, they can prevent things like this from happening in their own software. Of course, when third parties develop for that system, they don't have that intimate knowledge, so they may assume that Windows protects them, when really they need to protect themselves. The "blended" threat really creates some "Whose fault is it anyway?" questions.

  3. Re:News Flash: Windows is still a risk. by Odder · Score: -1, Troll

    You have to wonder if the people modding you down have a botnet of Windows computers and get to sneer twice about it. It is unlikely someone would use their own computers for this kind of thing.

  4. I think you will be safe, by Odder · Score: -1, Troll

    as long as you avoid Windows. Don't blame me, that's just the way things work.

  5. Re:News Flash: Windows is still a risk. by Anonymous Coward · Score: -1, Troll

    I am twitter!

  6. Re:FTP Carpet Bomb Demonstrated! by Odder · Score: -1, Troll

    That's true. If you can remotely execute code you can remotely execute FTP and have it "Carpet Bomb" your desktop with stuff you can then execute. Most botnets perpetuate themselves in a more stealthy manner than that.

  7. One Crazy Marketing Idea. by Odder · Score: -1, Troll

    Because these attacks don't happen on Mac or GNU/Linux, we can be sure they are only useful because of Windows flaws. The marketing people at Microsoft must have lost their minds to push this story, it only proves their OS is still not ready for networking.

  8. Re:FTP Carpet Bomb Demonstrated! by freenix · Score: 0, Troll

    Well yeah, that's the point. It does not matter if Safari, IE, FTP or any other program is used to download an executable file to your desktop, that might be executed. What matters is that ANOTHER problem can be used to remote execute that file. That's what the Safari flap is all about, but all it does is show you that Windows has lots of holes.

  9. MSFT has to fix this. Windows security issue. by aristotle-dude · Score: 0, Troll

    I am sick of seeing MSFT trying to pass the buck on a Windows security issue.

    When is MSFT going to implement cross-browser flagging of downloaded executables? When is MSFT going to patch IE to stop it from loading arbitrary DLLs from the desktop?

    --
    Jesus was a compassionate social conservative who called individuals to sin no more.
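As an added example (not code from the thread, nor from Apple or Microsoft), here is the kind of "flagging of downloaded executables" check the last comment asks about. On NTFS, browsers that honour the Mark of the Web record a file's origin in an alternate data stream named `Zone.Identifier`, an INI-style blob with a `[ZoneTransfer]` section whose `ZoneId` is a URLMON zone number (3 = Internet, 4 = Restricted sites). The script parses that stream and flags loadable binaries in a folder such as the Desktop that arrived from an untrusted zone, which is exactly the pile a carpet bomb leaves behind for a second program to load. The sample stream, the folder contents and the `LOADABLE` extension set are constructed for this example; reading the stream needs NTFS, and on any other filesystem files are simply reported as unmarked.

```python
"""Flag executables dropped into a folder that carry an Internet-zone
Mark of the Web (the NTFS Zone.Identifier alternate data stream).

Added example for the Safari "Carpet Bomb" discussion; not code from the
thread. Constants and the sample stream are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import Path

# URLMON zone numbers (URLZONE_*), as written by Windows browsers.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Extensions a loader might pick up from its working directory (assumption
# for this example; extend to taste).
LOADABLE = {".dll", ".exe", ".scr", ".cpl", ".ocx"}

# Constructed sample of what a browser writes into <file>:Zone.Identifier.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=http://example.invalid/carpet/\r\n"
    "HostUrl=http://example.invalid/carpet/dropped.dll\r\n"
)


@dataclass
class Finding:
    path: str
    zone_id: int | None
    referrer: str | None


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style Zone.Identifier stream.

    Only keys inside the [ZoneTransfer] section are returned; ZoneId is
    coerced to int and dropped if it is not numeric. Other sections,
    comments and malformed lines are ignored rather than raising, because
    this stream is attacker-influenced input.
    """
    result: dict = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() == "zoneid":
            try:
                result["ZoneId"] = int(value)
            except ValueError:
                continue
        else:
            result[key] = value
    return result


def read_mark_of_the_web(path) -> dict | None:
    """Return the parsed Zone.Identifier stream for `path`, or None if absent.

    NTFS exposes alternate data streams as `<name>:Zone.Identifier`; on other
    filesystems the open fails and the file is treated as unmarked.
    """
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def is_suspicious(name: str, mark: dict | None) -> bool:
    """A loadable binary whose mark says it came from Internet/Restricted."""
    if Path(name).suffix.lower() not in LOADABLE:
        return False
    return mark is not None and mark.get("ZoneId") in (3, 4)


def scan_directory(directory) -> list[Finding]:
    """Walk one folder (no recursion) and collect suspicious marked binaries."""
    findings: list[Finding] = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        mark = read_mark_of_the_web(entry)
        if is_suspicious(entry.name, mark):
            findings.append(Finding(str(entry), mark.get("ZoneId"), mark.get("ReferrerUrl")))
    return findings


if __name__ == "__main__":
    for f in scan_directory(Path.home() / "Desktop"):
        zone = ZONE_NAMES.get(f.zone_id, "unknown")
        print(f"{f.path}: zone {f.zone_id} ({zone}) referrer={f.referrer}")
```

The parser deliberately tolerates junk: the stream is written on the basis of what a web page did, so a scanner that throws on an odd line is a scanner an attacker can switch off. Run it as-is to list flagged files on your own Desktop, or point `scan_directory` at any download folder.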