Slashdot Mirror
Safari "Carpet Bomb" Attack Still a Risk
SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."
Assuming for a second you are not, it's very telling that your reply is exactly 2 minutes after twitter's post. More importantly, what exactly is the point of your reply? "Good on you"? More likely you are simply replying to your own post to see if you can bring attention to it, which is a game you've been playing for a while now.
being blown out with malicious moderation
I don't see anything malicious about this, you are being moderated negatively because you deserve it. It makes no difference how much you claim you are being "unfairly" targeted by misrepresenting and exaggerating what other people say about you.
The twitter monologues. Click on my homepage and be amazed.
It implies that Safari still has major problems, while the summary clearly states that this issue (that was discovered in Safari), is now found to affect FireFox 2/3. Further, it implies a situation completely opposite of what is stated lower in the summary, that Apple did a good first pass at squashing the attack, and that it is now better understood.
I think a more accurate headline would have stated that FireFox was found to be not immune to a security problem found in IE and Safari. Unfortunately, this would imply that there is a problem with an OSS piece of software (which will quickly be fixed).
-- Len
To put it in terms of an exaggerated slashdot style analogy:
With how MS worded the first attack. (Which was only made usable by faults in MS software.) It would be equivalent to MS shipping a piece of software that changed all your passwords to "password" if you installed Firefox or Safari. Then releasing a statement that reads something like "Firefox and Safari put Windows at a security risk."
I'm sorry, I can't even understand what you're trying to say there.
If by "remote code execution", you mean running downloaded files, any OS will do that.
Though really, if you could remote execute code, why bother running FTP to download it? That's just redundant.
It wouldn't be the first time I got the wrong end of the stick, but Rios blog seems to suggest that he has discovered a way to use the original "Carpet Bomb" issue with Firefox to steal user data.
He states that Apple have fixed their part, but seems to be saying that he won't reveal the Firefox issue because...
Mozilla is working on the issue and they've got a responsive team, so I'm sure we'll see a fix soon.
So what are Apple supposed to be patching or responding to?
Anyone else read the article (that way)?
Twitter, I have a reasonable request for you: please stop the sockpuppetry and, more importantly, please stop the trolling.
You seem to take every chance you get to hijack a thread and turn it into Microsoft or Windows bashing, even when it's not the issue at hand. This doesn't help anybody. It especially doesn't help your cause of advocating Linux, and I don't know why you think it does. As a Linux user and advocate (Debian, lenny, if you must know), I wish you would stop. There are far more useful and intelligent ways to spread Linux.
You also use your sockpuppets to try to lend legitimacy to your posts. This definitely doesn't help your cause at all. This pretty much only serves to disrupt slashdot and cause people to turn against you. Everything all of your sockpuppets say could just as easily be said by a single person. The more legitimate posts could definitely be said by a single person, and you might actually get modded up once in a while.
Your habit of accusing everyone who disagrees with you an idiot or a paid troll doesn't help either. The former makes you appear to be an arrogant asshole, as it implies that your opinion is correct, period, and no other opinion is at all legitimate. The latter makes you appear paranoid. This definitely doesn't help you.
So, I have one reasonable solution for you, and I highly suggest you take it: make one more new account. Stop using the twitter account and all of the sock puppets. Never mention twitter or the sock puppets with the new account. Pretty much, ignore your entire slashdot history. Stop hijacking threads into Microsoft bashing. Stop calling Microsoft "M$". I can't really instruct you to change your writing style, so it's entirely likely that people will catch on that it's you again.
As long as you follow my advice in whole, they most likely won't call you on it. Most people here are reasonable, and they'll be happy to live and let live. Hell, if you follow my advice in full and people insist on stalking you, I will personally do my best to stop them. If that includes ruining their karma, so be it (I get 15 mod points at a rate of about once per week, so it wouldn't be particularly hard), but I'd rather not go that route.
Please, just take this advice, and we can make Slashdot a better place for everybody.
Remember, open source is free as in speech, not free as in bear.
The "carpet bombing" attack as i've heard it described is not a software flaw at all.
so they build a site that initiates a large quantity of downloads to your computer.. so what.
it's nothing more than being an a-hole web designer.
the fact it ends up on your desktop is because the user didn't change the windows default settings, and anything that happens from that point on regarding "accidental execution" of one of these littered files is the user's fault.
Why do we need a software nanny state. It's really disgusting that because of stupid people I have to go through 3 separate nags in osX in order to perform mundane tasks.
I'm sorry but user stupidity is not a valid excuse to make every app behave like clippy! "are you sure you want to do this?" "really?" "are you absolutely sure?"
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
He says that the attack he has found can be made without the carpet bomb...
Just as the attack on IE can.
Apple fixing the download-without-prompt attack won't do anything to fix the underlying problem, that just having a file sitting around in the default download directory on Windows can lead to code execution.
I suspect that the Firefox problem is similar.
exactly, this is the fault of Microsoft using "secret" files do fire off IE in the background. Stuff like autoexec on CD roms might use this to start up the program when the directory becomes available. That's a STUPID action to take!!!! Microsoft's only response is RTFM (that we didn't write) and have every program that might download something check for that file name and not download it.
Safari didn't respect the file systems "secret" files and to top it off downloads them without asking first, that in itself is a mistake... but again, it's something that Apple's software will block running until a user approves... that Microsoft doesn't support! Oh the fun!
Wonder what the fun is with Firefox? By default Safari downloads to "desktop" so what special options would Firefox use if it was the default browser?
bah, if you want bad analogies...
The first attack was more like this...
Whenever you (the user) visit some guy's house (a website), I (Safari) will automatically dump scorpions all over your face (desktop). Luckily, they're quite docile little scorpions so as long as you don't touch them (run the downloaded files), you'll be fine.
But then along comes my roommate (Internet Explorer), grabs one of the scorpions and plants it stinger smack dab on your jugular.
Clearly, then, my roommate is to blame. So, never interact with my roommate and oh-by-the-way enjoy walking around with scorpions on your face.
Did I mention that some of those scorpions are excellent at camouflaging themselves? They can make themselves look like the darndest and most benign things... perhaps they'll masquerade themselves as your glasses (some random program you tend to use a lot). You put on your glasses (run the program) like you do every day and *ZING*.
But hey, you probably use an operating system (say, OS X) that I (Safari) runs on that doesn't just let you put your glasses on - perhaps it recognizes that they're not even your glasses, and warns you. Good for you! Say, how are all those scorpions down your pants (download directory) working out for you?
But the above are really just bad analogies. Suffice to say that there's really no good reason to allow a website to litter your desktop -or- your downloads directory with a bunch of files.. but if you -can- think of one: great! you'll be one of those who will check the "allow websites to automatically download files to my computer" checkbox... once (if ever) that makes in, that is.
=====
Disclaimer: I like Apple (yes, dear commenter from a previous thread.. re-read my post. I do like Apple.), but they can suggest I install it all they want whenever QuickTime goes and updates itself, I'm not touching it - I'm quite fine with FireFox (2.. 'll wait for the v3 dust to settle.)
...err, what is Microsoft doing to fix their end of the problem? I mean, this (IIRC) only works if the victim has Microsoft Windows as their OS.
I mean, this isn't specifically to slam MSFT, but the guy who discovered this works... for Microsoft. The attack vector stops cold if the user is on OSX and/or Linux, but does work in Windows.
So, umm... what's Microsoft doing about this (assuming they can), Mr. Rios?
Quo usque tandem abutere, Nimbus, patientia nostra?
..or the windows user who invites scorpions into their home if they are holding up a "free titties" banner.
Dude,do you have ANY idea how totally Psycho you come off when you reply to yourself all the time like that? It makes me think of those homeless guys you see walking down the street arguing with themselves. Of course all your inner voices are all "good on you" so I don't know whether to be happy that at least your delusions are confrontational or sad for the fact that your head is full of yes men. But as always my 02c,YIVMV(your inner voices may vary)
ACs don't waste your time replying, your posts are never seen by me.
Well, you're getting off track here. You can comment on how M$ should make their APIs more clear... but your comments are pretty off base.
SO they did fix it. Open your fucking eyes. The blended flaw with IE is already fixed. Now theirs a blended flaw with Safari and Firefox. M$ can't fix Apple's shitty code on their OS.
Damn, that's the most genius comment on Slashdot all year.
Angry much?
Your summary for the article is wrong. I'd keep my head down in your position.
Microsoft have not fixed anything. Apple fixed the Safari "Carpet Bomb" issue.
The IE execution issue is still active. Rios is just pointing out that Firefox can also be used to exploit the Safari issue, if the current Safari patch is not deployed.
So just to re-cap: Apple's shitty code is fixed. Microsoft and Mozilla's shitty code needs fixing.
Posting a summary on Slashdot claiming that there is still an unfixed issue in Safari seems a bit like spreading FUD.
Except that NOTHING is clear:
http://xs-sniper.com/blog/
He is saying that the "Carpet Bomb" issue IS fixed, but that he is aware of three other methods to exploit interaction between Safari and Firefox.
He is giving out no details, no work-arounds and no advice on how to protect yourself. It's all a little bit vague.
I'm starting to suspect Shenanigans.
OHNOES THE TROLL ZOO!!!111!!!1!! Worried I'll threaten to kill you again, Twit?
You really are a complete prick.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Who modded this guy insightful?
Who is this guy to think that the market should be catering to him instead of the millions of other people who aren't as wise with computers?
I think you are confusing stupidity with ignorance which is a big mistake. Just because someone isn't wise to all of the risks and no-nos in computers doesn't mean they are stupid. How much do you know about quantum physics or hispano-arabic literature? Because you lack knowledge in a field doesn't make you stupid.
The future of computers isn't every user learning so much more about computers but computers being more and more idiotproof. And these ignorant computer users are the majority of the market so guess where things are heading.
http://greenobyl.com/ please.... think of the children!!
No web browser should be able to download files to your computer without your approval.
NONE.
There is no excuse for this retarded behavior of Safari. No web browser except Safari ever allowed this.
I have a better solution.
How about people stop replying going "This is a Twitter sockpuppet!" because
a) Nobody fucking cares
b) if all of these names are supposedly sockpuppets, replying and pointing it out FEEDS THE TROLL.
Of course, expecting this to happen is futile, so all I've done is write a special greasemonkey script. Anyone that replies and points out supposed Twitter sockpuppets have their posts disappear from my view permanently, because not even adding foes is enough to block the idiocy.
"We need to get over this notion, that, for Apple to win... Microsoft must lose." - Steve Jobs, 1997
This should be easy to patch: STOP USING WINDOWS!!
Anti-Slash? That's fucking priceless. Neither you nor Slashdot are important enough for me to spend money on.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Let's assume for a moment that you are not in fact twitter, but are merely some other person with an identical writing style, identical view points, and identical paranoia and who just happens to post in the same threads as twitter sockpuppets with an alarmingly high frequency.
Hello, ibane. Please, tell me why you think Microsoft would invest money in downmodding twitter, of all people. Think what you want about Microsoft, but the one thing we can all agree that they know is marketing and PR. They know better than to spend resources downmodding one troll on slashdot.
I assure you, if twitter's views are as popular as you say AND he stated them in an intelligent matter, no PR firm could possible silence him as you say. Enough moderators read slashdot raw and uncut that they would upmod twitter no matter what the PR firm did, and there is no way any PR firm could maintain control unless they held a majority of the active accounts on slashdot.
Honestly, though, I am most interested in hearing your logic as to how we are idiots for assuming that people with identical writing styles and identical views and who always post in the same threads as each other, often with surprisingly little time between each other's posts, are sockpuppets, but y'all are perfectly reasonable in believing that everyone who has ever disagreed with you is part of some PR firm who has a grudge against you.
Remember, open source is free as in speech, not free as in bear.
I've gotten tired of the entire twitter thing, too. You'll note that I'm not just calling out sockpuppets like everyone else. I'm proposing the easiest and most reasonable way to end this thing. It's far easier to convince a single person to stop than to convince the however many that are following twitter, plain and simple.
Remember, open source is free as in speech, not free as in bear.
Why is Microsoft like it is, greedy, criminal and focused on PR instead of product? Because it worked for them once and they are incapable of anything else.
Do you have a better reason for the attack on Peter Quinn? How about Peter Gutmann? Why does M$ hate, smear and seek the distruction of Google, Wikipedia, GNU/Linux and OLPC?
Microsoft is here and they have many accounts which they abuse. It's not easy for them but the comments section is filled with endorsments of their crap and flames for everyting people at Slashdot might like. Don't you think it's odd to find people saying good things about Vista when less than 10% of the general public wanted it and it is simply irrelevant to most Slashdot readers?
Like PJ said, people are not as dumb as Microsoft needs them to be.
Intellectual property was the desert property of the twenth century.
I'm not denying that they're focused on PR; it's rather obvious they are. but that's ignoring my question: why would they care about twitter? Twitter is a single voice on slashdot that already annoys people who are part of the Open Source movement. Slashdot, of all places. The prevailing opinions on slashdot are either pro-open-source or pro-use-whatever-tool-gets-the-job-done. It's not exactly like downmodding twitter would do _anything_ to help Microsoft. Unless Microsoft wanted to invest a significant amount of resources in being the primary voice on Slashdot, speaking to people they wouldn't be able to get through to in the first place, they really couldn't have a major effect on anything. No matter how PR-focused they are (ie, very), there's simply not enough benefit to be had here.
I know you're going to find this one shocking: Some people actually like Microsoft products and use them on a regular basis. Yes, even people not being paid by Microsoft. This one is also going to shock you: some people don't like GNU/Linux or other open source projects. Yes, even people not being paid by Microsoft. Not everybody thinks exactly like you. I'll give you a moment to actually think about that fact.
Have you processed that bit? Good.
Don't you think it's odd to find people saying good things about Vista when less than 10% of the general public wanted it and it is simply irrelevant to most Slashdot readers?
No, I don't. It makes sense. There are some people that like it that aren't paid by Microsoft. They don't have to be a significant percentage of people to even be heard on Slashdot. If you consider that not everybody think exactly the same way you do, it will start making sense to you, too. You may consider it an inferior product (as do I), but other people with different tastes don't. Or maybe they do, but consider it usable and will live with it because they need it for some work-related application or non-work-related games.
Not everybody who disagrees with you has to be paid off by somebody. Some people just have naturally differing opinion.
Remember, open source is free as in speech, not free as in bear.
No, of course you're not.
The twitter monologues. Click on my homepage and be amazed.
See twitter, here's the problem. You're carrying on a conversation with someone who is trying to get you to come to your senses, and the only thing you're capable of is to continue to claim Bill Gates has a personal vendetta against you, equate yourself with people who actually do contribute good things to free software, and continue to deny that you have no sockpuppets.
The premise of your argument is invalid, therefore everything else can be safely discarded as it is, just fluff. "M$" is not after some random Slashdot user. You were shunned by the community because of your extremism, and your response was to create 9 more accounts that shill each other and accuse everyone that disagrees with you (or points out your shilling) as being employed by Microsoft.
If you can't see the inherent problem in all this, then your paranoia is in fact real and not faked, and there's nothing anyone can do or say to help you.
The twitter monologues. Click on my homepage and be amazed.
but that's exactly what's going on. The OS fires off IE whenever certain special file names are present... ever... Microsoft's products know this and "just don't do that". Safari developers can't seriously be expected to remember every single special file ... but they allow unconfirmed downloads to a very common special directory.
The response from Microsoft was simply to "not download" those type of files... that was the official response!!! Apple responded with "don't run junk by default", our developers won't fix it, because OUR OS warns users of new programs so our Safari developers don't have to worry about blacklisting certain files from download.
It's right out of Dilbert with each PHB pointing to the corporate marketing directives and saying it's not "my" fault.
So the question stands that some how Safari's automatic download (maybe before the fix) can download something "special" effecting firefox that their developers are assuming would "never happen".
Surely I am. I get tired of fighting arguments about who's OS is better. It really doesn't matter, the point is that there's a security issue. My understanding is that IE has had a patch released, but I could be wrong on that, but either way it is on the way. Apple has "fixed" the Safari Carpet Bomb issue, but Rios has said that it is still not truly fixed and that there is still ways to place files in predictable locations. This came in communication with the author of the original article.
For example you could use OSX as your desktop operating system.
When I click on a hyperlink, I want what its linked to to come down..
what do you want me to do, plead with curse to give me my addons?!
The problem is not apple's problem, hell it's not even microsoft's.
the problem is these people are misrepresenting a hyperlink as a web page when it's really a direct download link.
This does not mean I should be nagged because people are too dumb to say "I didn't request this file so i wont open it"
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
Everyone who wasn't an idiot learned not to do this when they were a toddler and reached out to touch the stove coils because they were pretty and glowing.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
No web browser should be able to download files to your computer without your approval.
NONE.
There is no excuse for this retarded behavior of Safari. No web browser except Safari ever allowed this.
Except Internet Explorer, but it's not so kind as to leave evidence of its downloading on your desktop.The AC I was answering was stating that not using Windows will mean "all productivity will shut down" and quote:
"Year of the Linux Desktop" my ass. And I was answering to that.Besides, I use Opera on Windows, Linux and Mac OSX.
Discarding your paranoid fantasies of my employment by Microsoft, it's important to note that for years you were called once and again on the lies and fabrications you post to Slashdot, and all you did was insult everyone that questioned your righteousness, or simply try to ignore anything that made you uncomfortable. If anyone wants proof of this outside of Slashdot all they need to look at is this. You never did reply to Bruce Byfield there, did you? Of course not, because he ripped you a new one.
It's always the same, except that now you have to add the "I have no sockpuppets" byline.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
There is no clicking involved here - it is a web page that can just spontaneously execute Javascript to initiate a file download, which just spontaneously appears on your desktop, with no user interaction AT ALL.
It is an obvious opera flaw.
Safari has a lot of things wrong with it. Firefox is a much better system. -Alan B Fabian