Slashdot Mirror


Safari "Carpet Bomb" Attack Still a Risk

SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."

22 of 117 comments

  1. Re:News Flash: Windows is still a risk. by willyhill · · Score: 3, Informative
    Having been accused of being a sock puppet

    Assuming for a second you are not, it's very telling that your reply is exactly 2 minutes after twitter's post. More importantly, what exactly is the point of your reply? "Good on you"? More likely you are simply replying to your own post to see if you can bring attention to it, which is a game you've been playing for a while now.

    being blown out with malicious moderation

    I don't see anything malicious about this, you are being moderated negatively because you deserve it. It makes no difference how much you claim you are being "unfairly" targeted by misrepresenting and exaggerating what other people say about you.

    --
    The twitter monologues. Click on my homepage and be amazed.
  2. Is the headline a bit sensational? by LenE · · Score: 3, Insightful

    It implies that Safari still has major problems, while the summary clearly states that this issue (which was discovered in Safari) is now found to affect Firefox 2/3. Further, it implies a situation completely opposite of what is stated lower in the summary, that Apple did a good first pass at squashing the attack, and that it is now better understood.

    I think a more accurate headline would have stated that Firefox was found to be not immune to a security problem found in IE and Safari. Unfortunately, this would imply that there is a problem with an OSS piece of software (which will quickly be fixed).

    -- Len

    1. Re:Is the headline a bit sensational? by tehniobium · · Score: 5, Informative

      LenE has misunderstood it. The bug is a joint venture from Firefox and Safari, but Firefox alone is not vulnerable to this. RTFA

      --
      No kitty, this is my pot pie!
    2. Re:Is the headline a bit sensational? by tehniobium · · Score: 3, Informative
      From TFA:

      I've discovered a way to use the Safari's carpet bomb in conjunction with Firefox to steal user files from the local file system.

      Notice the phrase "in conjunction" - that means you need to exploit the carpet bombing bug in Safari... thereby uncovering a security problem in Firefox that allows you to "steal" files.
      --
      No kitty, this is my pot pie!
    3. Re:Is the headline a bit sensational? by SecureThroughObscure · · Score: 2, Insightful

      So, there are a couple of issues here. The first is that you can place files on the user's desktop. This IS (or at least was) Safari's problem. All it takes is crafting a file that has an icon that looks like IE or your recycle bin, or whatever else, and someone double-clicks to get owned. The second issue becomes the blended attack: using Safari to place the file, then something else to kick the file off. This is where IE originally came in, but Microsoft patched that, and now we have FF 2/3. I would not be surprised to see Opera have similar blended issues. So, the whole point is that our systems are becoming more complex with all of the options out there that are available to us. These interactions can lead to unexpected security issues.

    4. Re:Is the headline a bit sensational? by IrrepressibleMonkey · · Score: 3, Informative
      From the summary:

      Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue.

      From the article:

      Mozilla is working on the issue and they've got a responsive team, so I'm sure we'll see a fix soon.

      Telling people to RTFA doesn't really help. The Firefox issue that Mozilla is working on CAN be exploited with the now patched Safari "Carpet Bomb" bug.

      But that doesn't mean you NEED to use Safari to exploit the Firefox bug. Presumably you can use any method to download a rogue file to the user's desktop.

      Sometimes you need to do more than RTFA. We're just trying to understand the issue.

      Clearly SecureThroughObscure does not. You seem to be over-simplifying as well.
    5. Re:Is the headline a bit sensational? by jackjeff · · Score: 2, Interesting

      I still fail to understand why downloading files to the desktop is a major security problem...

      That's quite funny that Microsoft urged Apple to fix this, whereas the actual failure was in IE7.

      It's not the job of Apple or Firefox (we don't know about this bug anyway) to fix everyone else's (Microsoft's) security problems.

  3. posting exploits of vulnerabilities by commodoresloat · · Score: 2, Interesting

    Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue.

    Seems sensible; I always thought this was standard practice with vulnerabilities. It helps ensure that at least the company who introduced the vulnerability has an opportunity to release a patch before the attack vectors are in the hands of every script kiddie around. It's definitely an approach the poster of this story should have considered.
    1. Re:posting exploits of vulnerabilities by bunratty · · Score: 5, Insightful

      It's called responsible disclosure. You'd be surprised at the number of people around here that advocate full disclosure, that is, telling the whole world all the details of a security problem as soon as you find it. The ones who advocate it keep saying it somehow allows users to protect themselves. On the other hand, it seems like everyone who practices full disclosure has a l33t hacker name and is looking for attention, and not at all concerned with anyone's security.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    2. Re:posting exploits of vulnerabilities by Vectronic · · Score: 5, Interesting

      Well, there are two sides to that coin...

      A "1337" user may want full disclosure, so that he can patch his software immediately, and maybe other people who run the same software (White Hat).

      Another 1337 user may patch his own software, and then begin to propagate a script to take advantage of unpatched software (Black Hat), which could be for a sort of Grey Hat intention, "see? fix it!", or simply for malicious intent.

      The problem with Full Disclosure is that you can't inform everyone, or update everything instantly, so it only helps those in the know (which isn't many), so partial/non-disclosure is generally better (in consumer products), but Full Disclosure would be appropriate for a closed network, non-consumer software.

      Somewhat redundant, but had to comment.

    3. Re:posting exploits of vulnerabilities by SecureThroughObscure · · Score: 2, Interesting

      It's not just that though. You make great points that an advanced user can likely find a workaround for some issues and SHOULD have the right to fix an issue if possible (thus requiring full disclosure). The other thing to consider here: a lot of vendors are in the freaking prehistoric period when it comes to addressing issues. Originally, Apple decided NOT to fix this issue, because you could only put executable content on a user's desktop. I mean, by itself, that's still a big issue. When vendors take these approaches, it becomes easier for researchers to just drop an 0-day.

  4. Re:Somehow, I know MS/IE is behind the FF flaw by catwh0re · · Score: 2, Insightful

    To put it in terms of an exaggerated Slashdot-style analogy:

    With how MS worded the first attack (which was only made usable by faults in MS software), it would be equivalent to MS shipping a piece of software that changed all your passwords to "password" if you installed Firefox or Safari, then releasing a statement that reads something like "Firefox and Safari put Windows at a security risk."

  5. Maybe I'm missing something? by IrrepressibleMonkey · · Score: 3, Interesting

    Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue.

    It wouldn't be the first time I got the wrong end of the stick, but Rios' blog seems to suggest that he has discovered a way to use the original "Carpet Bomb" issue with Firefox to steal user data.

    He states that Apple have fixed their part, but seems to be saying that he won't reveal the Firefox issue because...

    Mozilla is working on the issue and they've got a responsive team, so I'm sure we'll see a fix soon.

    So what are Apple supposed to be patching or responding to?

    Anyone else read the article (that way)?
    1. Re:Maybe I'm missing something? by 99BottlesOfBeerInMyF · · Score: 3, Informative

      It wouldn't be the first time I got the wrong end of the stick, but Rios' blog seems to suggest that he has discovered a way to use the original "Carpet Bomb" issue with Firefox to steal user data.

      Yup, so if you can get a file onto the desktop, you can steal data from people with Firefox installed... in some unspecified way. At least that is how I read it.

      So what are Apple supposed to be patching or responding to?

      I don't see that Apple is supposed to be responding to anything at this point. I don't think his blog implied that they were.

  6. Re:News Flash: Windows is still a risk. by masterzora · · Score: 4, Informative

    Twitter, I have a reasonable request for you: please stop the sockpuppetry and, more importantly, please stop the trolling.

    You seem to take every chance you get to hijack a thread and turn it into Microsoft or Windows bashing, even when it's not the issue at hand. This doesn't help anybody. It especially doesn't help your cause of advocating Linux, and I don't know why you think it does. As a Linux user and advocate (Debian, lenny, if you must know), I wish you would stop. There are far more useful and intelligent ways to spread Linux.

    You also use your sockpuppets to try to lend legitimacy to your posts. This definitely doesn't help your cause at all. This pretty much only serves to disrupt slashdot and cause people to turn against you. Everything all of your sockpuppets say could just as easily be said by a single person. The more legitimate posts could definitely be said by a single person, and you might actually get modded up once in a while.

    Your habit of accusing everyone who disagrees with you of being an idiot or a paid troll doesn't help either. The former makes you appear to be an arrogant asshole, as it implies that your opinion is correct, period, and no other opinion is at all legitimate. The latter makes you appear paranoid. This definitely doesn't help you.

    So, I have one reasonable solution for you, and I highly suggest you take it: make one more new account. Stop using the twitter account and all of the sock puppets. Never mention twitter or the sock puppets with the new account. Pretty much, ignore your entire slashdot history. Stop hijacking threads into Microsoft bashing. Stop calling Microsoft "M$". I can't really instruct you to change your writing style, so it's entirely likely that people will catch on that it's you again.

    As long as you follow my advice in whole, they most likely won't call you on it. Most people here are reasonable, and they'll be happy to live and let live. Hell, if you follow my advice in full and people insist on stalking you, I will personally do my best to stop them. If that includes ruining their karma, so be it (I get 15 mod points at a rate of about once per week, so it wouldn't be particularly hard), but I'd rather not go that route.

    Please, just take this advice, and we can make Slashdot a better place for everybody.

    --
    Remember, open source is free as in speech, not free as in bear.
  7. The WoW Troll is relevant, problem btwn kb & c by plasmacutter · · Score: 2, Insightful

    The "carpet bombing" attack as I've heard it described is not a software flaw at all.

    So they build a site that initiates a large quantity of downloads to your computer... so what.

    It's nothing more than being an a-hole web designer.

    The fact it ends up on your desktop is because the user didn't change the Windows default settings, and anything that happens from that point on regarding "accidental execution" of one of these littered files is the user's fault.

    Why do we need a software nanny state? It's really disgusting that because of stupid people I have to go through 3 separate nags in OS X in order to perform mundane tasks.

    I'm sorry, but user stupidity is not a valid excuse to make every app behave like Clippy! "Are you sure you want to do this?" "Really?" "Are you absolutely sure?"

    --
    VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
  8. I don't think you are missing anything. by argent · · Score: 2, Insightful

    He says that the attack he has found can be made without the carpet bomb...

    Just as the attack on IE can.

    Apple fixing the download-without-prompt attack won't do anything to fix the underlying problem, that just having a file sitting around in the default download directory on Windows can lead to code execution.

    I suspect that the Firefox problem is similar.

  9. Re:Somehow, I know MS/IE is behind the FF flaw by mabhatter654 · · Score: 3, Insightful

    Exactly, this is the fault of Microsoft using "secret" files to fire off IE in the background. Stuff like autoexec on CD-ROMs might use this to start up the program when the directory becomes available. That's a STUPID action to take!!!! Microsoft's only response is RTFM (that we didn't write) and have every program that might download something check for that file name and not download it.

    Safari didn't respect the file system's "secret" files and, to top it off, downloads them without asking first; that in itself is a mistake... but again, it's something that Apple's software will block running until a user approves... that Microsoft doesn't support! Oh the fun!

    Wonder what the fun is with Firefox? By default Safari downloads to "desktop" so what special options would Firefox use if it was the default browser?

  10. Re:Somehow, I know MS/IE is behind the FF flaw by Animaether · · Score: 2, Interesting

    Bah, if you want bad analogies...

    The first attack was more like this...

    Whenever you (the user) visit some guy's house (a website), I (Safari) will automatically dump scorpions all over your face (desktop). Luckily, they're quite docile little scorpions so as long as you don't touch them (run the downloaded files), you'll be fine.
    But then along comes my roommate (Internet Explorer), grabs one of the scorpions and plants its stinger smack dab on your jugular.

    Clearly, then, my roommate is to blame. So, never interact with my roommate and oh-by-the-way enjoy walking around with scorpions on your face.

    Did I mention that some of those scorpions are excellent at camouflaging themselves? They can make themselves look like the darndest and most benign things... perhaps they'll masquerade themselves as your glasses (some random program you tend to use a lot). You put on your glasses (run the program) like you do every day and *ZING*.

    But hey, you probably use an operating system (say, OS X) that I (Safari) runs on that doesn't just let you put your glasses on - perhaps it recognizes that they're not even your glasses, and warns you. Good for you! Say, how are all those scorpions down your pants (download directory) working out for you?

    But the above are really just bad analogies. Suffice to say that there's really no good reason to allow a website to litter your desktop -or- your downloads directory with a bunch of files... but if you -can- think of one: great! You'll be one of those who will check the "allow websites to automatically download files to my computer" checkbox... once (if ever) that makes it in, that is.

    =====

    Disclaimer: I like Apple (yes, dear commenter from a previous thread... re-read my post. I do like Apple.), but they can suggest I install it all they want whenever QuickTime goes and updates itself, I'm not touching it - I'm quite fine with Firefox (2... I'll wait for the v3 dust to settle.)

  11. One missing piece of the puzzle? by Penguinisto · · Score: 3, Insightful

    ...err, what is Microsoft doing to fix their end of the problem? I mean, this (IIRC) only works if the victim has Microsoft Windows as their OS.

    I mean, this isn't specifically to slam MSFT, but the guy who discovered this works... for Microsoft. The attack vector stops cold if the user is on OS X and/or Linux, but does work in Windows.

    So, umm... what's Microsoft doing about this (assuming they can), Mr. Rios?

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  12. Re:MSFT has to fix this. Windows security issue. by SecureThroughObscure · · Score: 2

    So they did fix it. Open your fucking eyes. The blended flaw with IE is already fixed. Now there's a blended flaw with Safari and Firefox. M$ can't fix Apple's shitty code on their OS.

  13. Re:MSFT has to fix this. Windows security issue. by IrrepressibleMonkey · · Score: 2, Informative

    Angry much?

    Your summary for the article is wrong. I'd keep my head down in your position.

    Microsoft have not fixed anything. Apple fixed the Safari "Carpet Bomb" issue.

    The IE execution issue is still active. Rios is just pointing out that Firefox can also be used to exploit the Safari issue, if the current Safari patch is not deployed.

    So just to recap: Apple's shitty code is fixed. Microsoft and Mozilla's shitty code needs fixing.

    Posting a summary on Slashdot claiming that there is still an unfixed issue in Safari seems a bit like spreading FUD.