Slashdot Mirror
Safari "Carpet Bomb" Attack Still a Risk
SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."
Assuming for a second you are not, it's very telling that your reply is exactly 2 minutes after twitter's post. More importantly, what exactly is the point of your reply? "Good on you"? More likely you are simply replying to your own post to see if you can bring attention to it, which is a game you've been playing for a while now.
being blown out with malicious moderation
I don't see anything malicious about this, you are being moderated negatively because you deserve it. It makes no difference how much you claim you are being "unfairly" targeted by misrepresenting and exaggerating what other people say about you.
The twitter monologues. Click on my homepage and be amazed.
It implies that Safari still has major problems, while the summary clearly states that this issue (that was discovered in Safari), is now found to affect FireFox 2/3. Further, it implies a situation completely opposite of what is stated lower in the summary, that Apple did a good first pass at squashing the attack, and that it is now better understood.
I think a more accurate headline would have stated that FireFox was found to be not immune to a security problem found in IE and Safari. Unfortunately, this would imply that there is a problem with an OSS piece of software (which will quickly be fixed).
-- Len
It's called responsible disclosure. You'd be surprised at the number of people around here that advocate full disclosure, that is, telling the whole world all the details of a security problem as soon as you find it. The ones who advocate it keep saying it somehow allows users to protect themselves. On the other hand, it seems like everyone who practices full disclosure has a l33t hacker name and is looking for attention, and not at all concerned with anyone's security.
What a fool believes, he sees, no wise man has the power to reason away.
Well, there is two sides to that coin...
A "1337" user, may want full disclosure, so that he can patch his software immediately, and maybe other people who run the same software (White Hat)
Another 1337 user, may patch his own software, and then begin to propagate a script to take advantage of unpatched software (Black Hat) which, could be for a sort of Grey Hat intention, "see? fix it!" or simply for malicious intent.
The problem with Full Disclosure, is that you can't inform everyone, or update everything instantly, so it only helps those in the know (which isn't many), so partial/non-disclosure is generally better (in consumer products), but Full Disclosure would be appropriate for a closed network, non-consumer software.
Somewhat redundant, but had to comment.
It wouldn't be the first time I got the wrong end of the stick, but Rios blog seems to suggest that he has discovered a way to use the original "Carpet Bomb" issue with Firefox to steal user data.
He states that Apple have fixed their part, but seems to be saying that he won't reveal the Firefox issue because...
Mozilla is working on the issue and they've got a responsive team, so I'm sure we'll see a fix soon.
So what are Apple supposed to be patching or responding to?
Anyone else read the article (that way)?
Twitter, I have a reasonable request for you: please stop the sockpuppetry and, more importantly, please stop the trolling.
You seem to take every chance you get to hijack a thread and turn it into Microsoft or Windows bashing, even when it's not the issue at hand. This doesn't help anybody. It especially doesn't help your cause of advocating Linux, and I don't know why you think it does. As a Linux user and advocate (Debian, lenny, if you must know), I wish you would stop. There are far more useful and intelligent ways to spread Linux.
You also use your sockpuppets to try to lend legitimacy to your posts. This definitely doesn't help your cause at all. This pretty much only serves to disrupt slashdot and cause people to turn against you. Everything all of your sockpuppets say could just as easily be said by a single person. The more legitimate posts could definitely be said by a single person, and you might actually get modded up once in a while.
Your habit of accusing everyone who disagrees with you an idiot or a paid troll doesn't help either. The former makes you appear to be an arrogant asshole, as it implies that your opinion is correct, period, and no other opinion is at all legitimate. The latter makes you appear paranoid. This definitely doesn't help you.
So, I have one reasonable solution for you, and I highly suggest you take it: make one more new account. Stop using the twitter account and all of the sock puppets. Never mention twitter or the sock puppets with the new account. Pretty much, ignore your entire slashdot history. Stop hijacking threads into Microsoft bashing. Stop calling Microsoft "M$". I can't really instruct you to change your writing style, so it's entirely likely that people will catch on that it's you again.
As long as you follow my advice in whole, they most likely won't call you on it. Most people here are reasonable, and they'll be happy to live and let live. Hell, if you follow my advice in full and people insist on stalking you, I will personally do my best to stop them. If that includes ruining their karma, so be it (I get 15 mod points at a rate of about once per week, so it wouldn't be particularly hard), but I'd rather not go that route.
Please, just take this advice, and we can make Slashdot a better place for everybody.
Remember, open source is free as in speech, not free as in bear.
exactly, this is the fault of Microsoft using "secret" files do fire off IE in the background. Stuff like autoexec on CD roms might use this to start up the program when the directory becomes available. That's a STUPID action to take!!!! Microsoft's only response is RTFM (that we didn't write) and have every program that might download something check for that file name and not download it.
Safari didn't respect the file systems "secret" files and to top it off downloads them without asking first, that in itself is a mistake... but again, it's something that Apple's software will block running until a user approves... that Microsoft doesn't support! Oh the fun!
Wonder what the fun is with Firefox? By default Safari downloads to "desktop" so what special options would Firefox use if it was the default browser?
...err, what is Microsoft doing to fix their end of the problem? I mean, this (IIRC) only works if the victim has Microsoft Windows as their OS.
I mean, this isn't specifically to slam MSFT, but the guy who discovered this works... for Microsoft. The attack vector stops cold if the user is on OSX and/or Linux, but does work in Windows.
So, umm... what's Microsoft doing about this (assuming they can), Mr. Rios?
Quo usque tandem abutere, Nimbus, patientia nostra?