Slashdot Mirror

← Back to Stories (view on slashdot.org)

Safari "Carpet Bomb" Attack Still a Risk

Posted by kdawson on from the will-it-blend dept.

SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."

3 of 117 comments (clear)

  1. Re:Is the headline a bit sensational? by tehniobium · · Score: 5, Informative

    LenE has misunderstood it. The bug is a joint venture from firefox and safari, but firefox alone is not vulnerable to this. RTFA

    --
    No kitty, this is my pot pie!
  2. Re:posting exploits of vulnerabilities by bunratty · · Score: 5, Insightful

    It's called responsible disclosure. You'd be surprised at the number of people around here that advocate full disclosure, that is, telling the whole world all the details of a security problem as soon as you find it. The ones who advocate it keep saying it somehow allows users to protect themselves. On the other hand, it seems like everyone who practices full disclosure has a l33t hacker name and is looking for attention, and not at all concerned with anyone's security.

    --
    What a fool believes, he sees, no wise man has the power to reason away.
  3. Re:posting exploits of vulnerabilities by Vectronic · · Score: 5, Interesting

    Well, there is two sides to that coin...

    A "1337" user, may want full disclosure, so that he can patch his software immediately, and maybe other people who run the same software (White Hat)

    Another 1337 user, may patch his own software, and then begin to propagate a script to take advantage of unpatched software (Black Hat) which, could be for a sort of Grey Hat intention, "see? fix it!" or simply for malicious intent.

    The problem with Full Disclosure, is that you can't inform everyone, or update everything instantly, so it only helps those in the know (which isn't many), so partial/non-disclosure is generally better (in consumer products), but Full Disclosure would be appropriate for a closed network, non-consumer software.

    Somewhat redundant, but had to comment.