Slashdot Mirror


User: recoiledsnake

recoiledsnake's activity in the archive.

Stories: 0
Comments: 1,986

Comments · 1,986

  1. Re:Accidentents. on Microsoft Urges Windows Users To Shun Safari · · Score: 4, Insightful

    On OS X Leopard, any executable .app that is downloaded from the Internet requires your explicit permission in order to execute. So it does in Windows (even if downloaded through Firefox). It's just that Safari doesn't mark executables as 'Downloaded from the internet'. This has nothing to do with one OS vs. the other. It's just that Apple is not following proper Windows guidelines while Mozilla etc. do.
  2. Re:Accidentents. on Microsoft Urges Windows Users To Shun Safari · · Score: 1

    The real danger lies in the Apple fanboy's spin. Firefox doesn't have this problem because they do it the proper way. Safari doesn't mark files as dangerous.

  3. Re:Accidentents. on Microsoft Urges Windows Users To Shun Safari · · Score: 3, Insightful

    Safari on Mac OS X doesn't need it - it's built into the Finder itself, so you get the warning regardless of what you used to download the app. I think I have to agree with Apple on this. Flooding your download directory with crap is annoying as hell, and downloads should certainly be made optional for that reason. But it's not a security problem - the security problem is that Windows Explorer doesn't warn the user before running an unknown .exe. MSDN contains clear instructions on how to mark an executable as unsafe. It's not Windows Explorer's fault that Apple chose to ignore it. Whatever you try to spin it as, the security problem is that Safari allows crapflooding of user folders without user intervention aside from just visiting a webpage. Otherwise Firefox/Opera would have this 'problem' too, not just Safari.
  4. Re:Accidentents. on Microsoft Urges Windows Users To Shun Safari · · Score: 1

    Only transvestites will like those.

  5. Re:Accidentents. --lol on Microsoft Urges Windows Users To Shun Safari · · Score: 4, Funny

    Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. You mean Apple actually has a HIG team for Windows applications like Quicktime, iTunes and Safari?????
  6. Blurry eyes! on Microsoft Urges Windows Users To Shun Safari · · Score: 1

    "Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you." With hundreds of files on your desktop, what are the odds you'd hit one when you are just blanking out a selection, or deleting them, or frustratingly smack your mouse for [whatever reason] That makes it easier to do with all the blurry fonts in Safari messing up your eyes! (I know Mac users like the thick fonts, but please spare the Windows users who like the sharp fonts).
  7. Re:Accidentents. on Microsoft Urges Windows Users To Shun Safari · · Score: 4, Informative

    Wrong, Apple has been installing Safari on Windows users' machines disguised as an update to iTunes/Quicktime. And iTunes has hundreds of millions of users. Even if 5% of them use Safari, it's a pretty big demographic.

  8. Re:What's good for the goose... on Microsoft Urges Windows Users To Shun Safari · · Score: 1

    Oh, I see. So, the auto-download feature doesn't "properly" tag them like IE7 does, so users might accidentally execute a program without being first informed it was downloaded? Gosh. Sounds less like a security vulnerability than MS blowing smoke. It sounds more like you're blowing smoke. IE doesn't auto-download files like Safari does. So all this stuff about tagging is at best a red herring you're trying to distract people with.

    Oh, well now it's sounding more like it'll be downloaded *and* executed automatically. Of course, if that's the case, half the "security vulnerability" is in Windows automatically executing things. If not, MS is simply lying..unless they have proof that Safari is the one causing said automatic execution. Remember, security is all about layers. Not downloading stuff that the user didn't ask to download is one layer. This vulnerability broke that layer, hence makes it easier to break security. One way is that users like clicking on shiny icons. The other is that, another as-yet unknown low impact vulnerability can make this a deadly drive-by exploit that can delete all your documents and pictures with one visit to a website in Safari. And Apple refuses to acknowledge this as serious.
  9. Re:prefs on Microsoft Urges Windows Users To Shun Safari · · Score: 2, Funny

    You can tell Safari to put downloaded files wherever you want. So they don't have to be on the desktop. How can I tell Safari to put downloaded files in /dev/null?
  10. Re:In Apple's defense on Microsoft Urges Windows Users To Shun Safari · · Score: 2, Informative

    isn't the main reason for Safari being on Windows is so that developers can test web pages for iPhone compatibility? OTOH, there's the whole thing with Apple Update on Windows pushing Safari at you, so that must no longer be true. No. It isn't. Look here. And before you say it was an oversight, remember, Jobs goes over every word and picture of his presentations with a zeal bordering on OCD.
  11. Re:pot/kettle on Microsoft Urges Windows Users To Shun Safari · · Score: 3, Insightful

    One other thing that hit me immediately... MS: "Omigod they found a BUG in our competitor's web browser! Because we're very concerned for our users' security, we urge you to stop using that browser immediately! Users should NEVER use a buggy web browser! (unless it's explorer)" Safari has been sneaked into millions of computers by Apple disguised as an iTunes/Quicktime update. Guess who gets the blame for all the spyware and exploits that get loaded up on Windows by Safari. Hint: You see hundreds of highly moderated comments on Slashdot blaming said entity whenever there's an article about spyware/viruses/malware.
  12. Re:Such as the mysterious second hit. on Microsoft Urges Windows Users To Shun Safari · · Score: 1

    Alright twitter, I won't call you names. Just give me one, just one link that can exploit a vulnerability that will exploit a fully patched IE 7 on Vista. Or are you just going to continue ranting about exploits in Dos 6.22 as well?

  13. Re:Such as...? on Microsoft Urges Windows Users To Shun Safari · · Score: 2, Insightful

    Maybe they're worried because Apple is pushing Safari on hundreds of millions of unsuspecting users disguised as an iTunes and Quicktime update?

  14. Fanboyism in your post is more annoying. on Microsoft Urges Windows Users To Shun Safari · · Score: 1

    IE on Vista runs in a sandbox which no other browser on any OS does. So can you tell us about one, just one disclosed known vulnerability that lets IE (patched with latest windows updates) execute malicious content without warning? Or are you full of hot air? PS: (I use Opera)

  15. Re:"Ready for my mom's desktop." on Getting Past "Ready For the Desktop" · · Score: 1

    I think most people have the opposite experience here. At least, even if I don't break windows, it tends to break itself. Are you stuck in the last decade or something? My XP install from 2002 still works fine in spite of 24/7 (reboot only for updates) heavy usage. I have so many apps installed that the start menu almost goes off the screen. I never had to repair or reinstall Windows. 2K/XP/Vista are extremely stable with proper drivers. 95/98/ME on the other hand... the less said the better.
  16. Re:You seem to be the problem on Keeping Customer From Accessing My Database? · · Score: 5, Interesting

    How are they going to mess up your database with read-only access? They could run intensive queries, I guess. But unless you've got million+ row tables that are being accessed concurrently by tens of clients, this shouldn't be much of a problem. Anyway, just enable logging and look through what they've been doing in case it's anything stupid. I used to work for a large insurance firm and we'd get a call minutes after doing against the database we shouldn't. I think the only problem would be that changes to improve the schema design would be more difficult to make because there would be pressure from the client not to break their existing ad hoc queries that they already wrote and now run for new data.
  17. Re:-1, Wrong as of Leopard. on Adobe Photoshop CS4 Will Be 64-Bit For Windows Only · · Score: 1

    -1, Wrong as of Leopard. Only wrong if you're under the influence of RDF and can't think for yourself. For the rest of us, the Leopard kernel is 32bit.
  18. Re:I vote Apple on Adobe Photoshop CS4 Will Be 64-Bit For Windows Only · · Score: 1

    You're thinking of Tiger, I think. Leopard is fully 64-bit. http://www.apple.com/macosx/technology/64bit.html You expect Apple to reveal on their website that the kernel runs in 32bit? Can you give a more credible link showing that the kernel is 64bit and the OS is fully 64bit? The ability of fanboys and moderators to change reality on Slashdot is amazing.
  19. Re:I vote Apple on Adobe Photoshop CS4 Will Be 64-Bit For Windows Only · · Score: 1

    You're wrong as of 10.5 Leopard. It's 64-bit completely through. The 64bit RDF converts a 32bit kernel to 64bit in your minds as you run it?
  20. Re:Yeah on Number of GPL v3 projects tops 2,000 · · Score: 1

    And the remaining are IRC clients.

  21. Re:Something is Fishy on Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins · · Score: 1

    What the? On Vista, you are always asked for an administrative password to do administrative stuff. If the current user is an admin, that's your own password, Where did you get this idea from? Just google search images for UAC prompt since I don't think you will believe me anyway.
  22. Re:Popcorn anyone? on Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins · · Score: 1

    Maybe by using a different browser like Firefox? Those prompts come up only with IE7 protected mode or user processes requesting admin privileges.

  23. Re:Something is Fishy on Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins · · Score: 4, Insightful

    I'm only pointing out that it is irrelevant whether the vulnerability was in Flash or in Windows, or even in Firefox, since the problem is the same: Windows is still carrying the baggage of a single-user system and as long as that is the case it will be easier to exploit. UAC does raise the barrier, but addresses a problem that only exists on Windows, since that OS still does not properly compartmentalize users the way other OSs do.

    What the hell? Do you only read highly moderated Slashdot comments for all your information on Windows or what? One exploit in Firefox or Flash on Linux (default config on all major distros) can completely and silently wipe away all your user files or ftp them to Nigeria. All your smug talk about proper compartmentalization in "other OSes" won't help shit to stop that. Can you tell us what exactly on Linux would prevent the same hole in flash (or in Firefox) from shitting all over your user directory?

    UAC does raise the barrier, but addresses a problem that only exists on Windows, since that OS still does not properly compartmentalize users the way other OSs do.

    UAC is basically sudo and like the root password prompts that come up under GUI in Linux, except that MS didn't think that it would make sense to prompt a user already designated as an admin to enter the password because the vast majority of their users run in a single user environment. If the user is not an admin, then the admin password is prompted for. Can you provide some references for how windows not properly com

    Contrast that to IE7 on Vista. Read this. It's in part an implementation of the Biba security model. So a similar vulnerability in IE7 or any of its plugins (including Flash) will only be able to work in a sandbox that prevents access to anything but low risk files like temporary internet files.

    From the linked article:

    Internet-facing applications such as browsers are inherently at a higher security risk than other applications because they can download untrustworthy content from unknown sources. IE7's Protected Mode leverages Windows Vista's UAC, MIC and UIPI features to boost browser security. In IE7's Protected Mode, which is the default in other than the Trusted security zone, the IE process runs with Low rights, even if the logged-in user is an administrator. Since add-ins to IE such as ActiveX controls and toolbars run within the IE process, those add-ins run Low as well. The idea behind Protected Mode IE is that even if an attacker somehow defeated every defense mechanism and gained control of the IE process and got it to run some arbitrary code, that code would be severely limited in what it could do. Almost all of the file system and registry would be off-limits to it for writing, reducing the ability of an exploit to modify the system or harm user files. The code wouldn't have enough privileges to install software, put files in the user's Startup folder, hijack browser settings, or other nastiness.

    So in order for the exploit on Flash to work on Vista SP1, it must have been run on Firefox/Opera/Safari OR it must have been run on IE7 and broken through the sandbox (quite possible, but the news shouldn't be about not only an exploit in Flash, but another one in Windows as well). THAT is the point of your parent post. And no, this is not an assumption. It's a fact even if you bury your head in sand.

    My own logic is sound. But I suggest that next time you feel like discussing such things, you rely on facts and leave assumptions at the door. I don't know what is worse, your lack of basic knowledge of what you're talking about or your smug self-superiority and overconfidence in the OS that you chose and your 'M$ sucks' zealotry.
  24. Re:Something is Fishy on Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins · · Score: 1

    Besides, they were using the default browser - the browser which is held as the most secure and reliable one by OS creators. On the third day of contest you were able to install other browser too. Isn't that sort of a contradiction? The parent meant they might have used a third party browser on the third day. Then you say they were using the default browser... except on the third day. What's your point again? I don't get it. You simply say what your parent's saying, except in a confusing way that can be misunderstood as if they were using only the default browser on the third day.
  25. Re:Even funnier on iPhone's Development Limitations Could Hurt It In the Long Run · · Score: 1

    Good luck getting your background app through the Apple certification process to get on the iPhone store, almost the only way to make it available for 99% of the users.