This is bad news for all eleven Safari-on-Windows users… Apple’s been making hay in its Mac vs. PC ads about Windows’ security and malware problems. But now that Apple’s playing in Microsoft’s sandbox with a Windows version of the Safari Web browser, the worm has turned.
The Windows version of Safari has a bug that’s been dubbed the “carpet bombing” flaw. It would allow a Web site to place an infinite number of shortcuts on a user’s desktop — the default download location in the Windows version — effectively covering the screen with links to potentially harmful Web sites or code. The same flaw exists in the Mac version, except that the default download location in the Mac OS is the user’s downloads folder.
Security researcher Nitesh Dhanjani, who discovered the flaw, posted this disturbing screen shot to illustrate what could happen:
Amazingly, Apple has said they don’t feel the need to fix this issue right now. In an e-mail to Dhanjani, who suggested Safari require the user to manually approve any downloads, Apple said such a fix may never be implemented!
…the ability to have a preference to “Ask me before downloading anything” is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.
And this is in a piece of software that Apple has aggressively pushed out to Windows users in a manner that some have called deceptive.
Now, Microsoft has issued a security alert regarding the flaw, calling it a “blended threat.” Microsoft isn’t supplying technical details about just how the threat works, but does provide some basics:
What causes this threat?
A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed. Safari is available as a stand-alone install or through the Apple Software Update application.
What might an attacker use this function to do?
An attacker could trick users into visiting a specially crafted Web site that could download content to a user’s machine and execute the content locally using the same permissions as the logged-on user.
Among the company’s recommendations: Don’t use Safari on Windows.
• Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.
There’s also a workaround: Change the default location for downloads in Safari to a folder other than the Desktop. To do that, click Edit, Preferences, the General icon, then click the dropdown next to “Save downloaded files to:” and choose a different folder.
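As an added example (not part of the original post, nor Dhanjani's or Microsoft's material), here is a small Python check a defender could run against a user's Desktop folder to spot the signature described above: a burst of files dropped within seconds of each other. The directory layout, the sample files and the thresholds are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path


def burst_files(directory, window_seconds=10.0, min_count=20):
    """Return the files in `directory` that were written within one
    `window_seconds` span, if that span holds at least `min_count` files.
    A normal Desktop accumulates files slowly; a "carpet bombing" drop
    writes dozens in a few seconds, so a dense window is the tell."""
    entries = sorted(
        (p.stat().st_mtime, p) for p in Path(directory).iterdir() if p.is_file()
    )
    best, start = [], 0
    # Sliding window over modification times sorted ascending.
    for end in range(len(entries)):
        while entries[end][0] - entries[start][0] > window_seconds:
            start += 1
        if end - start + 1 > len(best):
            best = entries[start:end + 1]
    return [p for _, p in best] if len(best) >= min_count else []


def make_sample_desktop(drop_count=30):
    """Constructed test fixture: a temporary 'Desktop' with two ordinary,
    hours-old files plus `drop_count` shortcuts written 100 ms apart."""
    desk = Path(tempfile.mkdtemp(prefix="desktop_"))
    now = time.time()
    for hours_ago, name in ((2, "notes.txt"), (1, "report.docx")):
        f = desk / name
        f.write_text("ordinary user file")
        os.utime(f, (now - 3600 * hours_ago, now - 3600 * hours_ago))
    for i in range(drop_count):
        f = desk / f"drop{i}.lnk"
        f.write_text("constructed shortcut placeholder")
        os.utime(f, (now + i * 0.1, now + i * 0.1))
    return desk


if __name__ == "__main__":
    sample = make_sample_desktop()
    hits = burst_files(sample)
    print(f"{len(hits)} files dropped in a burst under {sample}")
```

Pointing `burst_files` at the real `%USERPROFILE%\Desktop` path (with whatever thresholds fit the environment) turns it into a quick triage check after a suspicious browsing session.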
I suspect not a lot of Windows users are big Safari users. It’s more apt to be used by those who prefer Macs but are saddled with a Windows machine, or Web developers who want to see how their sites look and behave under Safari. However, the flaw affects both the Mac and Windows versions, and needs to be fixed. That Apple is brushing this off is surprising, given that it’s normally good about jumping on security issues.
Ryan Naraine of ZDNet’s Zero Day blog paints a convincing picture of just how bad this could be:
As Robert Hensing explains, what happens when malicious hackers figure out that the “carpet bombing” bug could be chained to another vulnerability to do some serious damage?
Think about it: A combo-attack where Dhanjani’s Safari vulnerability is used to drop a nasty executable on your desktop and another (known or unknown) vulnerability used to run it. Instant drive-by malware installation!
With this Safari flaw, the bad guys are 50% of the way to direct code execution of whatever binary they chose to run . . . all they have to do is find a way to get that dropped binary to run. Will it happen? Time will tell I suppose . . . seems rather risky to leave this vulnerability out there when it seems like it would probably be a rather easy fix.
Ironically, Microsoft gets it, and Apple doesn’t. Hey, Apple: Do the right thing, mmm-kay?
Companies who release glass browsers shouldn’t throw stones.