174 Comments
- ToadLeg, on 05/16/2008, -3/+57 It's not that they don't care about it, it's that they don't want to label it as a security vulnerability so that their statistics show fewer security vulnerabilities vs other browsers.
FTA: Someone on Apple's security team says: "Please note that we are not treating this as a security issue, but [we are going to fix the problem]"
- topace3000, on 05/16/2008, -14/+56 Yeah I'm sure Apple just dismisses obvious problems with their products offhandedly.
- roostersheep, on 01/16/2009, -7/+34 "I have been in IT over 10 years" - Oh thanks for that. I was just about to disregard your opinion as rubbish, but since you've declared yourself an expert I've decided to reconsider.
- shaffah, on 05/16/2008, -22/+42 they really don't care
- rdsmith1, on 05/16/2008, -6/+26 The ignorance is strong in this thread.
"Poor macaphiles. The bloom is off the rose and now it's down to ugly. Can't wait to hear apple scream as their precious os gets torn apart by hackers and viruses." Troll much? Seriously, this same kind of thing is said every time there's a potential security threat or even the smallest vulnerability in any Apple application or any part of OS X, and nothing ever happens. Get a grip.
As for the "Carpet Bombing" vulnerability, it's only potentially a problem with the Windows version of Safari. First of all, .exe files obviously can't execute inside OS X, so that's out. Application files (.app) are NEVER downloaded directly, and as far as I know they can't be. Any image file that could contain a .app file would need to be manually opened (unless you click the check-box in Safari that allows downloaded files to be opened automatically), and even then, whatever files are contained in the image can't be automatically executed. Whenever you open any image file that's downloaded through Safari, it tells you what kind of file you're opening, and depending on the type of installer used by the image file, you'll be prompted to enter your admin password before continuing. And on top of all that, any time that you execute a new application for the first time in Leopard, it tells you what browser was used to download it, what site it came from, and gives you the option to allow or cancel. There is no issue on the Mac side.
Granted, I don't use Safari in Windows that often, so I couldn't tell you exactly whether or not a downloaded executable would be able to just run itself automatically. However, I would imagine not since Safari stops and tells you when an executable is about to be opened. It would be nice to see Apple care a little bit more about whether the Windows versions of their software was as secure as the mac versions, that way you wouldn't have people assuming that just because it's one way in Windows, it must automatically be one way in OS X.
But hey, this is Digg, where Apple sucks just because, and nobody has to know anything or do any research before acting like they know what they're talking about.
- diggymow, on 05/16/2008, -2/+18 It should be fixed before it gets exploited. That's like saying if you could cure AIDS before no one got it you wouldn't bother because it wasn't a problem yet.
- sensor, on 05/16/2008, -10/+24 Name one modern printer that is not working on Windows.
- Neo829, on 05/16/2008, -1/+14 Wait. Your company forces you to use Safari because you chose to use it to bypass your employer's filtering?
Yeah, that makes sense. Alternately, you could just get to work.
- danjal, on 05/16/2008, -9/+20 I think what you need to realise is, Mac Users like myself included are quite vain when it comes to attacks, we don't get them because we're not the largest target of attacks.. however.. if we continue to live behind this smugness alone, we are going to get caught with our pants down and have nobody to complain to but ourselves.
- ScionX, on 05/16/2008, -5/+13 I myself don't use Apples but they are awesome from a helpdesk pov. If something doesn't work, reboot. It fixes the issue a very large majority of the time.
- chillypacman, on 05/16/2008, -4/+10 IE is doing better than its competitors security wise: http://unlockforus.blogspot.com/2008/03/internet-e ...
- potterboy, on 05/16/2008, -0/+8 Proprietary? http://webkit.org/
- hermes369, on 05/16/2008, -7/+15 I think folks should read the source of the article; I followed the link:
http://www.dhanjani.com/archives/2008/05/safari_ca ...
The original author doesn't seem concerned enough to dismiss Apple as being irresponsible or holier-than-thou. It seems the Register is flame baiting.
- rakslice, on 05/16/2008, -0/+7
> Number one: It is very easy to change the download location, even in Windows. I think the desktop is a stupid place to download files to, personally. But many Windows users aren't too bright, so they probably wouldn't find them otherwise.
Er... The desktop was the traditional default download location for Mac browsers. Defaulting to a download folder is a relatively recent change.
- starbird, on 05/16/2008, -0/+7 legendxx, I believe it is the OS, because, as an example, if I download handbrake today, but don't run it until tomorrow, and no browser is open, it still asks, and says "This file was downloaded from the internet on date and time"
- netdroid9, on 05/16/2008, -2/+9 Actually, Windows does this too, and has done since XP SP2.
- MacParrot, on 05/16/2008, -0/+7 SHHHHH! You'll confuse him. He's VERY busy destroying fascism
- SteveMax, on 05/16/2008, -0/+6 Actually, in Leopard the browsers save (or at least are supposed to save) a file's original URL in its metadata. When you first run something that has a "downloaded from" item in its metadata, Leopard shows a warning.
- slantyeyed, on 05/16/2008, -6/+12 or knowing Apple and its fanboys, maybe it's a cover up?
- gclef, on 05/16/2008, -0/+5 They've always had an agenda...that agenda is to make fun of everything, with the occasional troll thrown in for fun. You can't really take *anything* from the Reg seriously.
On the other hand, since they don't give a damn about offending people, they'll sometimes come closer to the truth than the regular news outlets.
- 007isbond1, on 05/16/2008, -2/+7 epic win... was the phrase you were looking for there =D
- bkemper, on 05/16/2008, -0/+5 "Your", not "You're". You are using it as a possessive (IT guys of you) but spelling it as a contraction of "you are".
- ikenefick, on 05/16/2008, -13/+18 Just use Firefox. It's a better browser, security is treated with priority, it's open source and has much more "useful" functionality. I'm not saying Firefox doesn't have issues - but it's a better choice.
- VinceA, on 05/16/2008, -7/+10 It does in Vista.... BTW, my printer (older DeskJet) works fine also. Of course, Vista does have its issues as do all OSes. Enough partisan squabbling.
- ethamajin, on 05/16/2008, -2/+7 did you know you can disable UAC? ...
- doshindude, on 05/16/2008, -11/+15 it's steve jobs, what do you expect? he doesn't give a ***** about. He just wants his monies from his ipod touch customers who mindlessly follow him.
- strictnein, on 05/16/2008, -0/+4 IE6 usage is at 20-30% (depending on the stats you look at) and falling fast.
- Enron, on 05/16/2008, -2/+6 Your iMac was literally torn to shreds by a hacker? What kind of cutting tool was he using?
- Rassa, on 05/16/2008, -1/+5 If you throw a laptop because of UAC nagging you, you have some other issues you should really get checked out.
- mentor972, on 05/16/2008, -2/+6 Oh, so like Microsoft's system of patches, right?
- weir, on 05/16/2008, -0/+4 Actually he's right. If you download a .app (assuming with your browser, torrent, ftp etc) when you first run it the OS asks you if you're OK with it running and lets you visit its source to ensure it's safe, the browser itself does not ask you. Mind you Vista & XP do the same for exe's, so I'm not really sure what his argument is there.
- phoomp, on 05/16/2008, -0/+4 That may not be too far from the truth. iTunes for MacOS is written to run much smoother than iTunes for Windows ... I've no doubt that Apple has done this on purpose to make Macs appear faster.
- protogenxl, on 05/16/2008, -1/+5 But once they start using Quark you might as well just move your desk into marketing.
- ieowqw, on 05/16/2008, -7/+11 I am running Safari on my low end Vista computer (1ghz) because it runs FASTER and more stable than Firefox or IE.
Care to explain where it is slow and what the bugs are?
- johnomaz, on 05/16/2008, -4/+8 Did you even read the article? It said nothing about automatically running the file it downloads. The website can tell the browser to download all the files at once. Essentially, it could put 100 files in the download directory. The user has to run it themselves, and considering how stupid the majority of the computer user populace is, it will happen.
Think of all the wonderful e-mail attachments, that after repeated times being told to never open unusual attachments, people still do. This is worse. The download folder is where everything you purposefully downloaded ends up. If you see a file there, you are probably going to run it thinking you downloaded it for a reason at one point in time.
"Seriously, this same kind of thing is said every time there's a potential security threat or even the smallest vulnerability in any Apple application or any part of OS X, and nothing ever happens. Get a grip."
Yes, because having one of the worst firewall programs ever in the release of 10.5 was a small vulnerability, right? You tell it to block all incoming/outgoing ports and what does it do, leave a handful still open, unprotected.
I forget the title of the story on Digg, but the story was of a company setting up three machines. A fully updated Vista machine, fully updated MacOS 10.5 machine and a fully updated Ubuntu Linux machine. Anyone was able to give it their shot to hack the machine, and place a file on the machine showing that it had been compromised. The Mac was hacked within 20 minutes. The Vista machine took about a day and a half. The Linux machine was still unhacked after a week. The hacker decided to stop trying though he found a handful of vulnerabilities in the Linux machine, but didn't want to waste the time developing programs to exploit them.
MacOS is far from perfect, same as Windows, same as Linux. Linux has the advantage being open source. Anyone can help to resolve any issue in the code, as Mac and Windows need to be taken care of by their respective companies.
And for the record, I use Vista.
- potterboy, on 05/16/2008, -0/+4 What about using something like SeaMonkey or Firefox nightlies that are named differently?
- rdsmith1, on 05/16/2008, -1/+5 To be fair, and I should have put this in my original post, Internet Explorer and Firefox will both prompt you to allow running an executable, as well.
This likely isn't an issue on the Windows side, anyway. So, like someone said above, this seems more like flamebait from the Register.
- FutureGuy, on 05/16/2008, -5/+8 I for one buried it as soon as I realized it was anti-Apple, it's instinct or the mind control device they shipped with the last iTunes update.
- MacParrot, on 05/16/2008, -0/+3 Sure thing. There ya go buddy!
- johnomaz, on 05/16/2008, -2/+5 Except if you read the article, it stated it can happen on both Apple and PC.
- WarezAppz, on 05/16/2008, -4/+6 I am not sure what planet you are from, or what F'd up installation of XP OR Vista you were using, but if you are using either (Completely up-to-date) anytime you have an executable (*.exe) that you try to run from the internet (RUN, not save to) you are prompted at least once if Not TWICE to confirm you want to run it.
Put the crack pipe down and back away slowly . . . . .
- moisie, on 05/16/2008, -2/+5 Which virus did it have?
- Acolyte357, on 05/16/2008, -0/+3 How is forcing your computer to download any file I want as much as I want, not a security risk?
- Hortnon, on 05/16/2008, -1/+4 So, you can't name a modern printer, then?
If there aren't drivers for a printer, is it MS's fault? No, it's the greedy companies that want to force people to buy new printers by not allowing older products to work with new OS's. It's exactly what nVidia did to 3dfx users.
- legendxx, on 05/16/2008, -0/+3 I stand corrected. Thanks to those above.
- nobelief, on 05/16/2008, -6/+8 keep spreading the FUD
- chillypacman, on 05/16/2008, -8/+11 they realized they were sucking up too much to the mac fanboy crowd?
- Arramol, on 05/16/2008, -1/+4 This is a bit like the "But Clinton!" defense in political discussion. It's still a problem whether or not something else is an equal or greater offender. Personally, I find the attitude more interesting than the exploit itself.
- bkemper, on 05/16/2008, -0/+3 Sounds like you have an unusual problem. I've never seen that in my Safari on 10.5.
- skyfex, on 05/16/2008, -0/+3 I agree with rdsmith here. The register is making this out to be a lot worse than it is. And I don't think this should be labeled as a security bug. It's a feature that happens to be dangerous on Windows. Of course Apple should have thought of that though, made it an option and disabled it by default on Windows. Or they could give a warning when downloading an executable if they don't already.
I download a lot of files every day, and I prefer not to confirm every one, as I don't make a habit of visiting malicious websites (it's easy to avoid, at least 99,99% of the time).
I should mention I use Firefox and Opera on Windows, but I prefer Safari on Mac.