May 20th, 2008
Apple under pressure to fix Safari 'carpet bomb' flaw
The Google-backed StopBadware.org coalition has called on Apple to rethink its stance on whether the Safari “carpet bomb” issue reported by Nitesh Dhanjani constitutes a serious security risk.
Dhanjani originally discovered than it is possible for a booby-trapped Web site to litter the user’s Desktop (Windows) or Downloads directory (~/Downloads/ in OSX) with executables masquerading as legitimate icons.
“This can happen because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed),” Dhanjani said, warning that it could be used as a drive-by malware distribution mechanism.
[ See Nate's post for background ]
Apple has classified Dhanjani’s findings as more of an annoyance than a security risk that requires an immediate patch.
In the eyes of Apple’s security team, the user (target) would have to be complicit in an attack that causes a sufficiently high number of files to be downloaded. “It presents a risk of annoyance, at worst, [and] can be easily stopped by closing the browser.”
A source tells me that Apple will fix the issue in Safari 3.2, which is slated for release in the summer (September) this year.
However, StopBadware.org, a non-profit managed by Harvard Law School’s Berkman Center for Internet & Society and Oxford University’s Oxford Internet Institute, wants Apple to create and distribute a fix to protect end users.
StopBadware.org researcher Laureli Mallek writes:
StopBadware.org believes that users should have control over software being downloaded to their computers, and we encourage Apple to reconsider its stance and treat this as the security issue that it is.
The good news is that Apple will fix Safari’s handling of these types of issues as an enhancement for a future release. However, if we start seeing in-the-wild exploits using carpet-bombed desktop icons to trick users into installing malilcious executables, then Apple’s delay will be hard to justify.
In the meantime, Safari users — and all Web surfers — should always very careful about clicking on untrusted links that arrive via e-mail or instant messaging communications.
* Photo credit: aditza121’s Flickr photostream (Creative Commons 2.0).
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
