May 29th, 2008

Why Apple must fix Safari 'carpet bombing' flaw immediately

Posted by Ryan Naraine @ 12:41 pm

Categories: Apple, Arbitrary Code Execution, Browsers, Data theft, Exploit code, Hackers, Patch Watch, Punditocracy, Responsible disclosure, Spyware and Adware, Viruses and Worms, Vulnerability research

Tags: Apple Safari, Vulnerability, Apple Inc., Flaw, Desktops, Security, Hardware, Ryan Naraine

Apple makes a big deal — and lots of funny commercials — around the security profile of its products.  On the Safari download site,  the boast is that users get “worry-free Web browsing on any computer” because, in Cupertino’s words, “Apple engineers designed Safari to be secure from day one.”

The company has done a nice job of adding exploit prevention mechanisms (ALSR and NX on Vista) to some of its Internet-facing products but when it comes to responding to legitimate security threats, Apple is light years away from living up to the messages in those commercials.

The Safari “carpet bombing” vulnerability is one current example of Apple really missing the boat about a serious issue affecting its customers.

Some quick background: Researcher Nitesh Dhanjani responsibly reports to Apple than it is possible for a malicious Web site to litter the user’s Desktop (Windows) or Downloads directory (~/Downloads/ in OSX) with executables masquerading as legitimate icons.

[ SEE: Apple under pressure to fix Safari ‘carpet bomb’ flaw ]

This happens because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed).

Imagine using Safari on Windows to browse to a booby-trapped Web site and this happens to your desktop:

Now, think through the ramifications.  Dan Kaminsky, via Twitter, puts it best:

Standard user rights are required to write to desktop. You know what else standard user gets to do? RUN CODE.

And another tweet from a clearly frustrated Kaminsky:

Adobe wouldn’t call arbitrary desktop write not a problem. Sun wouldn’t. HP wouldn’t. Mozilla wouldn’t. Apple is not special.

Arbitrary desktop write is a serious security vulnerability. It’s not a mere irritant, as Apple contends.  This is a security flaw that needs to be fixed immediately instead of an enhancement request to come in a future upgrade.

As Robert Hensing explains, what happens when malicious hackers figure out that the “carpet bombing” bug could be chained to another vulnerability to do some serious damage?

Think about it:  A combo-attack where Dhanjani’s Safari vulnerability is used to drop a nasty executable on your desktop and another (known or unknown) vulnerability used to run it.   Instant drive-by malware installation!

With this Safari flaw, the bad guys are 50% of the way to direct code execution of whatever binary they chose to run . . . all they have to do is find a way to get that dropped binary to run.  Will it happen?  Time will tell I suppose . . . seems rather risky to leave this vulnerability out there when it seems like it would probably be a rather easy fix.

Secure from day one?  Impossible.  Now, Apple, do something about it.

Meanwhile, if you use Safari on Windows, I have one piece of advice:  Don’t.