
June 19th, 2008

About-face: Apple patches Safari 'carpet bombing' bug

Posted by Ryan Naraine @ 2:23 pm

Categories: Apple, Arbitrary Code Execution, Browsers, Complex Attacks, Exploit code, Patch Watch, Responsible disclosure, Vulnerability research, Windows Vista

Tags: Ryan Naraine

In what amounts to a major about-face, Apple has patched the Safari “carpet bombing” vulnerability that led to a Safari-to-Internet Explorer remote code execution combo threat.

After insisting for weeks that the issue is more of an irritant than a security risk, Apple today released Safari v3.1.2 for Windows with a patch warning that saving untrusted files to the Windows desktop may lead to the “execution of arbitrary code.”

[ SEE: Apple under pressure to fix Safari flaw ]

From Apple’s advisory:

An issue exists in how the Windows desktop handles executables. Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code. Web browsers are a means by which files may be saved to the desktop. To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user’s Downloads folder on Windows Vista, and to the user’s Documents folder on Windows XP. This issue does not exist on systems running Mac OS X.

The bulletin cites Microsoft’s security advisory on the combo-threat discovered by researcher Aviv Raff.

Safari v3.1.2 for Windows, available for Windows XP and Vista, also fixes at least three additional vulnerabilities that could lead to information disclosure and code execution attacks.

One of the other three bugs also describes a combo threat that goes the other way – Internet Explorer to Safari:

Visiting a malicious website which is in a trusted Internet Explorer zone may lead to the automatic execution of arbitrary code
Description:  If a website is in an Internet Explorer 7 zone with the “Launching applications and unsafe files” setting set to “Enable”, or if a website is in the Internet Explorer 6 “Local intranet” or “Trusted sites” zone, Safari will automatically launch executable files that are downloaded from the site. This update addresses the issue by not automatically launching downloaded executable files, and by prompting the user before downloading a file if the “always prompt” setting is enabled.

The IE-to-Safari threat was reported by Will Dormann of CERT/CC.
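A defender can check which Internet Explorer zones on a machine meet the IE 7 condition in that description. The script below is an added example, not code from Apple's advisory or this article; it relies on the documented mapping of the “Launching applications and unsafe files” setting to URL action `1806` in the zone registry keys, and the function name `Get-UnsafeLaunchSetting` is hypothetical. It does not cover the IE 6 case, where membership in the “Local intranet” or “Trusted sites” zone is itself the condition.

```powershell
# Added example: report the "Launching applications and unsafe files" setting
# (URL action 1806) for each Internet Explorer security zone.
# 1806 values: 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}
$settings = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Per-user and per-machine zone keys, plus their Group Policy counterparts.
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$roots = foreach ($hive in 'HKCU:', 'HKLM:') {
    "$hive\Software\$suffix"
    "$hive\Software\Policies\$suffix"
}

function Get-UnsafeLaunchSetting {
    foreach ($root in $roots) {
        foreach ($zone in 0..4) {
            $key = Join-Path $root $zone
            if (-not (Test-Path $key)) { continue }

            # The value is absent when the zone inherits its template default.
            $props = Get-ItemProperty -Path $key -Name '1806' -ErrorAction SilentlyContinue
            if ($null -eq $props) { continue }
            $value = [int]$props.'1806'

            $label = $settings[$value]
            if ($null -eq $label) { $label = "Unknown ($value)" }

            [pscustomobject]@{
                Key     = $key
                Zone    = $zoneNames[$zone]
                Setting = $label
                # "Enable" is the state the advisory names as the precondition.
                Flagged = ($value -eq 0)
            }
        }
    }
}

Get-UnsafeLaunchSetting | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

Rows with `Flagged` set to `True` are zones where downloaded executables launch without a prompt; setting the value to Prompt or Disable removes that precondition regardless of which browser is installed.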

[ SEE: Why Apple must fix Safari ‘carpet bombing’ flaw immediately ]

The browser refresh also plugs a memory corruption issue in WebKit’s handling of JavaScript arrays. “Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution,” Apple warned.

The fourth vulnerability is an out-of-bounds memory read that may occur in the handling of BMP and GIF images.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



Most recent of 34 Talkback(s):

I'm not cherry picking the facts
I'm asking where the bug for IE 7 has been reported. I haven't seen any other advisory indicating that other applications are having a problem with executing files without user consent. Second, what...
Posted by: alaniane@... Posted on: 06/23/08