back to article Apple okay with Safari 'carpet bombing' vuln for now

Next time you get nagged to install Apple's Safari browser keep this in mind: The company's security team has dismissed research that shows a simple way miscreants can use the browser to litter an end user's machine with malicious files. According to researcher Nitesh Dhanjani, Safari doesn't bother to ask for user permission …

COMMENTS

This topic is closed for new posts.
  1. Andre Thenot
    Boffin

    Only a problem on Windows Safari

    On the mac side of things, the downloaded files trigger an alert box warning the user they're about to launch/open for the first time a file downloaded from the internet and specifies the URL and date/time it was downloaded. So in other words, they rely on the Finder to do the user notification at launch time.

    In a way, this similar to Perl's tainted mode where data from the outside is accepted but flagged "untrusted".

    Since Windows Explorer doesn't do this, the warning needs to be done by any app doing the download. So the Windows Safari should probably differ from the mac version in handling this.

  2. Greg

    Not a security issue?

    Allowing websites to download whatever they like to the machine isn't a security issue? Jesus! MS might take forever to develop a patch, they might even try to blame someone else, but at least they would acknowledge the bug!

  3. ImaGnuber

    Not a Security Issue

    "We want to set your expectations that this could take quite a while, if it ever gets incorporated."

    That attitude and what it reveals about their take on security now means the same can now be said about any chance of me buying one of their products. Too bad. I was seriously considering it.

    "So, we've lit a candle in their honor."

    Careful. If we all honour the memory of this once great (or at least interesting) company we might make global warming a reality.

  4. J
    Jobs Horns

    Re: Only a problem on Windows Safari

    Either way, unacceptable. Browsers shouldn't be downloading files automatically (and putting them on non-cache places) to begin with. They should ask *before* downloading.

  5. Anonymous Coward
    Anonymous Coward

    Hmm...

    Isn't it nice when stuff just works?

  6. Anonymous Coward
    Flame

    Where's a mac fan boy when you need one!

    'nough said!

  7. Damien Jorgensen
    Jobs Horns

    RE: Andre Thenot

    Aye Safari shouldnt be "given" to Windows users.

    Apple = Plonkers

  8. Daniel B.
    Alert

    Ask before you download

    You mean, this browser downloads anything without asking? Even Firefox, that has its annoying "download all to Desktop" 'feature' by default, will ask you if you want to download. Basic rule since the advent of the web browser.

    Having first-time-run checks may be nice, but I could easily see this as a potential DoS attack: a malicious page could do an infinite loop that makes Safari download craploads of files 'till the harddisk fills up. Thanks to JavaScript, this might even happen background, and the user wouldn't realize it until its too late...

  9. Chris

    Re: Only a problem on Windows Safari

    > Since Windows Explorer doesn't do this

    It can do - as long as you've got XP SP2 (and the downloaded file is on an NTFS formatted volume) - IE will set an alternate data stream on a file downloaded from the Internet. When the file is opened, the shell warns the user. It doesn't say when and where it was downloaded from, however, but it at least does something.

    I don't know why alternative browsers in Windows don't set this simple flag on downloaded files!

  10. KenBW2
    Linux

    Ah the bliss

    Apple? Microsoft? They're as bad as each other. I'm happy to be free of such bickering since I installed Linux 6 months ago, and I've never looked back.

    Maybe we should do an experiment where we find out which of the three are most secure. Oh wait...

  11. Chris C

    re: Not a security issue?

    "MS might take forever to develop a patch, they might even try to blame someone else, but at least they would acknowledge the bug!"

    Have they ever acknowledged Vista's "Long Goodbye" bug (the one where simply copying, moving, or deleting a file sometimes takes forever)?

    But more on-topic, I do agree with you about Apple. For them to not consider this a security vulnerability is ludicrous. Being able to download any file onto the user's system (even if it is only in the default download directory) is a huge security vulnerability. This isn't the 70s or 80s anymore. Content on the internet cannot be trusted by default.

  12. Joe
    Alert

    Re: Only a problem on Windows Safari

    Actually, I think that warning only applies to certain types of files (executables, plus PHP scrips and others), not all files. So the problem does exist on Safari for Mac.

    Surely a simple dialogue box saying "Download this file? Cancel/Continue" wouldn't be hard to do?

    Final point - I'm sure Safari for Mac defaults to downloading to the Desktop, too (there is no default Downloads folder that I'm aware of!)

  13. David Webb
    Gates Halo

    Re: Re: Only a problem on Windows Safari

    When IE downloads a file from the internet it becomes marked as "potentially unsafe", even files from trusted sources (like microsoft.com) will be marked as such, any attempt to open said file will result in a "make sure you trust the source, are you sure you want to run this file?".

    If you really trust it you can unlock the file in Properties.

    Safari is terrible. We <3 Microsoft /coff

  14. kain preacher

    Not a security issue

    Translation that's what you get for having a PC , now get mac.

    Or how about this hey its not hurting macs so no problem.

    Hmm lets create some thing to break all PC's :)

  15. Anonymous Coward
    Stop

    Simple

    Avoid Apple products on your Windows box. Bloated crap.

  16. Steven Raith
    Stop

    Holy shit

    "Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads," someone from Apple's security team told Dhanjani. "We want to set your expectations that this could take quite a while, if it ever gets incorporated."

    I have no idea what this person has been smoking, but if it can make me that laid back about a pretty fundamental security risk [to the average user who isn't interested in the gubbins - arguably Apples main user base] then I'll have some of that for work, so that I don't have to give two hoots about my AV, firewall and general systems security solutions.

    I've said on here before that I'm not a particular OS fanboy of any ilk, but that really does just smack of utter idiocy.

    Steven "isn't a security consultant but knows a major vuln when he sees one" Raith

  17. Michael

    Yes Virginia there IS a Downloads folder

    Joe,

    I know you are "sure Safari for Mac defaults to downloading to the Desktop, too (there is no default Downloads folder that I'm aware of!)" but you might want to double check that.

    There is in fact a Downloads folder, it's in the current users home directory and is the default directory for Safari downloads. This was added in Mac OS X 10.5 (Leopard).

  18. heystoopid
    Coat

    So funny

    So funny !

    So will this put a final end from the one in twenty minority company of those very stupid and illogical Mac versus PC crummy adds we see ?

    I'll put on my mini dragon flame proof coat !

  19. Ivan Headache

    @Yes Virginia there IS a Downloads folder

    Safari also always opens a window and tells you that it's downloading something, what it is and gives you a cancel button. If the file is an application of some sort, the OS warns you that you are opening file that has been downloaded, asks you if you want to see the source of the file and do you feel safe opening it. You can say yes or no in the appropriate places. This happens regardless of where the file has been put. Therefore, on the Mac at least, as the Apple spokesman says... what are you worrying about.

    I think it would be blatantly obvious to a Mac user that "carpet bombing" was taking place as the download window would constantly keep popping up over the browser page. Now when was the last time I saw that happening?, When was the last time I saw my download folder full of funny files I hadn't asked for? No, can't remember

    It seems so many are so quick to rubbish Macs when someone says something MIGHT happen. If all these thing happened do you really think people would still be buying Macs? (and in ever increasing numbers). And the recent competition where the MacBook Air was famously "owned" - it was only owned because the operator let it be. If he hadn't clicked on whatever it was, the machine would still be on the stand.

    When (or if) it actually happens, and someone gets a virus or trojan into my mac without me knowing I will be the first to raise my hand and say "OK, you got me". But it's 15 years now and counting.

  20. Will
    Coat

    New Mac Commercial

    Picture this:

    Mac: Hey, PC, what's wrong? Why are you so big and slow?

    PC: I've loaded safari and a major security bug has allowed a bad website to crash me....

    Mac:.....

    Mine is the one with the apple sauce stain.....

  21. ImaGnuber

    Well, yeah.

    "If all these thing happened do you really think people would still be buying Macs? "

    Try substituting the word 'Microsoft' for the word Mac and I think the weakness of your point becomes obvious. Years of publicity about vulnerabilities hasn't had much effect on the attitude of the average user wrt m'soft products so why would you think the average Mac user would give a hoot - or, as with Windows, even notice? Do you really think you're all that special?

  22. ImaGnuber

    Intended for

    I hope it was obvious that my last comment was to Ivan Headache.

  23. Henry Wertz Gold badge

    @"Where's a mac fan boy when you need one! "

    @"Where's a mac fan boy when you need one! "

    Right there ---^ saying "Oh I haven't personally seen this attack so it's no problem" and saying it's just a slam on Macs, even though it's not even a platform-specific bug.

    Ivan, at the pwn2own contest, the machine wasn't pwned because the owner "let" it be.. the machine was pwned simply by the user clicking on a web link.

  24. Michael Greenhill
    Stop

    @ Ivan Headache

    "And the recent competition where the MacBook Air was famously "owned" - it was only owned because the operator let it be. If he hadn't clicked on whatever it was, the machine would still be on the stand"

    So you operate under the assumption that PC/Mac users _know_ what they're doing? The overwhelming majority of computer users don't know squat the implications of clicking "Yes" to an unknown dialogue box.

    So, to be fair the MacBook was won fairly, as in the real-world someone somewhere would've allowed that action to happen - ergo, security issue.

    But that's beside the point, though. Safari looks like bollocks, especially on Windows, and does exactly the same things as the other leading browsers, but without the fugly-ness. Hell, I own several Macs and I don't even use it.

  25. Jim

    Safari is a steaming pile...

    Seriously, when are they going to change the default option that automatically opens 'safe' (ie. all) files after download? That is another glaring security issue waiting to be fixed.

    That is of course ignoring the fact that Safari seems the least capable when it comes to rendering pages. If Firefox and Opera are having problems then I may give Safari a chance but that is about all it gets used for on my machine.

    I guess the only saving grace is that it isn't heavily tied in to the OS (yet...)

  26. Rick Damiani

    Safari sucks on the Mac, too

    "You mean, this browser downloads anything without asking?"

    It downloads everything without asking. Makes it very annoying to use, which is why I've got Firefox on my iMac.

  27. Anonymous Coward
    Alert

    Apple s/w on a PC

    Stay well away....

  28. Anonymous Coward
    Coat

    Safari stands for...

    So... the browser is named as "Safari" because it is about hunting big, dangerous applications in the wilderness of the Internets?

    Mine's zebra-striped, thank you!

  29. Anonymous Coward
    Anonymous Coward

    booby trapped my computer?

    Hang on, doesn't windows execute autorun.inf and things in desktop.ini when a folder is loaded?

    Why booby trap an icon? Why bother, microsoft give you tonnes of ways of fucking with people.

  30. Anonymous Coward
    Jobs Horns

    Apple

    Of course it's not a security issue. If they admited it was, they they would have to admit that Macs aren't as secure as the fanbouys like to make out, therefore losing one of the main reasons people buy them.

    But then again, do we expect any less from Jobs?

  31. Steve Roper
    Jobs Halo

    Where's Webster?

    He would have an absolute field day with this; I hope he sees it so we can be entertained by the next episode of his epic rantings!

    I have Safari on our test PC at work, along with every other major browser, for dev-checking our websites on. I don't think much of its user interface, but its rendering engine is nice; it renders text more smoothly and cleanly even than FF and Opera.

    But built-in facilities for drive-by downloads AND Apple have openly stated they don't give a toss *AND* they push it on people with QT/iTunes upgrades? Jeeze, and I thought Microsoft was bad...

    The Jobs halo because everything means the opposite of what it says these days!

  32. Kieron McCann
    Linux

    I'm so smug

    Ah yes, I'm all smug and laughing because I installed Linux 6 months ago. It's brilliantly secure and now my PC makes an attractive piece of living room furniture, mainly because I can't get any decently entertaining software that ordinary home users want to use. That's okay though, because I prefer to keep the curtains drawn, smoke reefer and never bathe.

  33. Anonymous Coward
    Paris Hilton

    Potential for abuse?

    Does this mean "dodgy" websites could download pictures (such as ones that the government is currently passing vague laws about) to your machine without your knowledge and then it automatically send an email with your IP&date/time to the police? Entrapment? Could be used for blackmail? It is extreme and quite probably OTT I will grant but as it is possible it is a concern.

    Obviously you have to go to the website yourself, but there are ways to mask dodgy URLs. I guess the difference is that if the picture goes into your cache you have some plausible explanation I suspect (ads, etc, isn't the source URL stored? Can't remember) however when it is actually a file on your desktop? Much harder to explain when the Police come knocking.

    Paris... because she doesn't allow people to automatically download her.

  34. Anonymous Coward
    Anonymous Coward

    Re: Anonymouse Coward

    No, Windows does not autorun the autorun.ini files on folders, only on the root of drivers. And in Windows Vista, it does not run it automatically - it prompts the user for what they want to do.

  35. Not That Andrew
    Joke

    @ Kieron

    >That's okay though, because I prefer to keep the curtains drawn,

    >smoke reefer and never bathe.

    I'll have you know I draw the curtains! Occasionally.

  36. Paul

    This would not bug me...

    except for the fact that iTunes keeps bugging me to download Safari...

    The first time it was ok. I said no, and it went away, now it is realy anoying. On day I will be playing a game after a few beers, click any button just to get rid of the box, and it will download, and I will have this vuln on my PC.

  37. Steven
    Thumb Down

    Ha Ha

    OK so Apple sneak a program onto thousands of PC's which allows limitless nasty programs to be downloaded to your machine. Isn't that the definition of a Trojan? But don't worry, the nice people at Apple say that this isn't a security issue...

  38. Ken Hagan Gold badge

    Re: "They should ask *before* downloading."

    ...if only because it costs money.

  39. Tobias Liebhart
    Stop

    Safari is no good

    CAMINO RULES!!!! Best browser experience on Mac!

    BTW All you bashers -> Cant we make a OS-Battlegrounds website where you stupid OS haters can split and crush each others head???

  40. David Webb
    Black Helicopters

    Obvious!

    Having thought long and hard about this for at least 5 seconds (which 5 seconds thinking about an Apple product is 4.9999 seconds too long) I've figured out the reason behind it all!

    Apple downloads their rubbish browser onto Windows computers, disguising it as a "crucial must download else you'll die" update. Lots of Windows users who only use the internet to download porn and email aunty Maude in Zimbabwe unwittingly download the browser because they know "update = must do" because its been drilled into them "KEEP ALL YOUR SOFTWARE UPDATED TO AVOID TROUBLE!!!!!".

    Safari takes over and unwitting user know has a major security issue with their computer, it gets taken over by trojans, malware, spyware etc. Who do they blame? Safari? No, Microsoft, they blame MS for the problem caused by Apple. Fed up with the "insecure Microsoft OS" they go to PC World and say "I'm fed up now, what else can I use other than a PC to download porn?" Helpful PC World drone says "A Mac?".

    Mac sales go up because Apple have poisoned Windows by putting their own timebomb on it. Its a conspiracy!

  41. Anonymous Coward
    Anonymous Coward

    Does anyone actually use Safari?

    As a Mac owner does anyone actually use Safari ? I opted for a Mac at home after getting frustrated with Vista - but could see after 30 seconds use Safari was a PoS. I promptly directed it to Mozilla and downloaded Firefox, and I've not used Safari since.

    The "pimping" of Safari bundled with iTunes was out-of-order, but all too similar to Microsoft "enforcing" MSIE on every Windows PC in the land. Neither Safari or MSIE are "fit for purpose" in my opinion.

    Just because Safari is an Apple product does not mean all Apple users=idiots. The thing is Unix based at the core, with a flashy front end. Most Apple user's I've spoken to use the same open source apps as Linux users!

  42. Dave

    @MS haters

    I constantly see people bashing MS for having IE installed by default, even though you can download Firefox day 1 and never have to use IE again.

    I have one question for you, what the hell do expect users who have bought a windows pc to use to get onto the internet? Calculator? MS should install FF/Opera/Safari but not their own browser on new Windows PC's?

    Safari by default is much much worse IMO

    Imagine it in other walks of life, "Yes, sir......here are the keys to your shiny new Jaguar ...... though we have to let you know that some Tard complained to the EU regarding monopoly and we had to put a Perodua engine in it"

    Yes IE was a POS but at least they have started listening and improving the bloody thing. Who knows what IE8 will be like but I will be willing to give it a go just to see. MS install a suite of basic apps to get you going on your shiny new box, just like Apple do, just like all the different flavours of Linux do.

    Next you will be demanding that MS shouldnt be pimping their file system and Kernel on windows users.

  43. Anonymous Coward
    Anonymous Coward

    @By Horness

    Does anyone actually use Safari?

    Yes because I get complaints from mac fan boys at work that our customer portal does not work right with safari. It works in IE ,FF and opera .I tell em it wont work in safari and they have a fit

  44. Walter Brown
    Gates Halo

    This is great

    Apple pushes a product on to windows boxes, a product windows users obviously didnt want or they would have installed it themselves, using unscrupulous tactics, this product contains a serious bug that would allow any webmaster, hacker or spyware / adware pimp to download any files they wanted to the computer, and Apple says we're not concerned about this, its not a problem for us.

    come on Microsoft, we need a counter commercial to Apples "i'm a mac, i'm a pc" tv ads, showing how Apple infects windows computers. getting the same actors to play the roles would be even better!

  45. crayon
    Paris Hilton

    @Ask before you download

    "Even Firefox, that has its annoying "download all to Desktop" 'feature' by default, "

    Probably to make life easier for dumb lusers, or the people who have to provide support to them.

    I provide tech support over the phone to family & friends and often I have to tell to download this and install that. Before they download I specifically tell them to remember WHERE they are saving the file - 9 times out of 10 right after the download they say they can't find the flipping file.

This topic is closed for new posts.

Other stories you might like