Microsoft urges Windows users to shun 'carpet bombing' Safari

Microsoft's security team is advising users to stop using Apple's Safari browser pending investigation into a quirk that allows miscreants to litter their desktop with hundreds of executable files. Windows users who visit a booby-trapped site with Safari could be forced to download and execute malicious files with no prompting …

COMMENTS

This topic is closed for new posts.


  1. Anonymous Coward
    Thumb Down

    FUD

    ... it's got to be!

    Everyone knows Apple doesn't produce buggy software with security holes. Praise the mighty Jobs and his Mactards.

    Big inaccuracy in the software: Safari is far from mainstream in its use, but it was snuck onto millions of computers by deceptive stealth! Most people still believe Safari is a trip to Africa where you see lions and tigers and elephants.

  2. Chris C

    Typical Microsoft -- security advisory with no details

    I'm in the uncomfortable position of agreeing with Microsoft on this issue. If a browser (any browser) allows a website to randomly download files without the user's explicit permission, regardless of the location, it is a security issue in my opinion. Having said that, I take issue with Microsoft's security advisory. The only thing they say is:

    "What causes this threat?

    A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed."

    OK, but how about telling us the how or why? Since it is a direct contributor which causes the blended threat, I don't think it's asking too much to want to know exactly "how the Windows desktop handles executables" and how that contributes to the threat.

  3. Player_16
    Flame

    Not entirely... if at all!

    "And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

    After downloading, it asks YOU if you want to open or load it. Being a Mac user, I'll safely ignore it - meaning read the little pop-up and reject it.

  4. Anonymous Coward
    Thumb Down

    Apple, GNU/Linux? No? Blame M$.

    It's funny how the same browser does not have the same problems on OSX and the more complete Konqueror does not do the same on GNU/Linux systems. Same code, different OS, where could the problem be?! Thanks for the FUD, M$, but security is not your strong point. The more of these problems they point out, the faster users will run for the exits.

  5. Anonymous Coward
    Anonymous Coward

    So where were Microsoft all this time...

    When their own products were found to have exploits using flaws of Biblical proportions? No one saw them saying, "Use Java" or anything when ActiveX and IE screwed up.

  6. Tony Paulazzo
    Jobs Horns

    Kill the iTards... (only joking)

    That's right AC, blame M$. So what you're saying is that Steve Jobs put this in on purpose, so that more people would migrate from Windows to Macs? Sorry, not going to happen.

    I love Bill Gates, being an IT guy he's given me a nice standard of living - not sure I'd get the same from Macs.

    Blatantly anti i...anything.

  7. Michael
    Joke

    @FUD

    "A TIGER??.... in Africa, sir? "....

    I'd say you were pulling my leg, only someone seems to have made off with it.

  8. Adam Azarchs
    Stop

    Re: Apple, GNU/Linux? No? Blame M$.

    Read the article. This exploit works on Safari OSX as well.

    Granted, on OSX any executable downloaded this way will be marked with an attribute which will warn you before letting you execute it... but Windows supports such a flag too. Safari just doesn't set it in Windows. No, this is Apple's fault.

    Safari is the least secure browser in common usage in the world (see: Pwn2Own competition). Apple clearly doesn't take security seriously, what with outright ignoring threats like this, and suing other security researchers. Granted MS and others used to do that too, a long time ago, but they, and most observers, learned from the mistakes of that era.

  9. vincent himpe

    Crap(ple)

    another gold plated turd ...

  10. kain preacher

    @Anonymous Coward

    "It's funny how the same browser does not have the same problems on OSX and the more complete Konqueror does not do the same on GNU/Linux systems. Same code, different OS, where could the problem be?! Thanks for the FUD, M$, but security is not your strong point. The more of these problems they point out, the faster users will run for the exits."

    Really? Then how come IE and Firefox ask??

  11. Anonymous Coward
    Jobs Halo

    It's rare, but I'll take heed to what Mikroshaft says.

    I guess it's time for a tar&feathers facial job* to be applied to mr.jobsie-jobs.

    It should prevent him from filling the world with cute, wiggly, big-and-watery-eyes crapware.

    * think of it like some sort of martha-stewart-job applied to the king of metrosexuals.

  12. Robert
    Thumb Down

    Bad little borg

    I guess they had to recommend not using Safari since the only alternative was to recommend not using Windows, which, of course, would be the better choice. Actually, grats to Apple for exposing yet another Windows security hole.

  13. tempemeaty
    Alert

    To FUD or not to FUD...

    If an independent source proves this vulnerability is the case then we need to take notice. As much as I dislike M$ not everything is FUD. Trouble now is that we've had to deal with so much &#%$ FUD that the situation is primed for a disaster if this one just happens to be for real. Better to be safe than sorry.

  14. Nic
    Thumb Up

    @AC and others

    MS is doing the right thing (although I wouldn't doubt with a small degree of pleasure in this instance).

    AC I don't agree that it's MS's fault because the vuln isn't present on other platforms. It's for the application developers to ensure compatibility and security for their app and how it interacts with the OS and clearly here they missed the mark.

  15. FathomsDown
    Paris Hilton

    @AC RE: Blame M$

    "And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

    It's odd, but my browser is showing that bit of text at the end of the story. I'm running IE, so it would seem that your non-MS browser is either not able to display it or you're too busy frothing at the mouth to read the whole article!

  16. anarchic-teapot

    @Player_16

    It downloads something onto your computer whether you want it or not, but asks your permission before opening the file? So that's all right then.

    (Yes I have used Macs. No; I wouldn't use Safari on a Mac either. I have this strange unexplainable distrust of any web browser knitted into the operating system)

  17. Anonymous Coward
    Alert

    Er...

    "It's funny how the same browser does not have the same problems on OSX"

    Did you actually read the article? Specifically, this bit;

    "And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

  18. Anonymous Coward
    Anonymous Coward

    RE: Apple, GNU/Linux? No? Blame M$.

    "And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

  19. Ben
    Jobs Horns

    Amazing

    Blame Microsoft for a problem with Apple??! How is it a Microsoft problem?

    Apple wrote Safari no matter which OS it is on. Apple set it to automatically download. Apple apparently can't be bothered to fix the security hole.

    I'm not a big fan of Microsoft, but I really can't see how they can be blamed (this time).

  20. Derek Hellam

    Safari RE Fud

    This is just so funny, Microsoft a wee bit worried? BTW, the only tigers you find in Africa would be in zoos. Tigers come from the Asian areas, you know, India, Russia, over that corner of the globe?

  21. kosmos
    Thumb Up

    Blame Apple

    It's funny how the same browser does not have the same problems on OSX.

    Actually it does.

  22. Anonymous Coward
    Coat

    @AC

    "Most people still believe Safari is a trip to Africa where you see lions and tigers and elephants."

    People will be sorely disappointed if they expect to see tigers on an African safari...

    Mine's the leopard-skin one with the Thomson's gazelle in the pocket.

  23. Svein Skogen
    Jobs Horns

    This wouldn't have been so bad

    This wouldn't have been so bad, had most of the users that have Safari installed on their Windows machines actually CHOSEN to install it, instead of it being stealth-installed (same way iTunes gets installed if you are stupid enough to install QT!)

    In this case Apple should be rightfully flamed.

    //Svein

  24. Leo Davidson

    Re: Apple, GNU/Linux? No? Blame M$.

    Anonymous Moron, more like.

    How is it anyone's fault but Apple's if their web browser allows exe files (or any files for that matter) to be downloaded to the local disk without so much as a prompt? Allowing a site to drop one exe file on to a machine is a mistake since people may later think it's something else and run it. It also lets sites do this as many times as they want (the "carpet bombing" described in the article) which would certainly create a nuisance. I don't see how on earth you can blame Microsoft for that.

    What are Microsoft supposed to do, add extra prompts at the OS level whenever programs written by Apple's awful Windows software team attempt to write to the filesystem? (Actually, that might be a good idea. I just discovered that iTunes left every 50MB iPod firmware update I've ever downloaded in my *roaming* profile. Apple should be banned from writing Windows software at this point, with their track record, and I haven't even begun to describe the problems with Quicktime and iTunes.)

    And did you not read the last paragraph of the article which says the issue affects OS X as well? "Dhanjani says the carpet bombing scenario can play out on OS X, too."

    Finally, please, for the funking love of god, stop it with the overused and unoriginal "M$" cliche. It's soooo original. It makes you look sooooo clever and cool.

  25. daniel
    Flame

    @AC / Apple, GNU/Linux? No? Blame M$

    Ohh, a troll who did not read the last few lines before posting "Crimosoft Bad, OSX Good", unless he committed an ID 10 T error.

    "And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

  26. Anonymous Coward
    Gates Horns

    Mr Pot, Mr Kettle...

    ... meet the real Mr Black.

  27. Steven Hewittt
    Jobs Horns

    Is this a surprise..?

    Since when have Apple EVER written software for Windows that goes along with documented best practice? Have you seen the Bonjour service? The one Apple call "##Id_String2.6844F930_1628_4223_B5CC_5BB94B879762##" and you don't even know it's installed, with no description or uninstaller? What about the iTunes interface? Not the useful bit, but the disregard to use the currently set Windows theme.

    The fact that Safari doesn't use security measures that Windows provides to secure a desktop should come as no surprise when referring to Apple "developers".

  28. Anonymous Coward
    Alert

    Safari

    Safari had a problem like this on the Mac too.

    If the file extension was one of the ones Safari would normally download without asking, the file would be downloaded even if the file type specified in the file (this is separate from the extension on OSX) meant it was executable. When Safari then tried to open the file, the OS would do what the type was, not the extension. This meant a file with a .mov extension could actually be an executable.

    That took some time to be fixed too if I recall.

    I agree with MS here. No browser should ever download anything without my permission - if I want it I will ask for it, otherwise I don't want it.

  29. This post has been deleted by its author

  30. This post has been deleted by its author

  31. David
    Linux

    Of course OSX users can ignore it!

    Firstly, OSX doesn't tend to run the often malware infested .exe files. So having one or 1,000,000,000 of them on your desktop isn't an issue. Even if such a file could be run on the poor thing, it's not likely to be able to do much damage.

    Secondly.. Have you ever seen an OSX user's desktop? They seem to stick every single file they come across on the desktop! Literally thousands upon thousands of files. All their music, all their apps and associated files, all their videos, all their pictures, all their porn, all their documents. Not in individual folders, no. All of it on the desktop!

    Every single Mac desktop I've seen has been like this.

    So it wouldn't matter if they get hit by this bug, because they won't have a hope of noticing a few extra thousand files on their desktops!

    So yes, Mac users are perfectly safe from this threat.

  32. Anonymous Coward
    Anonymous Coward

    Huh?

    Someone uses Safari on Windows? I thought it was only idiots and people who didn't know better than to untick it when downloading Quicktime or iTunes?

    Surprise surprise some more crap from Apple, rotten to the core.

  33. Steven Knox
    Boffin

    Standards Compliance

    Derek -- You clearly have not had the required minimum exposure to Monty Python. Please refrain from visiting tech sites until you have spent at least 96 hours (preferably in a row) absorbing their work. Their treatise on tigers in Africa is an absolute necessity in the modern world of IT. You may also find the BBC's seminal 4-volume treatise on the history of the Black Adder and the collected works of Douglas Adams greatly enrich your experience of the Register and sites like it.

  34. KenBW2
    Linux

    M$? Nah, Apple are worse

    I hate the way Apple is all lauded and they couldn't possibly do anything wrong. Apple's business practices are even worse than MS's

    "I have a certain distrust of a browser that's knitted into the OS"

    Well, the icon says it all :)

  35. Peter da Silva
    Thumb Down

    Microsoft needs to get their own house in order

    It's a minor issue compared to a number of others that ALL browsers on Windows have. If Microsoft is serious about security then they need to:

    1. Immediately transition away from ActiveX, with as short a timeframe as possible.

    2. Replace ShellExecute() with something similar to UNIX's exec(). They already HAVE the code, in the POSIX subsystem.

    3. Eliminate "security zones" as a security model - there must be no circumstance in which the location of an object named in a web page automatically grants it privileges.

    4. Provide an alternate API for browsers to use to find and run helper applications that is not based on the desktop helper application bindings.

    All four of these are far bigger problems than having files downloaded without a prompt. Not only do they all provide paths to direct execution of untrusted code without user interaction, but they have all BEEN used for that purpose hundreds of times over the past decade.

    I am not sure it's possible to implement a really secure browser on Windows without completely bypassing all of Microsoft's recommended APIs.

  36. Anonymous Coward
    Anonymous Coward

    yet more evidence ..

    Yet more evidence of Microsoft's click and install INNOVA~1 .. :)

  37. Anonymous Coward
    Anonymous Coward

    Dhanjani says ..

    "Dhanjani says the carpet bombing scenario can play out on OS X, too"

    OK, what executables can run from the user's Desktop and permanently alter system files?

  38. Rune Moberg
    Thumb Down

    Mac users

    "After downloading, it ask YOU if you want to open or load it. Being a Mac user, I'll safely ignore it - meaning read the little pop-up and reject it."

    The only problem is, that most people aren't that clever. If your browser asks those questions for every file downloaded (remember the "carpet bombing" reference in the article?), then eventually, less experienced users will be coaxed into clicking "yes, I want to execute this file!" in a desperate attempt of making the question go away.

  39. Matthew Sinclair
    Thumb Down

    LOL

    Wait a second..... don't you mean IE7?

    Because that describes it perfectly.

    Morons...

  40. Ruairi Newman
    Flame

    Pissing contest

    It's a little pointless to criticise Microsoft for releasing a security advisory when they are correct. That they wouldn't release a security advisory detailing the bugs in various other commercial products that run on Windows, a well-known PDF-reader for example, just shows that they're taking the opportunity to get a dig in at a rival too, something Steve Jobs can't really complain about as he's done it himself countless times.

    It would be nice btw, to see just one Apple-related post where all people who can't afford a Mac didn't take the opportunity to vent their bitterness over the fact. I am a long-standing (14-years) Linux user, and a more recent Mac user (2 years), but I don't see the need to flame Windows users every chance I get.

    Flame because I'm sure I will be.

  41. RW
    IT Angle

    Kettle, Pot, Black: yes

    Sounds to me like both MS and Apple are guilty of a design philosophy that has tiresomely demonstrated, over and over, its capacity to fubar almost any machine. To wit, doing the user favors he didn't ask for. We might call this the "oh you poor dear, here, let me give you a hand" philosophy. An everyday example is the Boy Scout who forcibly drags an old lady across the street when all she was doing was checking out the shirtless dudes on the construction site there.

    Specific admonishments:

    Don't auto-download anything unless the browser is going to render it.

    Don't execute anything without the user explicitly asking for execution.

    Don't install software on the sly. [This one is mere sneakiness, not a bumptious attempt to make your machine "user friendly."]

    Don't design your systems for the clueless. The clueless are cluelesser than you can possibly imagine, so the only viable strategy is to assume a reasonable level of intelligence. [See footnote]

    Don't, ever, *guess* anything. When you guess, no matter how clever you are, you *will* guess wrong a considerable amount of the time.

    Don't, ever, try to guess what the user meant when he input wrong data. If it's wrong, it's wrong, just beep and say "error", and if Joe & Josephine Drooler-Sixpack don't understand, well, tough. As regards the internet in particular, it wasn't designed for idiots, it's not idiot proof, and don't try to fake idiot-proofness.

    I leave it as a class exercise to determine which company, Apple or MS, is more often guilty of this class of design error.

    I remember the good old days of Windows 3.1, that (iirc) didn't do you any favors at all. Ubuntu Linux also seems to be free of this mistaken idea.

    IT? icon because it's simply good manners to refrain from imposing unasked-for favors on others, not just an IT issue. They don't appreciate it, and doing so implies you think you know someone else's business (or how they want to lead their life) better than they do—an extremely patronizing attitude. Miss Manners (tm) will back me up on this.

    Footnote: since half the population has an IQ 100 or below, by definition, where does that leave us?

  42. Anonymous Coward
    Happy

    Ha ha, look at the Stupid and Angry Microtards.

    There must be a dozen people all shouting "Safari on OSX downloads files too" but I've never heard an OSX user complain about it. What's really funny though is that M$ is admitting an all too common remote execution problem Windoze has will wreck your machine. An OS that allows people to remotely execute code has more serious issues than brain dead dialogs.

    When I tried a booby trapped page with Konqueror, I got a "save this to disk" dialog from KDE. On Windoze, that dialog would come from the OS, so there's not much Apple can do about it. I'd say this was intentional sabotage followed by FUD, a typical M$ action. Sorry fanboys, M$ has zero credibility and everyone is better off without Windows.

  43. SpitefulGOD
    Gates Halo

    No threat!!!!!

    For it to be a security threat doesn't someone actually have to use this browser? I see no threat here what-so-ever.

  44. Dougle

    MS rather than apple

    It would seem to suggest that Apple cannot fix or avert an OS vulnerability. I'll be very interested to see how quick MS take to fix this and get people back using a browser other than IE.

  45. Anonymous Coward
    Flame

    Dive in!

    I don't understand the rampant fanboyism in these comments... Microsoft admitted it was a flaw in the way its operating system handles executables, and said that combined with Safari's fantastic idea to dump crap on the user desktop by default there was a security risk.

    It's that simple... It's not Microsuck, Crimnosoft, M$ Dross, Appletard, Mactard, iDiots or Hippy-blood-sucking-creative-leeches-who-need-to-get-a-real-job. Pure and simply a shoddy design decision on Safari's part, coupled with a long term mishandling of executables on Windows' side.

    Still no reason why a browser should ever be putting unwanted files onto my desktop, and sheer arrogance on Apple's part in thinking it's not an important change to make.

  46. Mark Lee Smith
    Flame

    Over emphasis.

    This is rather disingenuous: while Safari on OSX will allow mass downloads, the files won't litter your desktop and executables won't be launched automatically, making this problem little more than an unlikely annoyance. Even if by some miracle an executable was launched automatically, OSX issues a prompt the first time an untrusted executable is launched.

    I would imagine that UAC in Vista does the same kind of thing, preventing this from becoming even a minor security issue.

    Assuming the unexpected happens, cleaning up from a mass download is incredibly easy. Any reasonably computer literate person should be able to remove every file (even if there are millions of them) with a single command from the finder, from the terminal, or from automator.

    Windows users should be able to clean up just as easily from the command line, so seriously, what's the issue here? Microsoft's comments reek of anti-competitive bullshit :(.

  47. benito darder oliver

    there is a bigger problem in the way safari works

    because it starts to download, and doesn't ask what to do until the end... I think that's the real problem, and from this everything can only get worse...

  48. Martin Usher

    Desktop Handles Files???

    It's a directory. It shouldn't be any different from any other directory except that stuff in it gets displayed as icons on the desktop (i.e. the thing that builds the desktop uses the stuff in it as input data).

    What they're saying is that they still haven't got out of the habit of believing the file extension... if some random piece of data turns up with the right file extension then they've got to execute it, regardless. RW's rules of the road ("Kettle, Pot, Black?") above should be mandatory for any computer but, of course, it will "spoil the user experience" (or should I say "reduce the opportunities our clients have to push stuff at the poor sucker of a consumer"?). He's right, as well. Using Linux for web browsing is really boring. No fuss, no excitement -- you just get web pages.

  49. Mark Lee Smith

    Downloads Window

    When a download starts in Safari the 'Downloads' window appears. If you want to prevent a download all you have to do is click.

    This would be impractical with a hundred downloads, but so would a hundred prompts. Likewise, approving downloads one at a time isn’t ideal when you want to download a lot of files.

    I’d like to see Apple add a delay before the download starts to give users more time to respond. A cancel/prevent all button would also be fun.

    In the end all Apple really needs to do is change the default download location and this problem becomes a non-issue. Microsoft's claims seem to center around the fact that the files end up on the desktop.

    All in all I think this is rather ridiculous in the light that the user is made well aware of the downloads and can easily stop them. This certainly won't stop me from using Safari or Webkit in general on Windows.

    On a side-note, there are a number of download managers that take over from Safari's 'Downloads' window on OSX. It's not unreasonable to think this could prevent mass downloads.

  50. DavidCraig

    Separating the truth from the FUD

    From the article:

    "Windows users who visit a booby-trapped site with Safari could be forced to download..." (TRUE), "and execute..." (FUD), "malicious files with no prompting..." (TRUE, on windows), "Microsoft says".

    Details on the actual vulnerability can be found here:

    http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html

    The best FUD is hidden between two truths.
