Apple under pressure to fix Safari 'carpet bomb' flaw

Summary: The Google-backed StopBadware.org coalition has called on Apple to rethink its stance on whether the Safari "carpet bomb" issue reported by Nitesh Dhanjani constitutes a serious security risk.


Dhanjani originally discovered that it is possible for a booby-trapped Web site to litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in OSX) with executables masquerading as legitimate icons.

"This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location (unless changed)," Dhanjani said, warning that it could be used as a drive-by malware distribution mechanism.

[ See Nate's post for background ]

Apple has classified Dhanjani's findings as more of an annoyance than a security risk that requires an immediate patch.

In the eyes of Apple's security team, the user (target) would have to be complicit in an attack that causes a sufficiently high number of files to be downloaded. "It presents a risk of annoyance, at worst, [and] can be easily stopped by closing the browser."

A source tells me that Apple will fix the issue in Safari 3.2, which is slated for release in the summer (September) this year.

However, StopBadware.org, a non-profit managed by Harvard Law School's Berkman Center for Internet & Society and Oxford University's Oxford Internet Institute, wants Apple to create and distribute a fix to protect end users.

StopBadware.org researcher Laureli Mallek writes:

StopBadware.org believes that users should have control over software being downloaded to their computers, and we encourage Apple to reconsider its stance and treat this as the security issue that it is.

The good news is that Apple will fix Safari's handling of these types of issues as an enhancement for a future release. However, if we start seeing in-the-wild exploits using carpet-bombed desktop icons to trick users into installing malicious executables, then Apple's delay will be hard to justify.

In the meantime, Safari users -- and all Web surfers -- should always be very careful about clicking on untrusted links that arrive via e-mail or instant messaging communications.
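Since the risk described above is an executable sitting in the download folder under a harmless-looking name and icon, a practical check is to identify files by their content rather than their extension. The script below is an added example, not code from Naraine's post, from Dhanjani or from Apple: it walks a directory, recognises native executables (PE, ELF, Mach-O) by their magic bytes, and flags any whose file extension does not match an executable. The magic-number table, the list of "expected" executable extensions and the sample files it builds in a temporary directory are all assumptions made for the example.

```python
import tempfile
from pathlib import Path

# Leading bytes of the native executable formats a carpet-bombed download
# could realistically be (assumption: these families are sufficient here).
# Note: 0xCAFEBABE is also the Java class-file magic, so a "universal"
# hit on a .class file is a known false positive of this simple check.
EXECUTABLE_MAGIC = {
    b"MZ": "PE (Windows)",
    b"\x7fELF": "ELF",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
}

# Extensions under which an executable is expected.  A Mach-O with no
# extension is normal; a PE named invoice.pdf is a disguise.
EXPECTED_EXEC_EXT = {"", ".exe", ".dll", ".scr", ".com", ".so", ".dylib", ".bin", ".o"}


def classify(path):
    """Return the executable format name for `path`, or None if not executable."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    for magic, kind in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def scan_downloads(directory):
    """Return [(name, kind, disguised)] for every executable in `directory`.

    `disguised` is True when the file's extension is not one an executable
    would normally carry, i.e. the content contradicts the name.
    """
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        kind = classify(entry)
        if kind is None:
            continue
        disguised = entry.suffix.lower() not in EXPECTED_EXEC_EXT
        findings.append((entry.name, kind, disguised))
    return findings


def disguised_executables(findings):
    """Names of executables hiding behind a non-executable extension."""
    return [name for name, _kind, disguised in findings if disguised]


def build_sample_downloads():
    """Create a constructed download folder in a temp dir and return its path.

    The contents are synthetic headers, not real programs: just enough bytes
    to carry the magic number each format starts with.
    """
    folder = Path(tempfile.mkdtemp(prefix="carpet-bomb-demo-"))
    samples = {
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,          # PE dressed as a PDF
        "vacation.jpg": b"\xcf\xfa\xed\xfe" + b"\x00" * 60,  # Mach-O dressed as a JPEG
        "notes.txt": b"just a text file, nothing to see\n",   # benign
        "helper.exe": b"MZ\x90\x00" + b"\x00" * 60,           # PE under its own extension
        "fat": b"\xca\xfe\xba\xbe" + b"\x00" * 60,            # universal binary, no extension
    }
    for name, data in samples.items():
        (folder / name).write_bytes(data)
    return folder


if __name__ == "__main__":
    folder = build_sample_downloads()
    for name, kind, disguised in scan_downloads(folder):
        flag = "DISGUISED" if disguised else "ok"
        print(f"{name:14} {kind:18} {flag}")
```

Run it against a real download folder by calling `scan_downloads(Path.home() / "Downloads")` instead of the constructed sample; on the sample it reports invoice.pdf and vacation.jpg as disguised and helper.exe and fat as ordinary executables. The check says nothing about whether an executable is malicious, only that its name lies about what it is, which is exactly the trick a carpet-bombed desktop relies on.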

* Photo credit: aditza121's Flickr photostream (Creative Commons 2.0).


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
