Why Apple must fix Safari 'carpet bombing' flaw immediately

Apple makes a big deal -- and lots of funny commercials -- around the security profile of its products.  On the Safari download site,  the boast is that users get "worry-free Web browsing on any computer" because, in Cupertino's words, "Apple engineers designed Safari to be secure from day one."

The company has done a nice job of adding exploit prevention mechanisms (ASLR and NX on Vista) to some of its Internet-facing products, but when it comes to responding to legitimate security threats, Apple is light years away from living up to the messages in those commercials.

The Safari "carpet bombing" vulnerability is one current example of Apple really missing the boat about a serious issue affecting its customers.

Some quick background: Researcher Nitesh Dhanjani responsibly reports to Apple that it is possible for a malicious Web site to litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in OS X) with executables masquerading as legitimate icons.


This happens because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location (unless changed).

Imagine using Safari on Windows to browse to a booby-trapped Web site and this happens to your desktop:

[Image: a Windows desktop littered with files dropped by the Safari 'carpet bombing' flaw]

Now, think through the ramifications.  Dan Kaminsky, via Twitter, puts it best:

Standard user rights are required to write to desktop. You know what else standard user gets to do? RUN CODE.

And another tweet from a clearly frustrated Kaminsky:

Adobe wouldn't call arbitrary desktop write not a problem. Sun wouldn't. HP wouldn't. Mozilla wouldn't. Apple is not special.

Arbitrary desktop write is a serious security vulnerability. It's not a mere irritant, as Apple contends.  This is a security flaw that needs to be fixed immediately instead of an enhancement request to come in a future upgrade.

As Robert Hensing explains, what happens when malicious hackers figure out that the "carpet bombing" bug could be chained to another vulnerability to do some serious damage?

Think about it:  A combo-attack where Dhanjani's Safari vulnerability is used to drop a nasty executable on your desktop and another (known or unknown) vulnerability used to run it.   Instant drive-by malware installation!

With this Safari flaw, the bad guys are 50% of the way to direct code execution of whatever binary they chose to run . . . all they have to do is find a way to get that dropped binary to run.  Will it happen?  Time will tell I suppose . . . seems rather risky to leave this vulnerability out there when it seems like it would probably be a rather easy fix.

Secure from day one?  Impossible.  Now, Apple, do something about it.

Meanwhile, if you use Safari on Windows, I have one piece of advice:  Don't.


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
