About-face: Apple patches Safari 'carpet bombing' bug



In what amounts to a major about-face, Apple has patched the Safari "carpet bombing" vulnerability that led to a Safari-to-Internet Explorer remote code execution combo threat.

After insisting for weeks that the issue is more of an irritant than a security risk, Apple today released Safari v3.1.2 for Windows with a patch warning that saving untrusted files to the Windows desktop may lead to the "execution of arbitrary code."

[ SEE: Apple under pressure to fix Safari flaw ]

From Apple's advisory:

An issue exists in how the Windows desktop handles executables. Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code. Web browsers are a means by which files may be saved to the desktop. To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user's Downloads folder on Windows Vista, and to the user's Documents folder on Windows XP. This issue does not exist on systems running Mac OS X.

The bulletin cites Microsoft's security advisory on the combo-threat discovered by researcher Aviv Raff.

Safari v3.1.2 for Windows, available for Windows XP and Vista, also fixes at least three additional vulnerabilities that could lead to information disclosure and code execution attacks.

One of the other three bugs also describes a combo threat that goes the other way -- Internet Explorer to Safari:

Visiting a malicious website which is in a trusted Internet Explorer zone may lead to the automatic execution of arbitrary code

Description: If a website is in an Internet Explorer 7 zone with the "Launching applications and unsafe files" setting set to "Enable", or if a website is in the Internet Explorer 6 "Local intranet" or "Trusted sites" zone, Safari will automatically launch executable files that are downloaded from the site. This update addresses the issue by not automatically launching downloaded executable files, and by prompting the user before downloading a file if the "always prompt" setting is enabled.

The IE-to-Safari threat was reported by Will Dormann of CERT/CC.
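A defender's check for the zone condition the advisory describes, as an added example that is not from the article or from Apple's advisory: it parses a `reg export` text dump of the Internet Explorer zone keys and flags every zone where "Launching applications and unsafe files" is set to "Enable". It generalizes to all zones; the registry value name `1806`, its data meanings and the constructed sample export are assumptions drawn from Microsoft's URL-action documentation, not from this page.

```python
import re

# Assumption (from Microsoft's URL-action docs, not this article): registry value
# "1806" holds the "Launching applications and unsafe files" policy per zone.
ACTION = "1806"
POLICY = {0: "Enable", 1: "Prompt", 3: "Disable"}
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample in `reg export` text form; not taken from a real host.
SAMPLE_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1806"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1806"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1806"=dword:00000003
'''

KEY_RE = re.compile(r"^\[HKEY_[A-Z_]+\\.*\\Internet Settings\\Zones\\(\d+)\]$", re.I)
VAL_RE = re.compile(r'^"%s"=dword:([0-9a-fA-F]{8})$' % ACTION)

def audit_zones(export_text):
    """Return [(zone_id, zone_name, policy)] for each zone that sets action 1806."""
    results, zone = [], None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            zone = int(m.group(1)) if m else None  # ignore unrelated keys
            continue
        m = VAL_RE.match(line)
        if m and zone is not None:
            data = int(m.group(1), 16)
            results.append((zone, ZONES.get(zone, "custom"),
                            POLICY.get(data, "unknown")))
    return results

def risky_zones(export_text):
    """Zones where unsafe files may launch without a prompt (policy Enable)."""
    return [z for z in audit_zones(export_text) if z[2] == "Enable"]

if __name__ == "__main__":
    print(risky_zones(SAMPLE_EXPORT))
```

Files written by `reg export` are UTF-16 encoded, so decode them to text before passing the contents to `audit_zones`.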

 [ SEE: Why Apple must fix Safari ‘carpet bombing’ flaw immediately ]

The browser refresh also plugs a memory corruption issue in WebKit's handling of JavaScript arrays. "Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution," Apple warned.

The fourth vulnerability is an out-of-bounds memory read that may occur in the handling of BMP and GIF images.

  • for PC

    Feels like Apple has to worry much more for Safari on PC. So many security problems which the operating system doesn't process.

    Hope they can keep up.
    • for PC

      Let's all complain about Apple and security risks! But hey it's no big deal that we all get bombarded with weekly High-Priority security updates from M$. What's up with that?
  • RE: About-face: Apple patches Safari 'carpet bombing' bug

    There's no link to the Apple advisory
    • Link to Apple's advisory.

      Here is the link to Apple's advisory:


      I have added it to the story. Sorry about that.

      Ryan Naraine
  • Translation

    It was an annoying non-issue until people found out that
    Windows had a security flaw in processing executable files
    without a user's permission. So, because Windows has a flaw,
    Apple is going to go ahead and fix the bug.

    Except, of course, that it's all Apple's fault.
    • Exactly

      It's their code.
      Confused by religion
      • The Windows flaw isn't Apples code,

        and that flaw is still there... is it not?
        A Grain of Salt
        • Correction. "Apple's code," (NT)

          A Grain of Salt
        • yes, correct, the IE flaw is still exploitable through other access points

          This flaw exists through other programs as well and is a combination flaw where the first application, in this case Safari, allows you to access a real flaw, in this case the IE7 code execution.

          The Safari code isn't the execution flaw, it just doesn't prevent the flaw from being accessed. When Apple closes this door people will have to take one of the other known routes to use this same flaw of IE's.

          So patching this is a good idea.
          It does not take care of the original problem.

          This is not an "Apple" problem as this article suggests sensationally, but a problem on the Windows platform that has several access vectors. Apple is just patching the Safari access vector to remove themselves from the problem situation.
        • isn't Apples code,

          Exactly, Apple has to work around Windows security flaws that Microsoft seems unable to fix themselves!
        • No, the flaw is in Apple's program

          First, Safari's programmers failed to understand how the Windows desktop is used. The main purpose of the Windows desktop is to launch or start applications much like the Unix shells. They also failed to understand that any file marked as exe that has the right header info can be executed from the desktop. The same can happen under Linux/Unix when a file's permissions are set to executable.

          Second, Safari chose to assume that a user visiting a website would automatically want to download files from that site. That was a bad programming decision when it comes to security.

          Third, Safari also assumed that when a third-party (in this case IE) app has decided that certain sites are safe then those sites must be safe. Good programming practices dictate that all data received from outside the program should be considered hostile until proven otherwise. So, the flaw was in Safari not verifying with the user whether or not they wanted to download content from this site even if IE reported the site as safe. As to why IE would report the site as safe when it contained malicious code is another issue that is outside of Safari's responsibility. It could have been because of a security flaw in IE or it could have been because the user decided to declare the site safe, but it's irrelevant to whether or not a vulnerability existed in Safari.
    • Just because there's a flaw in Win

      Doesn't mean there isn't one in Safari.

      Yay for Apple for finally fixing their bug, even if they only did it after people complained.
      • Just because there's a flaw in Win

        Maybe yes maybe no, Safari could have perfect flawless code but will still have a problem with Windows flaws. Therefore Apple must add more code to work around Windows shortcomings.
        • What are you talking about?

          We're talking about a specific flaw here, not some sort of imaginary flaw that has no bearing on anything.
  • MS Fanboi Journalism

    Apple has shown corporate responsibility in changing their
    program so that it can not be used to take advantage of a
    Microsoft vulnerability. Where's the shock and outrage that
    Microsoft allowed the vulnerability in the first place?
    Perhaps journalists and users are simply used to ongoing,
    perpetual problems with MS and are suffering from
    Stockholm Syndrome. Or, in this case, maybe the author
    has a significant conflict of interest in that he works for a
    security company whose viability depends primarily upon
    the continuity of the dangerous MS ecosystem.

    Apple has corrected their software so that it cannot be
    used to take advantage of a long term vulnerability in MS's
    operating system. Now it's time for MS to finally get off
    their ass and fix this one too. Rest assured it will
    eventually happen on a Tuesday...
    • Apple Fanboi Journalist(wannabe)

      It's the typical naive Apple fanboy that wants to believe that Apple has no security threats and doesn't need to be re-active or pro-active against them. I don't care what software you run, in most cases there is an exploit on it somewhere and someone could possibly find it. This includes Apple, Linux, and a host of many more as well. I do know that Apple patches Apple products and the OS on Apple machines, so where is Microsoft when it comes to that, it's all proprietary Apple software. I don't condone security bugs in any software, but to say yours is immune is a waste of a post in my view. Take a look at Apple's patch count this year, you may be shocked and rethink your statements.
      • Nobody's saying Apple is immune

        ... but Apple is clearly not used to having to frequently and
        abruptly release fixes for buggy software, like Microsoft

        This story is angled to paint Apple in a bad light, and while
        the facts are there, I think it is a tad sensationalistic.
        • Aww, give Apple a break

          they're "not used to having to frequently and abruptly release fixes for buggy software"

          So you give them a break for their incompetence, even though they've been in business the same amount of time that MS has?

          So I guess it's OK that a new QuickSwissCheesetime bug is discovered every other day.
      • Apple Fanboi Journalist(wannabe)

        Ah there ya go daMan, perfect response from a Windows Fanboi! Apple cannot patch Windows nor any one else since M$ ain't coughing up code!
  • I thought this was a new feature from Apple

    I was under the impression that this was how apple intended the software to work