Apple under pressure to fix Safari 'carpet bomb' flaw

Summary: The Google-backed coalition has called on Apple to rethink its stance on whether the Safari "carpet bomb" issue reported by Nitesh Dhanjani constitutes a serious security risk.


Dhanjani originally discovered that it is possible for a booby-trapped Web site to litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in OS X) with executables masquerading as legitimate icons.

"This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location (unless changed)," Dhanjani said, warning that it could be used as a drive-by malware distribution mechanism.
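The mechanism above leaves a signature a defender can look for: a batch of files appearing in the default download location within seconds, some of them executables with borrowed names. The following Python script is an added example, not code from the article, from Dhanjani's proof of concept, or from Apple. The FileRecord type, the find_bursts/assess/scan_directory functions, the 10-second window, the five-file threshold and the extension list are all my own choices, and the sample records are constructed inline so the script runs offline.

```python
"""Detect a Safari-style 'carpet bomb' in a download directory.

Added example; not code from the ZDNet article, Dhanjani's proof of
concept, or Apple. It looks for the observable signature the article
describes: many files landing in the default download location in a
short window, some of them executables with misleading names. The
sample records below are constructed; scan_directory() builds real ones.
"""
from dataclasses import dataclass
import os
import stat

# Extensions treated as executable. Assumption: a conventional list,
# not anything the article specifies.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
                   ".lnk", ".app", ".command", ".sh", ".pkg", ".dmg"}


@dataclass
class FileRecord:
    name: str
    mtime: float       # modification time, seconds since the epoch
    mode: int          # st_mode bits
    quarantined: bool  # com.apple.quarantine xattr present (Safari sets it on downloads)


def looks_executable(rec: FileRecord) -> bool:
    """Executable by extension or by a user-execute bit."""
    ext = os.path.splitext(rec.name.lower())[1]
    return ext in EXECUTABLE_EXTS or bool(rec.mode & stat.S_IXUSR)


def find_bursts(records, window_s=10.0, min_files=5):
    """Group files whose mtimes fall within window_s seconds of the first
    file in the group; return only groups of at least min_files."""
    recs = sorted(records, key=lambda r: r.mtime)
    bursts, i = [], 0
    while i < len(recs):
        j = i
        while j + 1 < len(recs) and recs[j + 1].mtime - recs[i].mtime <= window_s:
            j += 1
        if j - i + 1 >= min_files:
            bursts.append(recs[i:j + 1])
            i = j + 1
        else:
            i += 1
    return bursts


def assess(records, window_s=10.0, min_files=5):
    """One finding per burst: size, start time, names of executables in it,
    and how many carry the quarantine flag (i.e. came from a browser)."""
    findings = []
    for burst in find_bursts(records, window_s, min_files):
        findings.append({
            "count": len(burst),
            "start": burst[0].mtime,
            "executables": [r.name for r in burst if looks_executable(r)],
            "quarantined": sum(1 for r in burst if r.quarantined),
        })
    return findings


def scan_directory(path):
    """Build FileRecords from a real directory such as ~/Downloads.
    The quarantine check needs os.getxattr (Linux only in CPython); on other
    platforms it is recorded as False rather than guessed."""
    out = []
    for entry in os.scandir(path):
        if not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        quarantined = False
        if hasattr(os, "getxattr"):
            try:
                os.getxattr(entry.path, "com.apple.quarantine")
                quarantined = True
            except OSError:
                pass
        out.append(FileRecord(entry.name, st.st_mtime, st.st_mode, quarantined))
    return out


def _constructed_sample():
    """Two ordinary downloads hours earlier, then 30 decoy .exe files in
    under three seconds. Names mirror the disguises the article warns
    about; the timestamps are arbitrary (constructed data)."""
    base = 1_212_000_000.0
    recs = [FileRecord("quarterly_report.pdf", base - 7200, 0o644, True),
            FileRecord("holiday.jpg", base - 3600, 0o644, True)]
    decoys = ["Recycle Bin", "Internet Explorer", "Critical Security Update", "iTunes"]
    for k in range(30):
        recs.append(FileRecord(f"{decoys[k % 4]} ({k}).exe", base + 0.1 * k, 0o644, True))
    return recs


SAMPLE_RECORDS = _constructed_sample()

if __name__ == "__main__":
    for f in assess(SAMPLE_RECORDS):
        print(f"burst of {f['count']} files at {f['start']:.0f}: "
              f"{len(f['executables'])} executables, {f['quarantined']} quarantined")
```

The burst heuristic only catches the noisy version of the attack. A page that drops a single "Critical Security Update.exe" never forms a burst, so on a real machine the useful check is `looks_executable()` applied to every newly quarantined file, with the burst count kept as a secondary signal.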

[ See Nate's post for background ]

Apple has classified Dhanjani's findings as more of an annoyance than a security risk that requires an immediate patch.

In the eyes of Apple's security team, the user (target) would have to be complicit in an attack that causes a sufficiently high number of files to be downloaded. "It presents a risk of annoyance, at worst, [and] can be easily stopped by closing the browser."

A source tells me that Apple will fix the issue in Safari 3.2, which is slated for release in the summer (September) this year.

However, the coalition, a non-profit managed by Harvard Law School's Berkman Center for Internet & Society and Oxford University's Oxford Internet Institute, wants Apple to create and distribute a fix to protect end users. Its researcher Laureli Mallek writes: "[The coalition] believes that users should have control over software being downloaded to their computers, and we encourage Apple to reconsider its stance and treat this as the security issue that it is."

The good news is that Apple will fix Safari's handling of these types of issues as an enhancement for a future release. However, if we start seeing in-the-wild exploits using carpet-bombed desktop icons to trick users into installing malicious executables, then Apple's delay will be hard to justify.

In the meantime, Safari users -- and all Web surfers -- should always be very careful about clicking on untrusted links that arrive via e-mail or instant messaging.

  • The problem with this one is

    It's too easy. Anyone can read the PoC and figure out how to conduct a full blown attack quite simply. If you fit the pieces together, it's directly attackable.

    • Except that

      Most people aren't going to be fooled by it. You hit a web site and dozens of icons start appearing all over your desktop? I don't think anyone with average intelligence is going to fall for that one and click any of those icons.

      The first thing they're going to do is freak out and close the browser. Then they'll throw everything in the trash or call their family member who does their tech support to find out what

      I have to agree with Apple on this one. It's a dumb design decision, but falls under the "we did something stupid that can annoy the heck out of people, but we're fixing it."
      • I totally disagree

        Keep in mind, we can throw any image and title on the exe we want. We can make it look like IE, the Recycle Bin, etc. The average user is probably going to be afraid they're deleting a critical system file. Plus, you could just as easily do just one that says "Critical Security Updates Available Click Here" with a Microsoft logo. I think you are giving the average user too much credit.

        • I don't know.....

          Doesn't the user have to give permission via the admin password to install anything that downloads? Since the user is not looking to install anything for the simple act of visiting a web site and the strange downloading of a bunch of whatever, should that not prevent this kind of thing?

          Pagan jim
          James Quinn
      • But how likely is it...

        ...that the "average user" will know what's causing the explosion of icons on their desktop and close the browser window?

        And I may be mistaken, but it sounds as if ANY icon can be used for a downloaded file and ANY name/description can be attached to the icons. If I were to set up an attack to exploit this, in my mind it would make sense to not make it obvious what was happening.

        So, I'd keep the number of downloaded files small, and I'd use icons and descriptions that have nothing to do with the rigged website... or the browser for that matter.

        Then it would seem to be just a matter of waiting for the P.T. Barnum effect.
        Hallowed are the Ori
        • Not to mention...

          The average user has their browser at full screen. They can't even see their desktop while surfing, or reading email. So they'll never see the icons appearing.
        • Didn't this happen in other browsers before?

          This is why I can't stand Apple. This is also the way Microsoft is. This is kind of like saying that it's not my fault, you should not have clicked on the link or have gone to the site. Which they are saying is your fault. This is why I have completely switched to Ubuntu since Vista. "Viva Linux"
      • Come on dude...

        if the user is looking at their browser, you can bet they aren't looking at their desktop. Most "average" users have their desktop so cluttered up to begin with that they wouldn't notice a few extra icons.
      • Oh close the browser?? Thx for the tip!

        In that case it's perfectly OK to distribute shoddy code that starts dumping all sorts of random executables in my computer w/o my consent.

        Thanks for letting me know it's OK for Apple to do whatever the hell they want. They always know what's better for me.
    • Directly Attackable?

      To what end?

      Can you seize control of my computer with admin level access without clicking a file? If not, Apple is mostly right - you're just pissin' in the wind. The worst that I have read thus far is you are going to litter my desktop with files. Big freakin' whoop. So exactly where lies the threat, save that omnipresent threat to stupid people?
      • Read the above

        What if instead of littering your desktop, there is just one, and it is called "Critical iTunes Security Patch" or "Critical Safari Security Patch" with those respective logos, while actually being malware and viruses? While a large percentage of users would realize that this would not be the way a program would put out its updates, there would be a percentage that would run this very legit looking program. I run Firefox instead of Safari so no skin off my nose, but as much as I love Macs I agree that they are pompous asses sometimes.
  • RE: Apple under pressure to fix Safari 'carpet bomb' flaw

    Unfortunately, Apple seems to have this mentality that if they say it's not a security risk, then it isn't. They're a great company, with great products, but their ego seems to get in the way of them doing the right thing much too often... it seems the marketing dept is taking way too much control, which is a long & slippery slope (just ask Microsoft where that leads...).
    • Agreed

      They haven't taken as many lumps as some of the other companies, so they still seem to be fighting security tooth and nail.

      • But why?

        All we hear are self-described "experts" telling us how insecure Apple software is, yet you directly counter that in one sentence.

        Why isn't Apple taking the hits that Microsoft does? Could it just possibly be true that Apple does have a more secure product? At least one must admit there has never been a documented "pwnage" of Mac OS X remotely, unlike Windows XP or Vista.

        At least be honest and admit the Swiss cheese Apple started working with when they ported their stuff to Windows. A dressed up pig is still a pig, after all.
        • market share.

          Now that they are finally starting to gain a little market share, the lipstick on the pig that is OS X is wearing thin.
          • Not really

            A variety of unusual OS's and even various Linux distros, with much smaller web footprints than Apple, have a higher incidence of malware, so I think we can safely write "security through obscurity" off as a possible reason.

            cheers, Mark
          • re:Not really

            >>>...A variety of unusual OS's and even various Linux distros, with a much smaller web footprints than Apple have a higher incidence of malware,..<<<

            Do you have any specifics to go with that overly broad and sweeping declaration?
          • true, but...

            There are a few possible reasons that come to mind as possibilities of explaining why there are so few attacks on Apple vs other OSs:

            1 - Every Mac user knows they're using an alternative system. If they decide they hate the Mac, they can switch to Windows.
            2 - Mac users like Apple more than most PC users like
            3 - The software is written with more security in mind.
            4 - The lower market share.

            It's quite possible that all three of these factors contribute to the overall security Apple's software has seemed to have over the years.

            But you must admit, it's quite extraordinary that there haven't been any huge attacks on OS X.

            The simple fact is, the number of attacks should be proportional to the user base. The Mac should still have at least 1/100 the number of viruses on Windows. The fact that it doesn't should be a clear sign to all that it's more secure, or at least, it was.

            I think part of the mentality is that the Mac is an alternative. People who don't like it can use Windows instead. But when people (i.e. programmers) feel like they have no choice but to use Windows and they hate it, that's when viruses are written.

            Note: I am a Mac-user. And yes, the Mac does have problems, especially Leopard, but I still couldn't imagine hating it enough to go back to Windows.
      • As a long time Mac user

        I have to thank you for highlighting and explaining this issue, as should anyone that really cares about the platform and its security. There's so much bullship criticism of Apple that it's very important to support valid criticism such as yours so it doesn't get lost in the noise. I'm hoping Apple takes notice very soon.
        Marcos El Malo
        • Hear, hear!

          >As a long time Mac user I have to thank you for highlighting and explaining this issue, as should anyone that really cares about the platform and its security

          Indeed. As a long time Mac user myself, this concerns me. Not so much the part about putting the file(s) on my desktop or downloads folder, because I'm always warned that the file was downloaded from the net and could be dangerous, but because it could be disguised as something I might run because it appears legitimate.

          If it said "Critical Safari Update" I *might* fall for it. I'd be puzzled because those updates come through the software updater, and I'd probably go check it out, but then again, maybe not.

          I'm glad they agree it has to be fixed. I also agree they should fix it sooner. The fact that it has been exposed makes it far more likely that someone will try to do this. Get on the stick, Apple!