Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Proof of Concept "carpet bombing" exploit released in the wild

By | June 11, 2008, 2:58am PDT

In what appears to be an attempt to provoke Apple into reconsidering its currently passive position on the severity of the Apple Safari flaw dubbed “carpet bomb”, working Proof of Concept exploit code has been released at Liu Die Yu’s security blog:

Nitesh Dhanjani discovered that Safari for Windows puts downloads automatically to Desktop and argued this can potentially make a mess of Desktop, naming it the effect of “Safari Carpet Bomb”. Later Microsoft issued an advisory stating “remote code execution on all supported versions of Windows XP and Windows Vista” and “Aviv Raff for working with us and reporting the blended threat of Safari and Microsoft Internet Explorer”. Aviv Raff posted on his blog “Safari pwns Internet Explorer”, clarifying “this combined attack also exploits an old vulnerability in Internet Explorer that I’ve already reported to them a long long time ago”.

The old vulnerability that Aviv Raff reported to Microsoft long time ago is described in two articles by Aviv Raff: IE7 DLL-load hijacking Code Execution Exploit PoC, and Internet Explorer 7 - Still Spyware Writers Heaven, both dating back to 2006 (yeah that’s really “a long long time ago”). This vulnerability lies in Windows Internet Explorer loading program library files (DLL) from user’s Desktop instead of its own library file folder (usually C:\WINDOWS\SYSTEM32), when filenames are set to some specific values.

Liu’s posts also mention a new security threat in Safari for Windows, different from the “blended threat” described by Microsoft, and briefly summarize the whole fiasco about who is responsible for what:

Safari for Windows puts downloads to Desktop by default without a dialog box (such as the “File Download” dialog box in IE). Well, this is in fact a quite reasonable and convenient feature - downloading and saving requested file to user’s Desktop by default. This feature itself does not constitute a mistake. What really makes the “blended threat” is some problem in loading program library files (DLL) by Windows Internet Explorer (and probably others)
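To make the mechanism in the two quoted paragraphs concrete, here is an added model (not code from the post or from Liu Die Yu's blog) of how a DLL silently dropped into a user-writable download folder gets picked up ahead of the copy in C:\WINDOWS\SYSTEM32. It assumes the classic Windows search order, in which the program's working directory is consulted before the system library folder, and uses constructed paths and a constructed filename (`example.dll`); the specific DLL names the page alludes to are not reproduced.

```python
"""Model of the DLL-load hijack described above: a file placed in the
user's Desktop (Safari's unprompted download location) shadows the
same-named library in SYSTEM32 for a program that searches its working
directory first.  Paths and filenames below are constructed for the example."""
import os
from pathlib import PureWindowsPath

# Legacy search order (SafeDllSearchMode off): the working directory is
# searched before the system library folder, so a planted copy wins.
LEGACY_ORDER = ("app_dir", "cwd", "system32", "windows", "path")
# SafeDllSearchMode on: the working directory drops below the system dirs.
SAFE_ORDER = ("app_dir", "system32", "windows", "cwd", "path")

# Constructed directory map and listing standing in for a real filesystem.
DIRS = {
    "app_dir": r"C:\Program Files\Internet Explorer",
    "cwd": r"C:\Documents and Settings\alice\Desktop",  # download folder
    "system32": r"C:\WINDOWS\SYSTEM32",
}
FILES = {
    DIRS["app_dir"]: ["iexplore.exe"],
    DIRS["cwd"]: ["example.dll", "report.pdf"],        # example.dll planted
    DIRS["system32"]: ["example.dll", "kernel32.dll"],  # legitimate copy
}


def resolve_dll(name, order=LEGACY_ORDER, dirs=DIRS, files=FILES):
    """Return (slot, path) for the first directory in `order` that holds
    `name` (compared case-insensitively, as on NTFS), or None."""
    wanted = name.lower()
    for slot in order:
        folder = dirs.get(slot)  # slots missing from `dirs` are skipped
        for entry in files.get(folder, ()):
            if entry.lower() == wanted:
                return slot, str(PureWindowsPath(folder) / entry)
    return None


def shadowed_system_dlls(order=LEGACY_ORDER, dirs=DIRS, files=FILES):
    """Defender check: names of system DLLs that a same-named file in the
    working (download) directory would override under `order`."""
    system = {f.lower() for f in files.get(dirs.get("system32"), ())}
    hits = []
    for entry in files.get(dirs.get("cwd"), ()):
        hit = resolve_dll(entry, order, dirs, files)
        if entry.lower() in system and hit and hit[0] == "cwd":
            hits.append(entry)
    return sorted(hits)


def dlls_in_dir(path):
    """Scan a real folder (e.g. your Desktop) for loose DLL files to review."""
    return sorted(f for f in os.listdir(path) if f.lower().endswith(".dll"))
```

Running `shadowed_system_dlls()` against the constructed listing reports `example.dll` under the legacy order and nothing under `SAFE_ORDER`, which is the whole difference between the two halves of the blended threat.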

When researchers and anti-malware groups have clearly demonstrated how this vulnerability can be abused, Apple’s passive attitude, shaped by the stereotype of its software’s invincibility that its PR folks cultivate, can only be changed by full disclosure of the exploit, however much vendors hate it. Nothing is impossible; the impossible just takes a little longer, and so does finding bugs in software pitched as the most secure one.

How to protect yourself? Watch what you click on, change the browser’s default download location, or consider avoiding Safari for Windows until the flaw gets some attention in the first place and, hopefully, gets fixed later on.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

11 Comments

LOL
frgough 11th Jun 2008
The blog you link is titled:

"Design Flaw in Windows Internet Explorer Allows Remote Code
Execution From Safari for Windows"

Yet, it's a Safari problem. No bias here, folks, move along.
Changing download location not good enough
forrestgump2000@... 11th Jun 2008
As has already been publicly discussed, changing the download location in Safari is *not* sufficient protection. It may help slightly with one variant of the attack. However, the ability for Safari to download files (to anywhere) without prompting can be abused.

And since the option isn't configurable, you're at a high risk if you use the browser at all.
It seems MS had been a tad passive too.
A Grain of Salt 11th Jun 2008
Considering the flaws were reported in IE in 2006.

Also

"Safari for Windows puts downloads to Desktop by default without a dialog box (such as the “File Download” dialog box in IE). Well, this is in fact a quite reasonable and convenient feature - downloading and saving requested file to user’s Desktop by default. This feature itself does not constitute a mistake. What really makes the “blended threat” is some problem in loading program library files (DLL) by Windows Internet Explorer (and probably others)"

So rather than being a flaw in Safari, it is now being considered a feature. So in reading that, why should Apple act at all. It seems to me that MS needs to fix IE and Apple can leave its "feature" right where it is.
Sigh..
Average-IT-Guy 11th Jun 2008
Or perhaps if you take your Apple tinted shades off for ONE second you'll actually understand that Apple have screwed up and are really not rushing to fix quite a bad bug in their web browser.

Sheesh....seriously you Mac lot are vomit inducing with your total bias to Apple. I would hope it's people trolling for replies (in which case you got me) but I'm starting to understand that you actually believe in the rubbish you spout.

I mean..everyone makes mistakes and Apple seem to be making a lot at the moment - they are the new MS it seems while MS are actually clearing up their act and producing good, solid SECURE systems...

Just like Apple did in the past.

All Apple need is their market share. Which ain't gonna happen.
Take your MS glasses off first
rpmyers1 11th Jun 2008
The blended threat uses flaws from 2006. That's a little older than Safari, why are the IE flaws still there?
Surprised
rpmyers1 11th Jun 2008
It took this long? I expected it out a while ago.
I've also never been hit with any malware. Coincidence? I think not.
Don't forget IE as well
Bruizer 12th Jun 2008
Seems it is just as bad.
SOLUTION: don't install Safari AND don't put DLL on your desktop. If you haven't DLLs on your desktop, nobody can execute them.
This is ridiculous...
MrViklund Updated - 11th Jun 2008
Why do they always have to come up with new names for these problems every time. Don't we have enough names and acronyms already?

This is ridiculous...

And this is probably not a big problem so I think that we will have to wait a while for a fix. But I guess the "MEDIA" will be all over it when it's released. So I'm sure I will know about it when it happens.
RE: Proof of Concept
Samic Updated - 12th Jun 2008
I don't understand how people could think this is not a security flaw on Apple's part if Safari could automagically download a file without your consent... You don't even need to click "OK" or "Save".

This sounds like a huge bug already.
