Proof of Concept "carpet bombing" exploit released in the wild


In what appears to be an attempt to provoke Apple into reconsidering its currently passive position on the severity of the Apple Safari flaw dubbed "carpet bomb", working proof-of-concept exploit code has been released at Liu Die Yu's security blog:

Nitesh Dhanjani discovered that Safari for Windows puts downloads automatically to Desktop and argued this can potentially make a mess of Desktop, naming it the effect of "Safari Carpet Bomb". Later Microsoft issued an advisory stating "remote code execution on all supported versions of Windows XP and Windows Vista" and "Aviv Raff for working with us and reporting the blended threat of Safari and Microsoft Internet Explorer". Aviv Raff posted on his blog "Safari pwns Internet Explorer", clarifying "this combined attack also exploits an old vulnerability in Internet Explorer that I've already reported to them a long long time ago".

The old vulnerability that Aviv Raff reported to Microsoft a long time ago is described in two articles by Aviv Raff: IE7 DLL-load hijacking Code Execution Exploit PoC, and Internet Explorer 7 - Still Spyware Writers Heaven, both dating back to 2006 (yeah, that's really "a long long time ago"). This vulnerability lies in Windows Internet Explorer loading program library files (DLL) from the user's Desktop instead of its own library file folder (usually C:\WINDOWS\SYSTEM32), when filenames are set to some specific values.

Liu's posts also mention a new security threat in Safari for Windows, different from the "blended threat" described by Microsoft, and summarize in short who is responsible for what in the whole fiasco:

Safari for Windows puts downloads to Desktop by default without a dialog box (such as the "File Download" dialog box in IE). Well, this is in fact a quite reasonable and convenient feature - downloading and saving the requested file to the user's Desktop by default. This feature itself does not constitute a mistake. What really makes the "blended threat" is some problem in loading program library files (DLL) by Windows Internet Explorer (and probably others).
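To make the "blended threat" concrete from the defender's side, here is a small added model (not code from the post, Liu Die Yu, or the PoC) of how a by-name DLL load is resolved when the browser's working directory is the same directory a downloaded file lands in. It simplifies the Windows search order to application dir, system dir, current dir and PATH, with a "safe" flag standing in for the real SafeDllSearchMode setting; all directory and DLL names are constructed sample data.

```python
"""Simplified model of Windows DLL search order, added as an illustration.
Directory and DLL names below are constructed, not taken from the advisory."""
from dataclasses import dataclass, field


@dataclass
class Host:
    dirs: dict                      # constructed file system: directory -> set of DLL names
    app_dir: str = r"C:\Program Files\Internet Explorer"
    system_dir: str = r"C:\WINDOWS\SYSTEM32"
    cwd: str = r"C:\Users\alice\Desktop"   # browser working dir == download dir
    path_dirs: list = field(default_factory=list)

    def search_order(self, safe: bool) -> list:
        """Order in which a by-name load is resolved (simplified).
        safe=True  : application dir, system dir, then current dir, then PATH
        safe=False : application dir, current dir, then system dir, then PATH"""
        if safe:
            return [self.app_dir, self.system_dir, self.cwd] + self.path_dirs
        return [self.app_dir, self.cwd, self.system_dir] + self.path_dirs

    def resolve(self, dll: str, safe: bool):
        """Directory from which `dll` would be loaded, or None if absent everywhere."""
        for directory in self.search_order(safe):
            names = {n.lower() for n in self.dirs.get(directory, set())}
            if dll.lower() in names:
                return directory
        return None


def hijackable(host: Host, safe: bool) -> list:
    """Defender's check: DLLs in the writable download directory that a by-name
    load would actually pick up, either shadowing a system copy (legacy order)
    or standing in for a name that has no system copy at all (both orders)."""
    return sorted(
        dll for dll in host.dirs.get(host.cwd, set())
        if host.resolve(dll, safe) == host.cwd
    )


def demo() -> dict:
    """Constructed scenario: one DLL exists in SYSTEM32 and was also dropped on the
    Desktop; a second name has no system copy at all."""
    host = Host(dirs={
        r"C:\WINDOWS\SYSTEM32": {"real.dll"},
        r"C:\Users\alice\Desktop": {"real.dll", "optional.dll"},
    })
    return {"legacy": hijackable(host, safe=False), "safe": hijackable(host, safe=True)}
```

The model shows why moving the download directory out of the loader's search path helps, and why a name with no system copy is still resolved from any searched directory, which is the point the comments below argue over.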

In a situation where researchers and anti-malware groups clearly demonstrate how this vulnerability can be abused, Apple's passive attitude, shaped by the possible impact on the stereotype of their software's invincibility courtesy of their PR folks, can only be changed by going full disclosure with the exploit, no matter how much vendors hate it. Nothing's impossible; the impossible just takes a little longer, and so does finding bugs in software pitched as the most secure.

How to protect yourself? Watch what you click on, change the browser's default download location, or consider avoiding Safari for Windows until the flaw gets some attention in the first place and, hopefully, gets fixed later on.

Topics: Windows, Apple, Browser, Hardware, Malware, Microsoft, Operating Systems, Security, Software

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

11 comments
  • LOL

    The blog you link is titled:

    "Design Flaw in Windows Internet Explorer Allows Remote Code
    Execution From Safari for Windows"

    Yet, it's a Safari problem. No bias here, folks, move along.
    frgough
  • Changing download location not good enough

    As has already been publicly discussed, changing the download location in Safari is *not* sufficient protection. It may help slightly with one variant of the attack. However, the ability for Safari to download files (to anywhere) without prompting can be abused.

    And since the option isn't configurable, you're at a high risk if you use the browser at all.
    forrestgump2000@...
  • It seems MS had been a tad passive too.

    Considering the flaws were reported in IE in 2006.

    Also

    "Safari for Windows puts downloads to Desktop by default without a dialog box (such as the "File Download" dialog box in IE). Well, this is in fact a quite reasonable and convenient feature - downloading and saving requested file to user's Desktop by default. This feature itself does not constitute a mistake. What really makes the "blended threat" is some problem in loading program library files (DLL) by Windows Internet Explorer (and probably others)"

    So rather than being a flaw in Safari, it is now being considered a feature. So in reading that, why should Apple act at all. It seems to me that MS needs to fix IE and Apple can leave its "feature" right where it is.
    A Grain of Salt
    • Sigh..

      Or perhaps if you take your Apple tinted shades off for ONE second you'll actually understand that Apple have screwed up and/or are really not rushing to fix quite a bad bug in their web browser.

      Sheesh....seriously you Mac lot are vomit inducing with your total bias to Apple. I would hope it's people trolling for replies (in which case you got me) but I'm starting to understand that you actually believe in the rubbish you spout.

      I mean..everyone makes mistakes and Apple seem to be making a lot at the moment - they are the new MS it seems while MS are actually clearing up their act and producing good, solid SECURE systems...

      Just like Apple did in the past.

      All Apple need is their market share. Which ain't gonna happen.
      Average-IT-Guy
      • Take your MS glasses off first

        The blended threat uses flaws from 2006. That's a little older than Safari, why are the IE flaws still there?
        rpmyers1
  • Surprised

    It took this long? I expected it out a while ago.
    rpmyers1
  • I've banned all Apple software from my network

    I've also never been hit with any malware. Coincidence? I think not.
    NonZealot
    • Don't forget IE as well

      Seems it is just as bad.
      Bruizer
  • SOLUTION: don't install Safari AND don't put DLL on your desktop

    SOLUTION: don't install Safari AND don't put DLLs on your desktop. If you don't have DLLs on your desktop, nobody can execute them.
    qmlscycrajg
  • This is ridiculous...

    Why do they always have to come up with new names for these problems every time. Don't we have enough names and acronyms already?

    This is ridiculous...

    And this is probably not a big problem so I think that we will have to wait a while for a fix. But I guess the "MEDIA" will be all over it when it's released. So I'm sure I will know about it when it happens.
    Viklund
  • RE: Proof of Concept

    I don't understand how people could think this is not a security flaw on Apple's part if Safari could automagically download a file without your consent... You don't even need to click "OK" or "Save".

    This sounds like a huge bug already.
    Samic