Researcher keeps 'carpet bomb' attack alive, despite patch


Summary: Security researcher Billy Rios posted an article today about the Apple Safari "Carpet Bomb" attack, discussing a new issue that keeps the "Carpet Bomb" attack alive and well despite the patch, which prevented a "blended" remote command execution attack when Safari was used in conjunction with IE on a Windows system.



Rios mentioned on his blog that using Safari on a system that also has Firefox 2/3 installed could give an attacker the opportunity to steal arbitrary files from the filesystem.  Rios stated that he would not go into further details at this time, as the issue is not fixed by the current Safari patch; however, he did mention that Firefox 3 is vulnerable, but has some protections that help mitigate the issue somewhat.


Apple took some heat over their original stance on the original "Carpet Bomb" issue; however, it is important to note that the remote command execution issue and this later arbitrary file stealing issue were NOT understood at the time of the original discovery.  I think kudos should be given to Apple for recognizing that the "Carpet Bomb" issue was more useful to attackers than previously thought, and actually getting a patch out in a pretty reasonable timeframe.  Hopefully we can expect more of the same from Apple with this newest reported "blended" attack.

"Blended" attacks seem to be the new hotness in the computer security research and hacking realms.  The idea is that you can steal pieces from here and there that, together, render mitigations and outright security models ineffective.  Recent examples of this might be John Heasman's anti-DNS pinning in Java leads to arbitrary command execution, the use by several researchers of Java and other technologies to bypass DEP protections in browser exploits, Rob Carter's XSS on locally running web servers, etc.

Rios makes a wonderful set of statements about these "blended" threat attacks and what they mean to users, which I've paraphrased (and bolded key statements) below:

"Now, these types of vulnerabilities are a perfect example of how all the software and systems we use are part of a giant ecosystem.  Whether we like it or not, the various parts of the ecosystem are intertwined with each other, depending on each other.  When one piece of the ecosystem gets out of line, it can have a dramatic effect on the ecosystem as a whole.  A small vulnerability or even an “annoying” behavior from one piece of software could alter the behavior of a 2nd piece of software, which a 3rd piece of software is depending on for a security decision (The recent pwn2own browser -> java -> flash pwnage is a great example of this).  As the ecosystem grows via plugins, functionality, and new software, so does the attack surface.  Eventually, the interactions between systems and software become a gigantic mesh and the attack surface becomes almost infinite.

Now, a lot of people have criticized Apple for their inability to see the carpet bombing behavior as a security issue.  If Apple looked at their product (Safari) in isolation, maybe it wasn’t a high risk security issue to them and it was really more of an annoyance… it's only when you look at the ecosystem as a whole do we start to see the security implications of this behavior.  Should we have expected Apple to threat model the risks of this behavior against their own products AND other third party products as well?  Can we reasonably expect them (or anyone) to have the requisite knowledge to truly understand how certain behavior will affect the ecosystem?

This brings us to a pressing question.  In the “real world”, users install products from multiple vendors.  Whose responsibility is it to examine the interaction between all these products?"

More wonderful work from one of the highest impact researchers of the last year and a half, and kudos to Billy for keeping the details out until Apple has a chance to address or at least respond to the issue.


  • Why isn't plain 'carpet bomb' bad enough?

    I can think of many ways to trick someone into double-clicking the wrong 'carpet-bombed' icon on their desktop, at which point the machine has been totally breached (hint: drop only one icon). Why isn't this already a bad-enough vulnerability? This has scared me away from using Safari for quite a while (the Quicktime vulnerabilities have scared me away from Macs).
    • Hum?

      I'm not taking sides, just asking, to me, a logical question.

      Don't understand your logic; those two things are keeping you away from Mac so why wouldn't the decades of malware, viruses, trojans, drive by infestation, spyware, and the like, keep you away from Windows?

      Seriously I'm not flaming you. Respectfully your logic escapes me.
      • Switching to Linux

        I'm in the middle of slowly switching to Linux, but an absurd amount of stuff is still stuck in Windows-land for me. (When they compare Windows' stickiness to crack, they're not kidding.) Oh well, I'm working on it.
      • Because...

        Microsoft didn't write "malware, viruses, trojans, drive by infestation, spyware, and the like" - hackers and script kiddies did.

        Quicktime and Safari were written by Apple.

        Besides, anyone can easily bypass the malware, etc. written by outsiders - install AVG (free and updates daily - automatically) and run as user.
        Confused by religion
        • Beautiful...

          Well put my friend...

          It seems like the mac fanboys/girls just don't get it...

          I must say I'm loving this right now...I'm probably the one Windows guy that wants to see Apple succeed...and by succeed I mean gain a big enough market share so that all these hackers and script kids will finally have a reason to hack a mac...

          it's coming...

          it's coming...
  • Is the attack really still "alive" ?

    Re-read BK's blog:

    "... Safari's behavior affected more than just IE. In fact, I've discovered a way to use the Safari's carpet bomb in conjunction with Firefox to steal user files from the local file system. Even though Apple has patched the carpet bomb..."

    Note that BK uses the past tense "affected." And also states that Apple has patched the carpet bomb. I believe the point is that it's not just Safari + IE that can provide a blended threat. But rather Safari + [foo] can be dangerous, IFF the version of Safari being used downloads files automatically.
    • Yes

      It def. still works, albeit not in exactly the same way. I can't comment more until Rios has released details.

  • Stay on top of this

    This is the type of security issue that really makes the web "unsafe". Keep after it until either Apple or Mozilla acknowledge and fix this.
    • Don't worry

      Rios and I have done a lot of research together. We've pointed out a number of flaws that people originally ignore, or push off as the fault of another vendor, but we stay steadfast and make sure issues get resolved.

  • RE: Security researcher keeps

    Maybe if Apple would finally admit that the DESKTOP is not where temporary files should go, that would help.

    I recall a short foray I had into OSX where I was endlessly annoyed that I kept getting PDF files dumped on my desktop anytime I viewed them in my browser!
    • There is the brilliance of Rios

      I did the same thing before... I was downloading MS for Mac apps to try hacking into and ended up downloading some .exe's to my desktop without meaning to. I was annoyed, but didn't put 1 and 1 together and get 2.

  • MHO

    It was Apple's attitude towards their role in this flaw that aggravated me. More so than the flaw itself.
    Don't get me wrong, MS better fix their part of it too, but Apple's statement saying it was only an annoying occurrence that could "easily be stopped by just closing the browser" drove me insane.

    Yes, computers are ecosystems, and seemingly non-critical flaws can become critical when combined with other seemingly non-critical ones. If a vendor decides to write software for Windows they better make sure it's as secure as possible in Windows. If a vendor writes software for OSX, they better make sure it's safe in OSX. The same goes for writing for Linux, Unix, or any other OS out there.

    It is the responsibility of all vendors to get on the ball and fix any flaws that are found as soon as possible. At the very least they should never release statements saying "nothing to see here, move along, it's just an annoyance."
  • RE: Security researcher keeps

    You guys are full of crap...


    Why no apple bashing huh? A day after apple issues a patch for their security fuxup and already we find out there's still a gaping hole. Had this been Microsoft it would have been blown out of proportion. mac book pro can't even keep the time straight...ha...this is why u shouldn't throw stones at "windows" if you live in a glass house...i slay me

    btw: I run XP on my mac...i only use leopard because i HAVE to for school...
    • Who are you talking about?

      Geez I hope it's me. That'd be wonderful considering just a short time ago someone said the same thing about me with regards to Windows. If I can just get the same about Linux, I'll have the triple play.