Why Apple must fix Safari 'carpet bombing' flaw immediately

Summary: Apple makes a big deal -- and lots of funny commercials -- around the security profile of its products. On the Safari download site, the boast is that users get "worry-free Web browsing on any computer" because, in Cupertino's words, "Apple engineers designed Safari to be secure from day one."

Apple makes a big deal -- and lots of funny commercials -- around the security profile of its products. On the Safari download site, the boast is that users get "worry-free Web browsing on any computer" because, in Cupertino's words, "Apple engineers designed Safari to be secure from day one."

The company has done a nice job of adding exploit prevention mechanisms (ASLR and NX on Vista) to some of its Internet-facing products, but when it comes to responding to legitimate security threats, Apple is light years away from living up to the messages in those commercials.

The Safari "carpet bombing" vulnerability is one current example of Apple completely missing the boat on a serious issue affecting its customers.

Some quick background: Researcher Nitesh Dhanjani responsibly reports to Apple that it is possible for a malicious Web site to litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in OS X) with executables masquerading as legitimate icons.

[ SEE: Apple under pressure to fix Safari ‘carpet bomb’ flaw ]

This happens because Safari cannot be configured to ask the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in its default download location (unless the user has changed that location).

Imagine using Safari on Windows to browse to a booby-trapped Web site and this happens to your desktop:

[Screenshot: the carpet-bombed Windows desktop]

Now, think through the ramifications.  Dan Kaminsky, via Twitter, puts it best:

Standard user rights are required to write to desktop. You know what else standard user gets to do? RUN CODE.

And another tweet from a clearly frustrated Kaminsky:

Adobe wouldn't call arbitrary desktop write not a problem. Sun wouldn't. HP wouldn't. Mozilla wouldn't. Apple is not special.

Arbitrary desktop write is a serious security vulnerability. It is not a mere irritant, as Apple contends. This is a security flaw that needs to be fixed immediately, not an enhancement request to be addressed in some future upgrade.

As Robert Hensing explains, what happens when malicious hackers figure out that the "carpet bombing" bug could be chained to another vulnerability to do some serious damage?

Think about it:  A combo-attack where Dhanjani's Safari vulnerability is used to drop a nasty executable on your desktop and another (known or unknown) vulnerability used to run it.   Instant drive-by malware installation!

With this Safari flaw, the bad guys are 50% of the way to direct code execution of whatever binary they choose to run . . . all they have to do is find a way to get that dropped binary to run. Will it happen? Time will tell I suppose . . . seems rather risky to leave this vulnerability out there when it seems like it would probably be a rather easy fix.
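The risk described above is a burst of unrequested, executable-looking files landing in a download directory. As an added defender-side illustration (this is not code from the article, from Apple, or from the researchers quoted), the Python script below scans a directory for two things: files that look runnable (a Windows executable extension, or an executable mode bit on OS X and other Unix systems) and an unusually large group of files whose timestamps fall within one short window, which is the signature of an unattended bulk download. The extension list, the 60-second window, the threshold of five files and the sample directory it builds are all assumptions constructed for this example.

```python
import os
import stat
import tempfile
import time
from collections import namedtuple

# Extensions Windows treats as directly runnable or that commonly carry code.
# Assumption: a starting list for a home-grown monitor, not an exhaustive one.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                    ".dll", ".js", ".vbs", ".jar", ".hta"}

Finding = namedtuple("Finding", "path reason mtime")


def risk_reason(path):
    """Return why a file looks executable, or None if it does not.

    Two checks: a runnable extension (the Windows Desktop case) and an
    executable mode bit (the ~/Downloads case on OS X or other Unix systems).
    """
    ext = os.path.splitext(path)[1].lower()
    if ext in RISKY_EXTENSIONS:
        return "runnable extension %s" % ext
    mode = os.stat(path).st_mode
    if stat.S_ISREG(mode) and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return "executable mode bit set"
    return None


def scan_drop_dir(directory, window_seconds=60, threshold=5):
    """Inspect a download target directory for a carpet-bombing pattern.

    Returns a dict with:
      findings: Finding tuples for every file that looks executable
      burst:    the largest group of files whose mtimes fall inside one
                window_seconds-wide window, if it reaches threshold, else []
    """
    entries = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            entries.append((os.stat(path).st_mtime, path))
    entries.sort()

    findings = []
    for mtime, path in entries:
        reason = risk_reason(path)
        if reason:
            findings.append(Finding(path, reason, mtime))

    # Sliding window over the sorted mtimes: many files landing within
    # seconds of each other is what an unattended bulk download looks like.
    burst, start = [], 0
    for end in range(len(entries)):
        while entries[end][0] - entries[start][0] > window_seconds:
            start += 1
        size = end - start + 1
        if size >= threshold and size > len(burst):
            burst = [p for _, p in entries[start:end + 1]]
    return {"findings": findings, "burst": burst}


def _touch(path, mtime):
    """Create an empty file and back-date its modification time."""
    with open(path, "w"):
        pass
    os.utime(path, (mtime, mtime))


def build_sample_dir():
    """Construct a throwaway directory imitating a carpet-bombed Desktop.

    Every file name and timestamp here is made up for this example; the
    files are empty, not real binaries.
    """
    base = tempfile.mkdtemp(prefix="carpet_bomb_demo_")
    now = time.time()
    # One legitimate, days-old document the user saved deliberately.
    _touch(os.path.join(base, "quarterly_report.pdf"), now - 3 * 86400)
    # Seven files dropped within ten seconds, named to look like documents
    # or pictures but carrying runnable extensions.
    dropped = ["invoice.pdf.exe", "holiday.jpg.scr", "readme.txt.com",
               "setup.pif", "update.bat", "notes.doc.hta", "gift.zip.exe"]
    for i, name in enumerate(dropped):
        _touch(os.path.join(base, name), now - 10 + i)
    return base


if __name__ == "__main__":
    sample = build_sample_dir()
    report = scan_drop_dir(sample)
    for f in report["findings"]:
        print("suspicious: %s (%s)" % (os.path.basename(f.path), f.reason))
    if report["burst"]:
        print("burst of %d files within 60s: possible unattended bulk download"
              % len(report["burst"]))
```

On the constructed sample the old PDF is neither flagged nor part of the burst, while all seven dropped files are flagged by extension and form one burst. Point `scan_drop_dir` at a real Desktop or Downloads directory to use it as a periodic check; the two signals are deliberately independent, since a single disguised executable is worth a look even without a burst, and a burst of harmless files still shows that the browser downloaded things nobody asked for.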

Secure from day one?  Impossible.  Now, Apple, do something about it.

Meanwhile, if you use Safari on Windows, I have one piece of advice:  Don't.

Topics: Hardware, Apple, Operating Systems, Security

Talkback

85 comments
  • This is what I am talking about

    So many Apple fans will tell everyone that Apple is the most secure, but then turn to this blog and say "we never said that". I am not a hater, but I do hate when people try to come off as something they are not, and Apple is doing that very much so the past few years. Secure from day one is a load of garbage and people that don't know any better just eat it up. Same goes for the commercials; they just say anything to get ahead. If Apple is so security minded, how come iTunes and QuickTime are some of the most vulnerable apps out there and Apple will say all day long that is a Windows issue, not our software? I guess there are not too many stand up people running Apple that can live on truthful merits. There are vulnerabilities all over the software world, and for someone to claim upfront that they will never have to re-visit the code on their software is doing us all a disservice.
    OhTheHumanity
    • My beef is...

      My beef isn't the fact that the software has a vulnerability. It's Apple's flippant response that doesn't match its marketing/pr messages.

      _ryan
      Ryan Naraine
      • Detached from marketing, it's still bad.

        Really, though, if the marketing message had a different emphasis, it still would be wrong to ignore the issue. I question (and change) the default setting in Safari which allows automatic opening of "safe" files. I have never known a system that unerringly knew when a file was safe or not.
        DannyO_0x98
        • Name on Byline? Official?

          If that means you're back on the beat, welcome back.
          DannyO_0x98
          • Thank you

            Yup, I'm back on the ZeroDay blog team with Nate and Dancho. Thanks for the welcome back.

            _r
            Ryan Naraine
          • Go Ryan, Go Ryan, it's your birthdate, it's your birthdate.

            I'm really glad to see you back Ryan.

            CHEERS !
            Intellihence
      • Agreed

        All software is flawed.... I can't imagine there have been many pieces of software of this magnitude that did NOT have security flaws. Here's the deal: this is not the first serious bug you'll have seen on Safari, and it is most certainly NOT the last, I can guarantee you of that as I have a few interesting things I'm looking at myself.

        What would be refreshing is to have companies not look at things like such a PR war. Accept there's a flaw, fix it as fast as you can, move on. Your users will thank you for it.

        On a side note, I've been thinking a lot about Null Ptr deref issues... Adobe has this great track record now of fixing those issues... probably in large part due to Dowd's exploit, but a lot of other companies do NOT fix these issues. Which has got me thinking, it just takes one. Just one piece of research showing that your app/OS is vulnerable due to some condition, and suddenly those thousands of null ptr issues that were ignored before are a HUGE problem. Hopefully companies start to get at this like Adobe has. Microsoft also seems to be on top of this type of issue.

        -Nate
        nmcfeters
    • Safari flaw

      I don't let my users install QuickTime or iTunes on their workstations, the same treatment I give AOL and RealPlayer.

      Apple's TV commercials are laughable, but not for the reasons Apple wants. They're laughable because they're so ridiculous.

      Before you brand me as a Microsoft fanatic, I am anything but. I don't allow Internet Explorer 7 on my servers, and configure Mozilla Firefox as users' default browser on their workstations. I have built desktops using Ubuntu 7.10 and 8.04, Mandriva 2008.1, XP Pro, and Vista Business.

      However, I can spend less than half the price of an iMac for a PC that performs the same as, and usually better than, the iMac.

      The truth is what matters, not Apple or Microsoft, and in this case, the truth is that Safari has a serious security flaw.
      bb_apptix
  • The Company (apple) is not ready

    And never will be. Apple is (and always has been) all about smoke and mirrors. It is easy to be secure when no one is using your products. But now (thanks to a massive FALSE advertising campaign and the undeserved success of the iPod) that more people get conned into buying a Mac, it is a more tempting target for malware writers, and since Apple has no clue of any kind about security, the fun begins.....
    Mectron
    • Compared to who...

      exactly? Microsoft? You must be joking.
      SquishyParts
      • Apple fanboys are hopeless

        Guys like you are one of the main reason why i will always avoid Apple products.

        "exactly? Microsoft? You must be joking."

        Exactly compared to Microsoft.
        Just because Mac OS X gets far fewer exploits than Windows does not mean it is more secure.
        Apple has had 3 favorable circumstances up to now:
        1. Far fewer crackers hating them with a passion than Microsoft
        2. A much smaller market share than Microsoft, especially in the enterprise market, thus significantly reducing the interest in developing exploits for Mac OS X.
        3. Far fewer opportunities to get application-opening vulnerabilities, because yes, there are far fewer applications available for Mac OS X than for Windows

        Assuming their market share keeps increasing quite quickly, one day they will reach the critical point where they won't have these favorable circumstances anymore, and then we shall see if Mac OS X will be even remotely as secure as the Windows of that time.
        timiteh
        • Get a clue

          It has nothing to do with market share and everything to do with the design of the OS. With OS X, the default user is not logged in as an admin with root access. And Vista's pitiful excuse for security - the endless hounding for confirmation of actions - is a poor fix to Windows weaknesses.
          rag@...
          • Thank you!

            NT
            cashaww
          • Pot to Kettle: You're Black...

            [b]It has nothing to do with market share and everything to do with the design of the OS. With OS X, the default user is not logged in as an admin with root access. And Vista's pitiful excuse for security - the endless hounding for confirmation of actions - is a poor fix to Windows weaknesses. [/b]

            You should invest in a few clues yourself.

            It's not about logging the default user in as admin.

            It's about the software doing stupid stuff - like "carpet bombing" your desktop or downloads directory, allowing all manner of files to show up on your hard drive without ANY sort of input from the user.

            Personally, I'd rather be nagged to death about a bunch of files some wanker's website was trying to download to my desktop than to have the crapware downloaded and executed on my computer.

            Face it, Apple's freaking WRONG here. Period. Get over it.
            Wolfie2K3
          • Tard

            The poster said that the reason there were no OS X viruses was due to market share. It's not. It's because Windows is poorly designed.

            How many OS X viruses have there been in the wild since it was introduced over seven years ago? Can you say NONE?

            Have fun with your virus collection unit.
            rag@...
          • re:Tard

            [i]The poster said that the reason there were no OS X viruses was due to market share. It's not.[/i]

            Since that cannot be proven one way or the other... stop stating it as fact. You don't know any more than he/she does.
            Badgered
        • Hopeless? Fanboy?

          You seem to believe that the only reason that MS has the issues that it does is because of its market share. MS shipping its OS with Super user being the default set up & all ports open had nothing to do with it, right? There were plenty of other incompetent moves & bad engineering decisions that led to the state of viruses & malware as they stand today.

          http://www.roughlydrafted.com/Oct05.5Flaws.html

          Market share & name calling! I would have to say you're delusional. Is Apple perfect? Nope. Is MS better at security...again you must be joking. There is plenty of evidence to the contrary. To deny it is to deny history & fact. Let's look at the last ten years of computing. Use what you want, really I don't care. Whitewashing facts & a track record of incompetence & bad decision making & saying it is all because of market share is pure fanboyism.
          SquishyParts
        • Who cares WHY my Mac house....

          doesn't get robbed? The fact is that Windows has tens of thousands of attacks daily. Is there even ONE botnet made of Macs?

          It's not the theory that matters but the practice in daily life. That's no excuse for Apple not to immediately make what should be a simple fix to Safari.
          arminw
          • Stats Show Macs More Vulnerable

            According to ZDNet, Mac's OS X had more than 5 times the number of flaws per than Windows XP and Vista COMBINED in 2007, and most of those flaws were considered serious.

            It's amazing what marketing can do, isn't it?
            NameRedacted