Security researcher Billy Rios posted an article today about the Apple Safari "Carpet Bomb" attack, discussing a new issue that keeps the "Carpet Bomb" attack alive and well despite the patch that prevented a "blended" remote command execution attack when Safari was used in conjunction with IE on a Windows system.
Rios mentioned on his blog that when Safari is used on a system that also has Firefox 2/3 installed, the combination can give an attacker the opportunity to steal arbitrary files from the filesystem. Rios stated that he would not go into further details at this time, as the issue is not fixed by the current Safari patch; however, he did mention that Firefox 3 is vulnerable, but has some protections that help mitigate the issue somewhat.
Apple took some heat over their original stance on the "Carpet Bomb" issue; however, it is important to note that the remote command execution and this later arbitrary file stealing issue were NOT understood at the time of the original discovery. I think kudos should be given to Apple for recognizing that the "Carpet Bomb" issue was more useful to attackers than previously thought, and actually getting a patch out in a pretty reasonable timeframe. Hopefully we can expect more of the same from Apple with this newest reported "blended" attack.
"Blended" attacks seem to be the new hotness in the computer security research and hacking realms. The idea is that you can steal pieces from here and there that, combined, render mitigations and outright security models ineffective. Recent examples of this might be John Heasman's anti-DNS pinning in Java leading to arbitrary command execution, the use by several researchers of Java and other technologies to bypass DEP protections in browser exploits, Rob Carter's XSS on locally running web servers, etc.
Rios makes a wonderful set of statements about these "blended" threat attacks and what they mean to users, which I've paraphrased (and bolded key statements) below:
"Now, these types of vulnerabilities are a perfect example of how all the software and systems we use are part of a giant ecosystem. Whether we like it or not, the various parts of the ecosystem are intertwined with each other, depending on each other. When one piece of the ecosystem gets out of line, it can have a dramatic effect on the ecosystem as a whole. A small vulnerability or even an “annoying” behavior from one piece of software could alter the behavior of a 2nd piece of software, which a 3rd piece of software is depending on for a security decision (The recent pwn2own browser -> java -> flash pwnage is a great example of this). As the ecosystem grows via plugins, functionality, and new software, so does the attack surface. Eventually, the interactions between systems and software become a gigantic mesh and the attack surface becomes almost infinite.
Now, a lot of people have criticized Apple for their inability to see the carpet bombing behavior as a security issue. If Apple looked at their product (Safari) in isolation, maybe it wasn’t a high risk security issue to them and it was really more of an annoyance… it’s only when you look at the ecosystem as a whole that we start to see the security implications of this behavior. Should we have expected Apple to threat model the risks of this behavior against their own products AND other third party products as well? Can we reasonably expect them (or anyone) to have the requisite knowledge to truly understand how certain behavior will affect the ecosystem?
This brings us to a pressing question. In the “real world”, users install products from multiple vendors. Whose responsibility is it to examine the interaction between all these products?"
More wonderful work from one of the highest impact researchers of the last year and a half, and kudos to Billy for keeping the details out until Apple has a chance to address or at least respond to the issue.