May 15, 2008 2:32 PM PDT

Apple dismisses Safari vulnerability

Safari users are at risk of littering their desktops with malicious software because the browser does not ask for user permission when downloading files in the way that Firefox and Internet Explorer do, a security researcher said Thursday.

In a blog post titled "Safari Carpet Bomb," Nitesh Dhanjani describes how a rogue Web site can easily download resources to the Windows desktop or downloads directory on the Mac.

"Apple does not feel this is an issue they want to tackle at this time," he writes.

An Apple representative told Dhanjani that an "enhancement request" for an "Ask me before downloading anything" preference would be filed with the Safari team. "Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads," the Apple representative wrote in an e-mail to Dhanjani.

That issue, coupled with the fact that Safari doesn't warn users when a local resource, such as an HTML file, attempts to invoke client-side scripting, creates a risky situation for most browser users, Dhanjani said in an interview. "People are starting to expect more from browsers today," he said.

The Apple representative told him that the company has been "investigating the potential for a 'safe' mode for local HTML."

Meanwhile, Apple does plan to fix a high-risk security vulnerability that Dhanjani discovered. It could be used to remotely steal local files from a user's file system.

An Apple spokesman did not return a phone call and e-mail seeking comment.

"Since Safari does not know how to render content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served. If you are using Safari in Windows, this is what will happen to your desktop once you visit http://malicious.example.com/," Dhanjani writes in explaining this screenshot.

(Credit: Nitesh Dhanjani)
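To give the mechanism Dhanjani describes a defender's footing, the following added example (my code, not code from the article or from Dhanjani's post) scans constructed proxy log lines and flags any site that delivered several responses a browser would save to disk rather than render, either because of a `Content-Disposition: attachment` header or because the media type, like the `blah/blah` type quoted above, is one the browser cannot display. The log format, the host names, the `RENDERABLE` list and the threshold of five are assumptions made for the example.

```python
"""Flag HTTP responses that a browser would save to disk without rendering,
then count them per (client, site) to surface a single site pushing many
unsolicited downloads.  Added example, not code from the article or from
Dhanjani's post; log format, hosts and threshold are constructed."""
from collections import Counter

# Media types assumed to render in the browser window (illustrative subset).
# Anything else is treated as a download candidate.
RENDERABLE = {
    "text/html", "text/plain", "text/css", "text/xml", "application/xml",
    "application/xhtml+xml", "application/javascript", "text/javascript",
    "image/png", "image/gif", "image/jpeg", "image/svg+xml", "application/pdf",
}


def is_forced_download(headers):
    """True if a response with these headers is saved rather than rendered:
    Content-Disposition: attachment, or a media type not in RENDERABLE."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("content-disposition", "").strip().lower().startswith("attachment"):
        return True
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    return media_type not in RENDERABLE


def parse_log_line(line):
    """Parse one constructed proxy log line of the form
    <client> <host> <path> <status> <content-type> [<content-disposition>]"""
    parts = line.split(" ", 5)
    client, host, path, status, media_type = parts[:5]
    headers = {"Content-Type": media_type}
    if len(parts) == 6:
        headers["Content-Disposition"] = parts[5]
    return client, host, path, int(status), headers


def find_carpet_bombers(lines, threshold=5):
    """Return {(client, host): count} for every site that delivered at least
    `threshold` successful forced-download responses to one client."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        client, host, _path, status, headers = parse_log_line(line)
        if status == 200 and is_forced_download(headers):
            counts[(client, host)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample log: one client visits a news site, an image, a file
# server once, and a page that serves an unknown media type repeatedly.
SAMPLE_LOG = """
10.0.0.5 news.example.net /index.html 200 text/html;charset=utf-8
10.0.0.5 news.example.net /logo.png 200 image/png
10.0.0.5 files.example.org /report.bin 200 application/octet-stream
10.0.0.5 malicious.example.com /carpet_bomb.cgi 200 blah/blah
10.0.0.5 malicious.example.com /carpet_bomb.cgi 200 blah/blah
10.0.0.5 malicious.example.com /carpet_bomb.cgi 200 blah/blah
10.0.0.5 malicious.example.com /carpet_bomb.cgi 200 blah/blah
10.0.0.5 malicious.example.com /carpet_bomb.cgi 200 blah/blah
10.0.0.5 malicious.example.com /carpet_bomb.cgi 200 blah/blah
10.0.0.5 news.example.net /story.html 200 text/html
"""


def main():
    hits = find_carpet_bombers(SAMPLE_LOG.splitlines())
    for (client, host), n in sorted(hits.items()):
        print(f"{client} received {n} forced downloads from {host}")


if __name__ == "__main__":
    main()
```

A single forced download is normal (the one `application/octet-stream` response from the file server is not reported at the default threshold); the signal is one site pushing the same non-renderable response over and over to one client, which is exactly the pattern the quoted screenshot shows.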
16 comments (Page 1 of 2)
by Thomas, David May 15, 2008 3:26 PM PDT
Holy smokes. In fact, what ARE you smoking? This is a strange argument indeed. I already know, and expect client-side scripting for many, many reasons. However, I also know that scripting is sand-boxed. Did you EVEN think about what is allowed before you wrote your article, or did you simply make the ill-informed assumption that all client-side scripts are bad? I have to blast you over the downloads as well; warnings DO pop up concerning files that are detected to contain disk images and executable files. The ONE THING (well, a lot more) that users can count on is the lack of nagging, meaningless messages that want to ask you if you want to scratch your butt, when using Apple software. One of the very things Vista is being blasted on is its overuse of the same idea, that if you nag your users you are making them feel more secure. Well guess what, it's a false sense of security.
by M C May 15, 2008 3:26 PM PDT
Alternate title: "CNet <3 security press releases" I sure hope CBS installs some journalism.
by estie2007 May 15, 2008 3:29 PM PDT
This is why I would never download Safari. It's too immature.
by john55440 May 15, 2008 3:48 PM PDT
In addition, Apple didn't bother to put any anti-phishing tools into Safari. From the folks who brought us the security bugfest QuickTime.
by ittesi259 May 15, 2008 3:53 PM PDT
Even though I'm a Mac user, this is another example of why I use Firefox. On the PC side I use it too. And anyone who follows a site like macfixit.com or other Mac troubleshooting sites and has the objectivity to think about it would see that Safari ranks up there in reasons for Mac headaches and stuff not working. My advice is not to use it, period.
by helroth May 15, 2008 5:51 PM PDT
"it's instills, not installs you Dumbkopf." It's dummkopf, not dumbkopf, you moron.
by curiousgeorge1961 May 15, 2008 11:04 PM PDT
Go to Safari preferences--unclick "open safe files after downloading"--so you get to decide what to open or not--also you get the warning "file so and so contains an application, do you want to keep downloading it?" I think that's plenty of security.
by JonB. May 16, 2008 8:35 AM PDT
At some point the user has to accept responsibility for their action or inaction, and maybe even learn the software they're using.
by htoole318 May 16, 2008 8:36 AM PDT
Apple is a joke. At the last hacker convention, they tried to break into Vista, Mac, and Linux. No one even tried to get into Linux, Mac was broken very quickly, and Vista was only cracked when the permissions were turned down, and even then it was an Adobe exploit that did it. Apple refuses to admit they are NOT a secure system; hackers have just ignored Apples in the past due to an only 8% market share. Macs are nice systems, but c'mon, don't go around bragging about security and then call the above not a security issue...
by ZiggyBop May 16, 2008 1:10 PM PDT
Hey tool. Think about it. The Safari hack you mentioned was done in under 2 minutes by directing Safari to a pre-convention established website. The hacker discovered the exploit and crafted a website prior to the timer starting at the contest. If this had been a Vista exploit, the hacker could have sold it for more than the convention prize. Why show it off at a convention? As Apple quickly plugged the hole, as they usually and easily do, there's no market for these hacks. There's no one making money off breaking into Macs, except hackers winning contests at conventions. There's still no reason for most users to run resource-hogging anti-malware. The only reason to guard against malware on a Mac is to prevent passing Windows malware via email in a mixed Mac/PC environment.