June 02, 2008

Microsoft Warns on Safari 'Carpet Bombing' Flaw


As if Windows users didn't already have enough good reasons to avoid Apple's Safari Web browser, Microsoft this week provided another, more important one: It can be used to trigger a so-called "carpet bombing" attack on users' PCs and running applications that could be used to take over the machine.

According to the security researcher who discovered the problem, the Safari carpet bombing flaw is actually one of three separate security issues he found in the browser in mid-May. Nitesh Dhanjani says he reported the flaws to Apple at that time, and Apple has pledged to fix one of the other flaws he discovered, but does not feel the carpet bombing flaw is "security related."

Dhanjani disagrees. "It is possible for a rogue Web site to litter the user's desktop [with executable applications]," Dhanjani writes in a blog post describing the flaw. "This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location. The implication of this is obvious: Malware downloaded to the user's desktop without the user's consent."

Apple's response to Dhanjani suggests that the company isn't interested in tackling this problem anytime soon. "We can file that as an enhancement request for the Safari team," Apple told him. "Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated."

On Friday, Microsoft announced that it was taking the flaw more seriously because it is a "blended threat" that combines a Safari flaw with how the Windows desktop handles executables. "Microsoft will take the appropriate measures to protect our customers," a Microsoft security advisory reads. "This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customers' needs."

Microsoft recommends a workaround while it works on a solution: Reconfigure the default location where Safari downloads content to the local drive, as doing so will prevent the flaw from being exploited. I have a more elegant solution: Simply avoid Safari altogether and use a browser that's written by developers who understand the security nuances of Windows better. I recommend Mozilla Firefox, but Internet Explorer 7 is acceptable as well.
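The symptom the article describes is a Desktop that fills up with executable files the user never agreed to download. The following Python spot check is an added example (not code from the article, Microsoft or Apple) that a defender could run on a Windows user profile: it flags executable-type files written to the Desktop within a recent window, and checks whether a browser's download folder still points at the Desktop, the configuration the workaround above tells users to change. The extension list and the one-hour window are assumptions.

```python
"""Flag executable files recently dropped into a user's Desktop folder.

Added example: a defender's spot check for a browser littering the
Desktop with binaries without the user's consent. The extension set
and the 'recent' window are assumptions, not values from the article.
"""
import os
import time
from pathlib import Path

# Assumed: file types Windows treats as executable content when a user
# double-clicks them or a program loads them from the Desktop.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd"}


def find_dropped_binaries(desktop_dir, since_seconds=3600, now=None):
    """Return executable-type files in desktop_dir whose modification
    time falls within the last `since_seconds` seconds, newest first."""
    now = time.time() if now is None else now
    cutoff = now - since_seconds
    hits = []
    for path in Path(desktop_dir).iterdir():
        if not path.is_file():
            continue
        if path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        if path.stat().st_mtime >= cutoff:
            hits.append(path)
    return sorted(hits, key=lambda p: p.stat().st_mtime, reverse=True)


def desktop_is_download_target(desktop_dir, download_dir):
    """True when the browser's download folder resolves to the Desktop,
    i.e. the default the workaround says to move elsewhere."""
    return Path(desktop_dir).resolve() == Path(download_dir).resolve()


if __name__ == "__main__":
    # On Windows the profile root is USERPROFILE; fall back to home dir.
    desktop = Path(os.environ.get("USERPROFILE", Path.home())) / "Desktop"
    if desktop.is_dir():
        for hit in find_dropped_binaries(desktop):
            print("recent executable on Desktop:", hit)
```

Point `download_dir` at the browser's configured download folder; a `True` result means the workaround has not been applied.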




Reader Comments
AHAHAHAHAHA!!!!

what did i always say about Safari?

welcome to Kazaa 2.0 (all over again).

XP

Waethorn June 02, 2008


"Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated."

That is my favorite line.

Can a website put whatever it wants on your desktop? YES!

Is this a security issue? No - because Apple products don't have security issues. They have UI issues.

Yup - Apple products are much more secure. Denying you have a problem is as good as fixing it.

jersey72 June 02, 2008


This incompetence defines why I use Vista and Windows in general. Jobs does not give a damn about the Mac, Linux, or Windows Community. Jobs has been all about himself and this "Me, Myself, and I" mentality jeopardises all that Apple's resurgence has accomplished. This lack of basic customer service and disrespect of the computer community hurts everyone. The Apple community, especially the enthusiasts, need both a climate and culture change. A greater respect to the histories, cultures, and sensibilities of Microsoft, Windows, PC history, and the greater PC world. A complete and sweeping OS redevelopment is in order. Instead of a 24 year outdated UI, something new and revolutionary/evolutionary is needed. Also, a non-Mac version is sadly overdue. Finally, a major shift in security response and approach needs to take root. Apple has been falling behind in security response since 2002. The Swiss research paper on zero day response proves it.

subzerohitman721 June 03, 2008


Who was it that ranted on the Supersite blog that Steve Jobs is all about the consumer? Someone owes Waethorn an apology. To respond to Apple about this, I quote Sen. Biden responding to a Bush speech, "This is Bulls**t." Apple's decision is clearly anti-consumer. Microsoft clearly is the big winner thanks to the Blaster/Sasser worm fiasco. By being proactive and timely responsive to security issues, MS has turned a weakness to a strength. Published reports at PC World state that Vista's UAC is an excellent defense against rootkits. MS turned Leopard and Apple's security 5 minutes in spotlight into a joke. If or when a carpet bomb attack happens, expect the Windows community to rip up and laugh at Jobs and Apple. Not only at their arrogance but at the level of incompetence. It is long overdue to say this. The Mac fanboys/girls need to quit the useless whining and sheeplike devotion to a device. Instead of the status quo, a major redevelopment of the OS which feels 24 years old and still behind.

subzerohitman721 June 03, 2008


Hey Subzero, some advice. Shut up.

You use Windows and are giving Apple advice on how to design their operating system? That makes as much sense as Apple users giving Microsoft advice on how to design theirs; lord knows they need to ditch the 15 year old start menu, but that's my opinion. Frankly my family finds the Mac UI far easier to navigate than Windows Vista. Apple doesn't care about your wishes for a non-Apple approved Mac, it's not going to happen, ever. Apple is doing perfectly fine with their business model, despite what people like you have been saying for years that it was a slow death sentence.

I've seen you post here and on Paul's blog about how Mac is so insecure, but if that's the case why has my identity not been stolen? Why have I not been attacked? Oh that's right, hackers have ZERO interest in penetrating a paltry 3-5% of the overall market when Windows XP is still the mainstream, and frankly a gold mine for them. Face it, I'm safer on a Mac with all these big bad exploits than 99.99% of Windows users are.

I'm sure for the 12 Safari users on Windows this is horrible news, stop blowing this completely out of proportion you drama queen. Let's not forget the computer version of AIDS that is Internet Explorer 6 and the damage that has caused systems around the planet.

Reflections June 03, 2008


"Simply avoid Safari all together and use a browser that's written by developers who understand the security nuances of Windows better. "

While I'm inclined to agree with you here, I'm also wondering why you've advised people to stay on the insecure Windows platform for so many years if you're really this concerned. The billions in lost productivity due to the "misunderstanding" of "security nuances" in Windows is staggering.

lotsamystuff June 03, 2008

