Anti-malware group scolds Apple over Safari 'carpet bomb'
StopBadware.org sees problem as a security issue; Apple doesn't
Computerworld - An anti-malware organization has called on Apple Inc. to beef up its Safari Web browser to protect users from exploits that could let attackers download malicious code to a Mac or Windows user's desktop.
"StopBadware.org believes that users should have control over software being downloaded to their computers, and we encourage Apple to reconsider its stance and treat this as the security issue that it is," StopBadware.org said in an appeal posted to its Web site.
The group's concern centered around an issue made public a week ago by Nitesh Dhanjani, a security researcher and co-author of the book Network Security Tools (O'Reilly Media Inc., 2005). In a post to his own blog last week, Dhanjani spelled out what he called a "carpet bomb" attack possible via Safari.
According to Dhanjani, attackers could take advantage of the fact that Safari lacks an option to require a user's permission to download a file. Those attackers, Dhanjani claimed, could populate a malicious site with rogue code that in turn would automatically litter a user's desktop with malware.
Although Dhanjani praised Apple's security team for its rapid response to his queries, he also noted that the computer and consumer electronics maker passed on updating Safari to lock out such attacks.
After he suggested that Apple add a setting to Safari that could be toggled to ask the user before downloads are allowed, Dhanjani said he received this reply from the company's security group: "The ability to have a preference to 'Ask me before downloading anything' is a good suggestion. We can file that as an enhancement request for the Safari team."
However, the issue is not a security problem, said Apple. "Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads," the company said.
Other browsers, including Microsoft Corp.'s Internet Explorer and Mozilla Corp.'s Firefox, include options that prompt users before initiating downloads of some or all file types.
"Assuming Nitesh's analysis is accurate, 'unwanted downloads,' as Apple calls them, represent a serious security threat to users, who can be easily tricked into executing a malicious file," argued StopBadware.org.
The group has rebuked Apple before. In March, when Apple started using its software update utility to push Safari 3.1 to Windows users, StopBadware.org first noted the move, then later said that, following its usual practice, it had notified Apple it would soon issue a "badware" alert for the company's Software Update.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts