IDG News Service - Two years after fixing a security bug in the Windows version of its Safari browser, Apple apparently has decided that Mac users can go without a fix.
Apple was initially unimpressed by Nitesh Dhanjani's work developing what's known as a "carpet bomb" attack, the security researcher said in an interview Monday. "I told Apple about it two years ago, and they responded back, saying it was more of an annoyance than anything else."
That turned out to be the wrong assessment. Soon after Dhanjani went public with the flaw in May 2008, another security researcher showed how carpet bombing could be combined with another Windows attack to run unauthorized software on a Windows PC. Apple then shipped a fix for Safari on Windows, but not for Safari on Mac OS X.
Nobody has shown how to do this on the Mac OS X version of Safari, but Dhanjani still thinks Apple should fix the issue on both platforms.
In a carpet bomb attack, the victim visits a malicious Web site, which then starts downloading unauthorized files to the victim's computer without any sort of approval.
"[W]hile most sane Web browsers warn the end user and ask for explicit permission before saving a file locally, Safari goes ahead and saves the file into the default download location without asking the user," he said in a blog posting, "even if hundreds of files are served up by the malicious website simultaneously."
Without conducting another attack, hackers still have no way to run the files on the victim's computer, but these unauthorized downloads still represent a security risk, Dhanjani said. "In this day and age ... the site shouldn't be able to drop anything it wants into my downloads folder."
Not everyone agrees, however. Noted Apple hacker Charlie Miller said that Dhanjani's bug is not serious because there is no second Mac OS X bug that causes downloaded files to be executed. "So basically, a Web site can start to download a bunch of files to your Downloads directory. This isn't an ideal situation, but then again, I don't see a lot of harm that comes from it," he said in an e-mail interview. "Especially, if the alternative is for the browser to nag me every time I want to download something."
Dhanjani believes Apple hasn't fixed the issue because it might annoy Mac users. "They're going after usability," he said. "Apple wants to make everything so seamless that they don't want the user to have to go through this extra process."
Apple did not immediately respond to a request for comment on this story. The company typically does not comment on security issues.
In a May 2008 e-mail message to Dhanjani, viewed by the IDG News Service, Apple's security team said it would consider adding an "Ask me before downloading anything" preference to Safari. "This will require a review with the Human Interface team," Apple told the researcher. "We want to set your expectations that this could take quite a while, if it ever gets incorporated."
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Malware and Vulnerabilities White Papers | Webcasts