Anti-malware group: Apple refuses to fix big Safari security hole

StopBadware.org, a prominent anti-malware group, says Apple has refused to fix a serious security hole in Safari, even though it puts users at serious risk. The hole, a so-called "carpet bomb," could be used by Web sites to flood a PC or Mac with malware.

According to Computerworld, StopBadware.org has asked Apple to fix the hole, but Apple so far has refused.

The hole was first made public last week by security researcher Nitesh Dhanjani. According to Computerworld's article, here's how Dhanjani says the carpet bomb works:

Attackers could take advantage of the fact that Safari lacks an option to require a user's permission to download a file. Those attackers, Dhanjani claimed, could populate a malicious site with rogue code that in turn would automatically litter a user's desktop with malware.

Dhanjani has a simple fix: Add a setting to Safari that would let users choose to be prompted before a file downloads. Both Internet Explorer and Firefox include this option.

Apple, however, pooh-poohs the security threat. It won't rush to fix the hole. Instead, it will treat it as a possible future enhancement. Dhanjani sent emails to Apple, asking them to add the download prompt option to Safari. Here's what Apple said in response to Dhanjani’s emails, according to StopBadware.org:

We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.

In other words, we'll get to it when we'll get to it, if we want to get to it. So don't hold your breath.

StopBadware.org has this to say in reply in its blog:

Assuming Nitesh’s analysis is accurate, "unwanted downloads," as Apple calls them, represent a serious security threat to users, who can be easily tricked into executing a malicious file. StopBadware.org believes that users should have control over software being downloaded to their computers, and we encourage Apple to reconsider its stance and treat this as the security issue that it is.

StopBadware.org, by the way, is no fly-by-night operation. Among its founders are Google, Sun Microsystems, and Lenovo.

Why won't Apple take the group, and the security hole, seriously? That's hard to know. In the past, though, the company has refused to acknowledge other potential security problems, such as when it used a technique to get people to download Safari that some considered a malware-like practice.

I chalk it up to arrogance. Apple doesn't like to admit it makes errors, even when, as in this case, their errors endanger users.


Copyright © 2008 IDG Communications, Inc.
