With the iCal security controversy still echoing, a different issue, this time involving Apple's browser, is ratcheting up the hype, with Microsoft publicly stating that Windows users should avoid the application until a patch is produced.
The Safari carpet bomb attack (ZDNet, May 15) isn't a vulnerability per se, only a serious annoyance and not a way for an attacker to take over a computer. As of this writing, a "rogue website" could cause hundreds of files to be downloaded to a user's desktop or downloads folder.
Apple isn't concerned and has said they're not going to patch the issue any time soon. Others are demanding action.
Those demands didn't get much attention until yesterday, that is, when Microsoft issued an advisory (The Register) to Windows users saying that they should avoid Safari until the issue is addressed by either Redmond or Apple.
Although there isn't an attack vector, Microsoft is concerned that should one be developed, a user could find himself deluged under a barrage of hundreds of simultaneously executing files. Alternatively, Microsoft could be making a point about how seriously they take "security" as opposed to Apple.
Still, the nut of the issue, according to security expert Nitesh Dhanjani (ZDNet), is this:
It is possible for a rogue website to litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in OSX). This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location (unless changed).
Apple won't create a tick box. That's the point. But, users almost universally ignore tick boxes and Apple's choosing to go with the "wisdom of the crowd," which is all well and fine until an actual attack vector appears and those hundreds of downloads begin executing (and we actually need that tick box).
Then again, no one seems to be discussing the probability of anyone creating such a vector (Are we talking about toddlers randomly combining pieces of code or would it require a multi-year NSA skunkworks project to get it done?).
Update: For Windows users, at least, an attack vector for the "carpet bombing" vulnerability now exists. A so-called "blended attack" requires that a user have both Internet Explorer and Safari installed.
Here's the dope from Aviv Raff:
This combined Safari/IE vulnerability might still be successfully exploited, even if the user will change Safari's download location. Also, the Safari "Carpet Bomb" vulnerability can be used in combination with vulnerabilities in other products, so even if MS fixes their vulnerability, Safari users will still be vulnerable ... The current best solution is to stop using Safari until Apple fixes their vulnerability.
But, wait, isn't the lack of a real or likely attack vector one of the bitter issues between Apple and Core Securities vis-a-vis iCal? Yup.
The signal to noise to echo ratio is getting absurd...