

Safari flaw spawns new security furor [u]



With the iCal security controversy still echoing, a different issue, this time involving Apple's browser, is ratcheting up the hype, with Microsoft publicly stating that Windows users should avoid the application until a patch is produced.

The Safari carpet bomb attack (ZDNet, May 15) isn't a vulnerability per se: it is a serious annoyance, not a way for an attacker to take over a computer. As of this writing, a "rogue website" could cause hundreds of files to be downloaded to a user's desktop or downloads folder.

Apple isn't concerned and has said they're not going to patch the issue any time soon. Others are demanding action.


Those demands didn't get much attention until yesterday, when Microsoft issued an advisory (The Register) to Windows users saying that they should avoid Safari until the issue is addressed by either Redmond or Apple.

Although there isn't an attack vector, Microsoft is concerned that should one be developed, a user could find himself deluged under a barrage of hundreds of simultaneously executing files. Alternatively, Microsoft could be making a point about how seriously they take "security" as opposed to Apple.

Still, the nut of the issue, according to security expert Nitesh Dhanjani (ZDNet), is this:

It is possible for a rogue website to litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in OSX). This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location (unless changed).

Apple won't create a tick box. That's the point. But users almost universally ignore tick boxes, and Apple is choosing to go with the "wisdom of the crowd," which is all well and fine until an actual attack vector appears and those hundreds of downloads begin executing (and we actually need that tick box).

Then again, no one seems to be discussing the probability of anyone creating such a vector (Are we talking about toddlers randomly combining pieces of code or would it require a multi-year NSA skunkworks project to get it done?).

[u] For Windows users, at least, an attack vector for the "carpet bombing" vulnerability now exists. A so-called "blended attack" requires that a user have both Internet Explorer and Safari installed.

Here's the dope from Aviv Raff:

This combined Safari/IE vulnerability might still be successfully exploited, even if the user will change Safari's download location. Also, the Safari "Carpet Bomb" vulnerability can be used in combination with vulnerabilities in other products, so even if MS fixes their vulnerability, Safari users will still be vulnerable ... The current best solution is to stop using Safari until Apple fixes their vulnerability. [u]
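The behaviour described above, hundreds of files landing in a download directory within seconds and from a single site, is easy to spot after the fact. The following is an added example, not code from the article or from Apple, Microsoft or the researchers quoted: it runs a per-origin sliding-window burst detector over a download log and separately lists files that landed on a Desktop directory (the Windows default the article mentions). The `DownloadEvent` record shape, the thresholds, and the sample log with its made-up origins and Windows paths are all assumptions constructed for this example.

```python
"""Added example (not from the article): flag 'carpet bomb' style download
bursts in a download log.

Assumptions: the browser's download history has been exported as
DownloadEvent records (timestamp, originating site, landing path). The
sample log below is constructed for this example; the Windows paths,
origins and file names are made up.
"""
from collections import defaultdict, deque
from typing import Iterable, NamedTuple


class DownloadEvent(NamedTuple):
    ts: float     # seconds since epoch
    origin: str   # site that initiated the download
    path: str     # where the file landed (Desktop on Windows, ~/Downloads on OS X)


# A legitimate site rarely hands a user more than a handful of files at once;
# hundreds inside a few seconds from one origin is the pattern the article describes.
WINDOW_SECONDS = 10.0
MAX_FILES = 5


def find_bursts(events: Iterable[DownloadEvent],
                window: float = WINDOW_SECONDS,
                max_files: int = MAX_FILES) -> list:
    """Return [(origin, peak_count), ...] for every origin that dropped more
    than `max_files` files within any `window`-second span, ordered by origin.

    Uses a per-origin sliding window: timestamps older than `window` seconds
    relative to the current event are evicted before the count is checked.
    """
    recent = defaultdict(deque)   # origin -> timestamps inside the window
    peak = {}                     # origin -> largest in-window count seen
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.origin]
        q.append(ev.ts)
        while ev.ts - q[0] > window:   # q is never empty: ev.ts was just appended
            q.popleft()
        if len(q) > max_files:
            peak[ev.origin] = max(peak.get(ev.origin, 0), len(q))
    return sorted(peak.items())


def landed_on_desktop(events: Iterable[DownloadEvent]) -> list:
    """Paths that landed in a Desktop directory, where a stray click on a
    hundred new icons is far more likely than in a downloads folder."""
    return [ev.path for ev in events
            if "\\Desktop\\" in ev.path or "/Desktop/" in ev.path]


# Constructed sample: one normal download, then a rogue page forcing 200
# files onto the Desktop within ten seconds, then another normal download.
SAMPLE_LOG = (
    [DownloadEvent(1000.0, "https://news.example", r"C:\Users\me\Downloads\report.pdf")]
    + [DownloadEvent(1010.0 + i * 0.05, "https://rogue.example",
                     rf"C:\Users\me\Desktop\junk{i}.exe") for i in range(200)]
    + [DownloadEvent(1100.0, "https://news.example", r"C:\Users\me\Downloads\photo.jpg")]
)


if __name__ == "__main__":
    for origin, count in find_bursts(SAMPLE_LOG):
        print(f"burst: {origin} dropped {count} files within {WINDOW_SECONDS:g}s")
    print(f"{len(landed_on_desktop(SAMPLE_LOG))} files landed on the Desktop")
```

The window and file-count thresholds are deliberately loose; a site that legitimately serves a zip of several documents will not trip them, while the scenario the article describes exceeds them by an order of magnitude. Because the detector keys on origin rather than file name, a rogue page that varies the names of what it pushes is caught just the same.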

But, wait, isn't the lack of a real or likely attack vector one of the bitter issues between Apple and Core Securities vis-a-vis iCal? Yup.

The signal to noise to echo ratio is getting absurd...

Copyright 1995-2015 Insanely Great Mac. All rights reserved.