Carpet bombing exploit spotted
June 11th 2008
In the ongoing saga that is the Safari carpet bombing issue, InfoWorld reports that a hacker has posted code that exploits critical flaws in Safari and Internet Explorer.
"This is a bad thing," said Eric Schultze, CTO, Shavlik Technologies, a network security company. "If you've got Safari, you're in trouble."
Still, the source code for this exploit, along with a demo of the attack, was posted Sunday on a computer security blog. It can be used to run unauthorized software on a victim's machine.
This is a so-called "blended attack," where the payload is delivered via Safari and then executed by exploiting a long-standing vulnerability in Internet Explorer.
For the rest of us, like so many security problems, this is a non-issue--it only affects Windows users.
Windows users dumping on each other; who cares? Apple should, for two reasons: 1) Safari is an Apple product, and this is dragging the company's good name down; 2) Safari-on-PC users are Apple customers--take care of them.
It's true that the carpet bombing issue is only a nuisance in the absence of a known Internet Explorer vulnerability. However, although I don't know the specifics of the implementation, it's said that Apple only needs to add a tick box to Safari (i.e., "Are you sure you want to download these files?") and the problem would go away.
Why not fix it?