Firefox + Safari = carpet bombing pwnage


On Friday, Apple posted the Safari 3.1.2 for Windows update, which patched the Safari + Internet Explorer "blended" carpet bombing attack.

However, as it often goes with security matters, the worm has turned.

Windows security blogger Billy Rios has discovered that Safari + Firefox also provides an attack vector.

"There was a lot of discussion about how this behavior could be used in a 'blended' attack with IE, but Safari's behavior affected more than just IE," says Mr Rios. "I've discovered a way to use the Safari's carpet bomb in conjunction with Firefox to steal user files from the local file system."

Although the improved security features of Firefox 3 ameliorate the threat to a degree, Rios states that there's still a way in to "pwn" a PC.

Yes, Apple originally refused to patch the Safari carpet bombing issue on its Windows version, but they eventually relented and delivered an update. This fix apparently is now in need of a separate fix to address a related issue with Firefox.

The folks at Mozilla, which patched an OS X 10.5.3 issue because it was the right thing to do™, are a responsive bunch, so I expect to see a patch from them pretty quickly.

And, no, this issue apparently doesn't affect Mac users.

Still, should Apple issue yet another fix?

Props to Slashdot
