Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Microsoft Urges Windows Users To Shun Safari

Posted by CowboyNeal on Sat May 31, 2008 08:58 AM
from the big-surprise-there dept.
Microsoft Businesses Operating Systems Security Software Windows Apple
benjymouse writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to 'restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.' This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Essentially, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem." Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you.
+ -
story

Related Stories

Firehose:Microsoft urges Windows users to shun Safari by benjymouse (756774)
[+] Safari "Carpet Bomb" Attack Code Released 118 comments
snydeq writes "A hacker has posted attack code that exploits critical flaws in the Safari and Internet Explorer Web browsers. The source code can be used to run unauthorized software on a victim's machine, and could be used by criminals in Web-based computer attacks, security experts say. The public example of the attack code allows attackers to litter a victim's desktop with executable files, an attack known as 'carpet bombing.' In combination with bugs in Windows and Internet Explorer, attackers can run unauthorized software on a victim's computer."
[+] IT: Apple Fixes Safari "Carpet Bomb" Windows Vulnerability 99 comments
Titoxd writes "Apple has released a new version of Safari that fixes the carpet bomb vulnerability in Safari 3.1 for Windows. This comes in the heels of Microsoft recommending against using Safari in Windows, as well as the release of code exploiting this vulnerability."
[+] IT: Safari "Carpet Bomb" Attack Still a Risk 117 comments
SecureThroughObscure writes "Just a short time after Apple's recent acknowledgment of and patch for the Safari Carpet Bomb 'blended' IE flaw, Microsoft researcher Billy Rios shows that Safari is still useful in a blended attack, this time with Firefox 2/3. (ZDNet's Nate McFeters also spread the word.) Rios claimed that he is able to use Carpet Bomb, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed. Both Rios and McFeters pointed out that Apple, which took some heat for not originally patching, actually did a good job of addressing the issue, as the code execution angle was not originally understood (the details came out later). Rios is withholding details of the new attack vector until Apple has had time to patch or respond to this issue."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Microsoft Urges Windows Users To Shun Safari 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Accidentents. (Score:5, Insightful)

    by Vectronic (1221470) on Saturday May 31 2008, @09:01AM (#23608951)
    "Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you."

    With hundreds of files on your desktop, what are the odds you'd hit one when you are just blanking out a selection, or deleting them, or frustratingly smack your mouse for [whatever reason]

    • Re:Accidentents. --lol (Score:5, Funny)

      by Vectronic (1221470) on Saturday May 31 2008, @09:02AM (#23608959)
      Time for bed.

        • Re:Accidentents. --lol (Score:5, Informative)

          by DAldredge (2353) <SlashdotEmail@GMail.Com> on Saturday May 31 2008, @12:09PM (#23610131) Journal
          From the linked article "Apple does not feel this is a issue they want to tackle at this time. In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system. Apple agreed it was a good suggestion: ...the ability to have a preference to "Ask me before downloading anything" is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated. [credit to BK have-it-your-way Rios for suggesting the term "Carpet Bomb" to describe this issue]."

    • Re:Accidentents. (Score:5, Insightful)

      by dfm3 (830843) on Saturday May 31 2008, @10:09AM (#23609303) Journal

      With hundreds of files on your desktop, what are the odds you'd hit one when you are just blanking out a selection, or deleting them, or frustratingly smack your mouse for [whatever reason]
      Or, even worse, on purpose.

      First, imagine how many people would just blindly click on a new desktop icon just to "see what it does".

      Second scenario, most Windows users I know keep file extensions off by default, and keep dozens of shortcuts to executables on their desktop among various folders, downloaded files, and other clutter. Now what if the downloaded file were named "safari.cgi" or "iTunes.cgi", but all the user sees is Safari with a generic file icon. I know many people who would think, "hmm, the icon to my internets is messed up" and click it anyway.

    • Re:Accidentents. (Score:5, Interesting)

      by Znork (31774) on Saturday May 31 2008, @10:15AM (#23609329)
      Why even bother with executing them? I can imagine a whole host of marketing people thinking this is a great way to obtain prime advertisement real-estate.

      Getting an icon on a users desktop is something some companies pay a lot of money for. In fact, the ability to spam any download folder is probably something they regard as worthwhile.

        • Re:Accidentents. (Score:5, Informative)

          by recoiledsnake (879048) on Saturday May 31 2008, @12:36PM (#23610333)
          Wrong, Apple has been installing Safari on Windows users machine disguised as an update to iTunes/Quicktime. And iTunes has hundreds of millions of users. Even if 5% of them use Safari, it's a pretty big demographic.

    • Re:Accidentents. (Score:5, Insightful)

      by kitgerrits (1034262) * on Saturday May 31 2008, @10:17AM (#23609347)
      As a Linux user, I have to point out one thing in Microsoft's defense:
      Lately, it seems to tag executables that have been downloaded and warns you about it when you try to run them.
      Apparently, Safari does not have this mechanism, so users might assume it's a valid local icon.

      I still run Firefox, though.

      • Re:Accidentents. (Score:5, Informative)

        by MobyDisk (75490) on Saturday May 31 2008, @12:37PM (#23610347) Homepage
        It's funny that you say that, because on my MacBook Pro it is the exact opposite. Safari does this and Internet Explorer does not.

        Under OS X, when you click an installer image downloaded by Safari it says something like "The application 'Whatever' was downloaded from the Internet on {date}. Are you sure this is safe to open?'

        I sometimes use IE on Windows (for testing sites I develop) and I've never seen a comparable message from Internet Explorer.

        Maybe you are talking about IE on Vista and Safari on Windows?

      • Re:Accidentents. (Score:5, Funny)

        by Hal_Porter (817932) on Saturday May 31 2008, @10:41AM (#23609489)

        This won't give admin rights to the app. UAC to the rescue.
        If the Aliens in Independence Day had used Vista instead of OS X then UAC would have stopped the human virus running and they would have been able to complete their conquest of Earth.

  • MS says shun Safari? (Score:5, Funny)

    by DrHackenbush (1273982) on Saturday May 31 2008, @09:09AM (#23608995)
    Finally, something I we can agree on.

  • 1, 2, 3 ... SHUN! (Score:5, Insightful)

    by Anonymous Coward on Saturday May 31 2008, @09:18AM (#23609031)

    Wow. Have to admit I'm on Microsoft's side here. Let's see:

    1. automatically download browser as an update whether user likes it or not;
    2. have the audacity to set the browser as default, again whether the user likes it or not;
    3. introduce vulnerability;
    4. ...
    5. errr, no.

    It's not just the vulnerability that hurts, but the compund bullshit caused by Apple's -- rather arrogant -- actions. This reads like something Microsoft would do!

    Also, vulnerabilities in Apple software (and this bug affects both Windows and Mac), make all *nix stuff look bad: watch MS shills roll out the 'Microsoft software is only vulnerable because hackers target it' FUD in short order.

    Posting as AC due to Apple fanboy-mods. Modding this down doesn't stop it being the truth.

    • This reads like something Microsoft would do!


      And that's no wonder. Steve Jobs and Bill Gates were cut with the same scissors. Back in the 80's, while Billy kept stealing whatever idea he stumbled upon, Steve Jobs only thought of becoming more powerful and promote a competitive environment inside Apple, even if that destroyed the moral of his employees.

      Please do yourselves a favor and watch Pirates of Silicon Valley [imdb.com]. It's an enlightening movie. And yes, Steve did even worse things, but they're too shocking to be mentioned in public.

    • Such as...? (Score:5, Informative)

      by Animaether (411575) on Saturday May 31 2008, @09:20AM (#23609041) Journal
      A list of actual drive-by vulnerabilities in current Internet Explorer (name-calling went out of vogue when you reached the age of 15, man. You are at least 15, right?) that allow for code execution on the client to substantiate your claim, please.*

      Now if you want to point fingers, visit that Dhanjani link and read about the vulnerability he's not disclosing, as a courtesy to Apple; "The third issue I reported to Apple is a high risk vulnerability in Safari that can be used to remotely steal local files from the user's file system [...] it is a high risk issue affecting Safari on OSX and Windows". There hasn't been an update to that in the past 2 weeks, implying that it has not yet been fixed.

      The Slashdot headline is pure flamebait and you took it.

      • Re:Wow. Just wow. (Score:5, Insightful)

        by NewbieProgrammerMan (558327) on Saturday May 31 2008, @09:08AM (#23608987) Homepage

        Apple just needs to turn the tables and tell people to shun IE and use Firefox/Opera/what have you, is all.
        Or, maybe, you know, fix their security holes.

        • Re:Wow. Just wow. (Score:5, Insightful)

          by JanneM (7445) on Saturday May 31 2008, @09:41AM (#23609155) Homepage

          Or, maybe, you know, fix their security holes.
          It's Apple. By definition anything they make is perfect in any conceivable way. If Safari allows forced downloads of thousands of executables, then it is because all web clients really should, and Apple is the only company with the vision, the foresight, and the polo sweaters to implement it. Just ask any Apple fanboy in your neighbourhood; he'll tell you.

          • Re:Wow. Just wow. (Score:5, Insightful)

            by erikina (1112587) <eri.kina@gmail.com> on Saturday May 31 2008, @09:33AM (#23609107) Homepage
            Because they don't give you permission to? And even they did, no one would bother without the source.
            I think that anyone who gives a shit, has moved away from proprietary web browsers. (And yes, I'm aware their rendering engine is under GPL as it's based on KHTML or w/e)

                • Re:Wow. Just wow. (Score:5, Informative)

                  by 99BottlesOfBeerInMyF (813746) on Saturday May 31 2008, @11:19AM (#23609757)

                  Just to clarify the cause effect relationship, that is not clear enough for me in the parent. KHTML, that is Konqueror's core, is open source, free software, and easily reusable. That's why Apple forked the project and uses it as a part of Safari.

                  Just to clarify your clarification. Apple forked KHTML, which was developed by the Konquerer team, and named their fork WebKit, which is also free and open source. Since then, the developers of KHTML have decided to abandon KHTML in favor of WebKit themselves and are integrating WebKit into Konquerer. So Safari and Konqueror's rendering engine is named 'WebKit' not 'KHTML'.

        • Re:doesn't work? (Score:5, Insightful)

          by LuxFX (220822) on Saturday May 31 2008, @10:40AM (#23609481) Homepage Journal
          Not a security bug? The downloaded files go directly to the desktop.

          So, what if a site triggers an automatic download of a file called "My Computer.exe" to an XP computer, using the typical My Computer icon. Will a casual user be able to tell the difference? One click will take them to My Computer, another might install a spam zombie. Now think of a user with 500 extra My Computer icons. Which do they choose?

              • Re:doesn't work? (Score:5, Funny)

                by that this is not und (1026860) on Saturday May 31 2008, @11:02AM (#23609643)
                Since I voted for George Bush (twice) and Bill Clinton (twice!) I classify MYSELF as a terrorist. I've certainly done enough damage to the country to sit the next election cycle or two out. heheh I need to be careful since whichever lame tool I vote for gets elected....

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.