
Safari "Carpet Bomb" Attack Code Released 118

Posted by timothy
from the nogoodniks dept.
snydeq writes "A hacker has posted attack code that exploits critical flaws in the Safari and Internet Explorer Web browsers. The source code can be used to run unauthorized software on a victim's machine, and could be used by criminals in Web-based computer attacks, security experts say. The public example of the attack code allows attackers to litter a victim's desktop with executable files, an attack known as 'carpet bombing.' In combination with bugs in Windows and Internet Explorer, attackers can run unauthorized software on a victim's computer."
  • Wrong section, eds! (Score:5, Informative)

    by himself (66589) on Wednesday June 11, 2008 @03:11PM (#23752865)
    This is a _Windows_ Safari problem, not an _OS X_ Safari problem. And yes I RTFBlogPost.
    • by Qwerpafw (315600) on Wednesday June 11, 2008 @03:34PM (#23753275) Homepage
      It's a Windows Internet Explorer problem, not a Mac OS X Safari problem.

      The "bug" is that Safari has the user's desktop as the default download directory, and will automatically download files if you go to some websites. This is normal and fine behavior. The problem is that Internet Explorer loads files from the desktop on launch, which means if you craft a malicious library and put it on the desktop Internet Explorer will happily load it.

      Microsoft should fix IE to avoid loading files from the Desktop.
      • by oyenstikker (536040) <slashdot.sbyrne@org> on Wednesday June 11, 2008 @03:50PM (#23753573) Homepage Journal
        "This is normal and fine behavior."

        No, it isn't.
      • Even aside from the IE issue and "carpet bombing", silently downloading things to the desktop makes it very easy to create a hack such as a fake "My Computer.exe" icon.

        It really is bad UI behavior (on both Mac and Windows).
        • Silent is a misnomer. Safari opens its download manager and starts its work. The other option is to do the whole OPEN or SAVE dance...and then open the download manager.
          • The download manager stays in the background and does nothing to notify the user, so it is effectively silent.

            And yes the "Open/Save Dance" is exactly what is supposed to happen before files are saved to the disk.
            • by deke_kun (695166)
              That is untrue. The Download Manager pops to front. The only situation in which it does not, is if it is already open from a previous download.

              As for the Open/Save Dance somehow being the ultimate solution to this, what do you think the average user (read: almost all users) does when they see an Open/Save box? They jam that OK key until it goes away and stops asking them a hard question. This effectively nullifies the criticism of the feature. It is worth noting that Firefox by default downloads files t
              • "Users are dumb", so let's make it even easier to rape dumb users! Yeah that makes perfect sense.

                Even aside from the security aspects, Safari's UI behavior is just stupid. Users can sit there pounding on a "Download" link with absolutely zero visual confirmation that something is actually happening. Love to see where that's spelled out in Apple's HIG.

                (Also forgot that this is the default behavior of Firefox (it can be turned off), and yes the social-engineering aspect is equally a problem there too.)
      • Re: (Score:3, Insightful)

        by Khyber (864651)
        No, the problem is that Safari doesn't utilize the functionality Windows has for marking files as safe or unsafe when it downloads something, thus allowing IE to open said files.

        Safari isn't implementing the basic security that is implemented in Windows.
        • Re: (Score:3, Informative)

          by gerardrj (207690)
          Marking the file safe or unsafe will likely not fix the issue. You aren't launching the DLL and IE isn't "opening it" like it would a bookmark or web archive or .jpg. It's including the DLL's code into the execution environment of the parent process (IE) and thus bypassing any unsafe filesystem flag.

          Then again, maybe I'm wrong. If you download and install a printer driver, are you warned the driver is unsafe the first time you try to print?
          • by Khyber (864651)
            I'm warned the driver is unsafe if it's not signed upon installation, BEFORE I ever print.

            Also, IE's behavior for anything unsafe (Unless you SPECIFICALLY changed the setting in options) is to ask you or outright deny it, without regard to the parent process. Has been since IE5.5.
            • by gerardrj (207690)
              During the installation program's operation and printer setup process, yes.

              The process described is providing a raw DLL file that is being included from an insecure location without any verification, authorization or authentication.

              This has been verified by another poster in another thread: download the file with IE and put it on the desktop and the next time you launch IE, the exploit is enabled.
              • by Khyber (864651)
                It doesn't have to be IE run from the desktop - IE gives preferential treatment to loading what's on the desktop by default (Remember "Active Web Content" for your desktop back from Win98? That's where this problem comes from.)

                I've known about this attack vector for years. Even FAT-based systems are vulnerable. It's actually one of the flaws responsible for WinME dying so much (there was a hidden DLL on the desktop that if corrupted would totally fry ME because of the default being to load active web conten
        • by Lars T. (470328)

          No, the problem is that Safari doesn't utilize the functionality Windows has for marking files as safe or unsafe when it downloads something, thus allowing IE to open said files. Safari isn't implementing the basic security that is implemented in Windows.

          No, the problem is that you are confusing Safari with Firefox. Oh yeah, and that IE doesn't check the basic security that is implemented in Windows when it starts any old DLL on the Desktop.

          Don't believe me? Download the DLL from the page to your Desktop and restart IE - presto.

      • by Chas (5144) on Wednesday June 11, 2008 @04:43PM (#23754425) Homepage Journal
        No. It's a problem with Windows Internet Explorer that's exacerbated by a problem with Windows Safari.

        Safari should NOT be auto-dumping files onto the Windows desktop. PERIOD.

        There's enough blame to go around everywhere.
        • by ClassMyAss (976281) on Wednesday June 11, 2008 @11:53PM (#23759029) Homepage

          Safari should NOT be auto-dumping files onto the Windows desktop. PERIOD.
          Totally agreed. I'd go further - no website should be able to trigger any action on my computer that persists after I close the damn browser window without my explicit permission, apart from saving cookies and leaving an entry in my history log (even then, only if I've enabled both of these things).

          That said, IE is worse here - downloading files without my permission is bad form, but a pre-installed system app loading DLLs from any old place that it finds them, especially one of the most common places to dump downloaded files, is just idiotic.

          Shame on all.
        • if its working directory was set correctly. Normally it is set to the directory that the application is in and definitely shouldn't be set to the user's desktop directory.
    • by ruinevil (852677)
      Read the bolded text over there to your left. It says Apple, not OS X. Safari is made by Apple, and is needed for the attack. Most Windows users didn't even know what Safari was until it became part of an iTunes update, which was decided by... you guessed it, APPLE.

      Don't forget, Firefox/Gecko penetration is a lot lower on Windows than in Mac OS X. Windows users generally don't change their browsers from Internet Explorer.
  • by Manip (656104) on Wednesday June 11, 2008 @03:12PM (#23752885)
    Here are two very quick temp' workarounds for the issue.

    1) Launch IE from a location other than your desktop (e.g. Start Menu, Quick Launch Tray).

    2) Go to Program Files\Internet Explorer, Create Shortcut, and then place that shortcut on your desktop. Make sure the "Start In" setting is set to any location other than your Desktop.

    • Better yet... (Score:3, Insightful)

      by HerculesMO (693085)
      Best workaround is to use Firefox.
      • by IdeaMan (216340)
        Nobody seems to be making the other point:
        There's no reason they can't start going after other applications, say Microsoft C runtime, or a host of other system dlls.
        In that case it is likely that any application launched could have the problem.

        You would deliver the binary attack this way:
        1: Download evil comctl32.dll from malicious.nl to \downloads
        2: Download Utility.exe from opensource.org to \downloads
        3: Run Utility.exe from \downloads
        4: Machine is infected
        5: P.. nvm.

        Solution is to educate users that dlls
      • by deke_kun (695166)
        Firefox, whose default download directory is where?

        Granted it gives you an Open/Save dialog first, but since when do people read let alone understand dialog boxes?
    • by CastrTroy (595695) on Wednesday June 11, 2008 @03:34PM (#23753269) Homepage
      For me it runs even when launching from the quick launch bar, or from the start menu. For some reason, IE seems to like to load things from the desktop by default. For instance, to change your "view source" application from notepad to notepad++, you can put the following in a notepad.bat file on your desktop.

      REM notepad.bat: the path contains a space, so it must be quoted or the shell splits it
      "C:\Program Files\Notepad++\notepad++.exe" %1

      This problem seems to be twofold. First, Safari will automatically download stuff to your desktop without asking you. Secondly, IE will load DLLs from the desktop, just because they happen to have the same name as some other DLL it is looking for. I think the bigger problem here is with IE, because it doesn't matter how the DLL got on your desktop, it shouldn't be using it.
      • Re: (Score:3, Interesting)

        by Khyber (864651)
        Do you know WHY IE likes to load stuff from the desktop?

        If you disable active web content on your desktop (thus only allowing .bmp backgrounds, IIRC) I'll bet half this wouldn't happen. IE is integrated into the desktop so for it to run shit from the desktop makes sense.
        • Re: (Score:3, Informative)

          Red herring. It's got nothing to do with "Active Desktop". It's just the way Windows executables typically look for .dll files -- starting with the current directory and then each path listed in the PATH environment var.

          In this case the shortcut to IE is launching the program with the user's desktop as current directory. First of all, it shouldn't -- probably it should be one level up from there, in the user's home directory. Second, MS might want to rethink the way they hunt for .dll files for system

          • Re: (Score:3, Interesting)

            In this case the shortcut to IE is launching the program with the user's desktop as current directory.
            Hold the phone -- after several tests using CastrTroy's method, it appears that it doesn't matter one lick what the current directory is: IE will always give preference to executables on the desktop. 1) Eating crow and 2) Yikes! I still think Apple will be able to fix this first, and should.
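The search-order explanation above (current directory first, then the directories in PATH) and the later comment on why a user-writable directory in the search path matters are easy to check with a simulation. The following is an added example, not code from the thread or from Microsoft: it models the loader's lookup over a hand-built directory snapshot (constructed sample data, including the `alice` profile path and the `SafeDllSearchMode` toggle, which is a real Windows setting that moves the current directory after the system directories) and reports which DLL names a writable directory such as the Desktop would shadow. It is an audit of exposure, not a call into the real loader.

```python
"""Simulate the Windows DLL search order and flag names that a
user-writable directory (the Desktop here) would shadow.

Added example; the directory snapshot below is constructed sample data, so
the script runs offline on any OS."""

from dataclasses import dataclass
from typing import Optional

# Constructed snapshot: directory -> set of file names it contains.
SNAPSHOT = {
    r"C:\Program Files\Internet Explorer": {"iexplore.exe", "ieproxy.dll"},
    r"C:\Users\alice\Desktop": {"comctl32.dll", "report.pdf"},
    r"C:\Windows\System32": {"comctl32.dll", "kernel32.dll", "user32.dll"},
    r"C:\Windows": {"explorer.exe"},
    r"C:\Tools": {"putty.exe"},
}

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows"]
USER_WRITABLE = {r"C:\Users\alice\Desktop", r"C:\Tools"}


def build_search_order(app_dir, cwd, system_dirs, path_entries, safe_mode):
    """Directories in the order the loader consults them.

    Classic order (SafeDllSearchMode off): application directory, current
    directory, system directories, then each %PATH% entry. With
    SafeDllSearchMode on, the current directory moves after the system
    directories. This is a model of that order, not the real loader."""
    if safe_mode:
        return [app_dir, *system_dirs, cwd, *path_entries]
    return [app_dir, cwd, *system_dirs, *path_entries]


@dataclass
class Resolution:
    dll: str
    winner: Optional[str]    # directory the loader would pick, or None
    expected: Optional[str]  # first system directory holding a real copy
    shadowed: bool           # winner differs from the system copy
    writable_winner: bool    # winner is a directory the user can write to


def resolve(dll, order, snapshot=SNAPSHOT, system_dirs=SYSTEM_DIRS,
            user_writable=USER_WRITABLE):
    """Find the first directory in `order` holding `dll` (case-insensitive,
    as on Windows) and compare it with where the system copy lives."""
    name = dll.lower()

    def has(directory):
        return any(f.lower() == name for f in snapshot.get(directory, ()))

    winner = next((d for d in order if has(d)), None)
    expected = next((d for d in system_dirs if has(d)), None)
    return Resolution(
        dll=dll,
        winner=winner,
        expected=expected,
        shadowed=expected is not None and winner != expected,
        writable_winner=winner in user_writable,
    )


def audit(dlls, order, **kwargs):
    """Return only the DLLs that a user-writable directory would shadow."""
    return [r for r in (resolve(d, order, **kwargs) for d in dlls)
            if r.shadowed and r.writable_winner]


if __name__ == "__main__":
    app = r"C:\Program Files\Internet Explorer"
    desktop = r"C:\Users\alice\Desktop"
    path = [r"C:\Windows\System32", r"C:\Windows", r"C:\Tools"]
    for safe in (False, True):
        order = build_search_order(app, desktop, SYSTEM_DIRS, path, safe)
        hits = audit(["comctl32.dll", "user32.dll"], order)
        print(f"SafeDllSearchMode={safe}:",
              [f"{h.dll} <- {h.winner}" for h in hits])
```

With the Desktop as current directory and the classic order, `comctl32.dll` resolves to the Desktop copy and is reported; with the safe order the System32 copy wins and nothing is reported, which is why both the start-in directory of the shortcut and the loader mode matter to the fix discussed in the thread.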
  • This is not a security flaw in Safari, it's using what SHOULD be no more than a DOS attack on Safari to make an attack on the longstanding security flaws inherent in the Windows browser-desktop integration. The same flaws can be attacked with minimal social engineering ... convincing a significant number of users to download a file despite any warnings is NOT a hard process... the majority of malware over the past decade that have used related flaws in the Windows security model have managed to propagate usi
    • I am still boggled by the fact that Microsoft didn't fix the deep problems here ten years ago.
      The simple solution would be to provide a damn package manager, with public repositories and trustworthy install mechanism. People need to be educated out of grabbing any software from third party sources, unless they can't find it in the repository and they really need it and verified that it's a legitimate copy from a legitimate source.
    • by initdeep (1073290)
      Well killing off stupid users is sort of self defeating isn't it?
    • by brunascle (994197) on Wednesday June 11, 2008 @03:32PM (#23753241)
      I'd say it is a security flaw in Safari, but for different reasons. As the same blog explains [fc2.com], you could have Safari download an executable to the desktop that pretends to be e.g. Internet Explorer. If they normally launch IE from the desktop, they could click the fake IE next time, running arbitrary code.
      • by argent (18001)
        As the same blog explains, you could have Safari download an executable to the desktop that pretends to be e.g. Internet Explorer. If they normally launch IE from the desktop, they could click the fake IE next time, running arbitrary code.

        Yes, that's a standard part of a social engineering attack. This does make social engineering attacks easier, and should be fixed (let's start by downloading to something like %PROFILE%\Downloads instead of the Desktop). This is similar to the problem where Safari on OS X
      • Re: (Score:3, Informative)

        by Sloppy (14984)

        you could have Safari download an executable to the desktop that pretends to be e.g. Internet Explorer. If they normally launch IE from the desktop, they could click the fake IE next time, running arbitrary code.

        I'd call that a fundamental flaw with the Windows environment itself. It sounds like this "desktop" thing is used as both a temporary scratchpad for miscellaneous data from arbitrary untrusted sources, and as a repository for locally trusted executables. Someone at Microsoft needs to get it strai

      • Or, it could be a security invulnerability in Safari. Think about it: if everyone set up their websites so the latest Windows patches and a free anti-virus program would automatically download to the desktop and run the next time IE was opened, we could take down all the botnets and malware!
    • Re: (Score:2, Insightful)

      by anomaly256 (1243020)
      Just FYI, it's not the browser-desktop integration causing the problem with IE, it's how the win32 dynamic linking mechanism works
      • Re: (Score:3, Insightful)

        by argent (18001)
        Is it this one? "While trying to load some of those files, it does not provide the full path of the DLL file to the function which loads the DLL file to the memory, and therefore Windows will search for this file in the user's machine using the directories provided in the PATH environment variable, and will load the first match it will found."

        If so, why is %PROFILE%\Desktop in %PATH%?

        Oh, no, it's this one: "While this is true, the behavior of the "DLL Search Order" (when it's disabled) is to look for the DL
        • by Kalriath (849904) *

          Perhaps it's because the Internet Explorer icon on the desktop is a special case, because of the browser-desktop integration?

          Nah, that's crazy talk.

          You're right. It is. If you set Firefox to be your Internet icon (from "Set Program Access and Defaults") Firefox could potentially do exactly the same thing - because the Internet icon is a special case (like My Computer, Recycle Bin, My Network Places, and My Documents).

          The same issue could be raised using Windows Explorer (which has no integration with Internet Explorer).

          • by argent (18001)
            the Internet icon is a special case (like My Computer, Recycle Bin, My Network Places, and My Documents).

            Which is to say that it's the fault of browser-desktop integration, yesno?
            • by Kalriath (849904) *
              No. It's nothing to do with browser-desktop integration. Especially since the browser does not integrate with the desktop (though Explorer will render a single Shell Document Viewer interface on the desktop if Active Desktop is enabled).
              • by argent (18001)
                Tell me, Mister Bones, when did they make Internet Explorer a special case on the desktop?

                Why, it was in 1997, when they started the whole browser-desktop integration mess.

                Without that, they wouldn't have had any reason to treat it any different from any of the other apps they included on the desktop by default.

                Especially since the browser does not integrate with the desktop

                That's not what "browser-desktop integration" refers to.
    • I am still boggled by the fact that Microsoft didn't fix the deep problems here ten years ago.
      Why? Microsoft has the dominant market share. They got there (and are remaining there) even with the bugs, so there's really no incentive for them to devote developers' time to fix the bugs. Until their myriad of bugs start to erode their market share in a serious way, nothing will change.
      • by argent (18001)
        Every time I think I'm a cynical bastard some cynical bastard comes along and one-ups me.
  • Best Solution (Score:3, Interesting)

    by Skye16 (685048) on Wednesday June 11, 2008 @03:22PM (#23753073)
    Clearly the quickest way we can get Apple to fix this is to host this attack on all of our own websites, with the .exe in question being the uninstall program for Safari.

    As soon as the attack centers on an Apple product, they'll start moving their ass. Until then, it's "not [their] problem".
    • Re: (Score:3, Insightful)

      by Entropy2016 (751922)
      It's something Microsoft has to fix. The article is your friend.
      • Re: (Score:3, Informative)

        by Skye16 (685048)
        I'm sorry, but allowing a malicious website to provide hundreds or thousands of executables on my desktop is *still* an Apple bug. What's worse, it's the root cause. Yes, Windows and IE have a flaw that allows that file to be executed, but it wouldn't be there in the first place - especially in such quantity - if the flaw in Safari didn't exist first.

        As you say, the article is your friend.

        "The Safari bug, originally disclosed on May 15 by security researcher Nitesh Dhanjani, allows attackers to litter a vi
        • Re: (Score:3, Insightful)

          by oahazmatt (868057)
          Half of the problem is with Safari, the other half is with IE. Let's give credit where credit is due.

          If it weren't for Safari downloading the files to the desktop by default, they wouldn't get there.

          If it weren't for IE opening these files from the desktop by default, they wouldn't open.

          Now, if you'll excuse me, I'd like to feel completely secure. I'm going to go install my old copy of OS/2 Warp v3 and Netscape Communicator.
          • by Khyber (864651)
            No, the TOTAL problem is with Safari, which refuses to use Windows' ability to mark files as safe or unsafe after being downloaded. If Safari utilized that feature, this wouldn't happen in this particular fashion.
            • Then why isn't Windows doing it itself? Regardless of browser used.

              Would this happen with Firefox? Would this happen with Seamonkey? I'm just wondering... I don't honestly know, because I don't use Windows...

              It doesn't seem like Safari would turn off such a feature...
              • by Kalriath (849904) *
                The browser must do it itself, by writing an Alternate Data Stream (ADS) with the Zone Identifier (3 for Internet) the file came from.
              • It doesn't seem like Safari would turn off such a feature...
                Yes, clearly, this is something apple would NEVER try to do... you know, apple is against crippling competition. They're all about interoperability.

                They've even decided to let us use exchange on the new iphones!
              • Then why isn't Windows doing it itself? Regardless of browser used.
                Because an OS has no concept of a "download". All Windows knows is that some program (probably called safari.exe) is pulling bits in from the Internet, and writing them to disk. For all it knows, this is a logfile, or a cached certificate, or anything.

                It doesn't seem like Safari would turn off such a feature...
                No, it just didn't turn the feature on.
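Kalriath's point about the Zone.Identifier alternate data stream, and the reply above about the OS having no concept of a "download", both come down to what that stream contains and what a missing stream means. The following is an added example, not code from the thread or from Microsoft: it parses the INI-style `[ZoneTransfer]` section a browser writes (the sample stream and the `download.example` URLs are constructed), maps the `ZoneId` to its URLZONE name, and treats a file with no stream as unmarked, which is exactly the state a browser that never sets the mark leaves its downloads in. `read_zone_identifier()` opens the real `<file>:Zone.Identifier` stream on NTFS and returns None anywhere the stream does not exist.

```python
"""Parse the Zone.Identifier alternate data stream ("mark of the web") and
report how a downloaded file is marked.

Added example; SAMPLE_STREAM is constructed data. The real stream is read
with read_zone_identifier() on an NTFS volume."""

from typing import Optional

# URLZONE values as Windows defines them; 3 is the one the thread mentions.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample of what a browser that sets the mark writes.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://download.example/page.html\r\n"
    "HostUrl=https://download.example/files/tool.dll\r\n"
)


def parse_zone_identifier(text: str) -> Optional[dict]:
    """Parse the [ZoneTransfer] section of a Zone.Identifier stream.

    Returns a dict with ZoneId as an int (when present and numeric) plus any
    other keys such as ReferrerUrl/HostUrl, or None when the text contains
    no [ZoneTransfer] section at all (empty or absent stream)."""
    in_section = False
    seen_section = False
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            seen_section = seen_section or in_section
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    if not seen_section:
        return None
    if "ZoneId" in fields:
        try:
            fields["ZoneId"] = int(fields["ZoneId"])
        except ValueError:
            del fields["ZoneId"]  # malformed value: no usable zone recorded
    return fields


def classify(fields: Optional[dict]) -> str:
    """Human-readable verdict. A file with no stream looks exactly like one
    written by a local program, which is the gap an unmarked download leaves."""
    if fields is None or "ZoneId" not in fields:
        return "unmarked (no zone recorded)"
    zone = fields["ZoneId"]
    return ZONE_NAMES.get(zone, f"unknown zone {zone}")


def is_marked_from_internet(fields: Optional[dict]) -> bool:
    """True only when the mark says Internet (3) or Restricted Sites (4)."""
    return fields is not None and fields.get("ZoneId") in (3, 4)


def read_zone_identifier(path: str) -> Optional[dict]:
    """Read the real stream from an NTFS file; None if the file has no mark.
    Only meaningful on Windows; elsewhere the open() simply fails."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


if __name__ == "__main__":
    marked = parse_zone_identifier(SAMPLE_STREAM)
    print(classify(marked), is_marked_from_internet(marked))
    print(classify(parse_zone_identifier("")))
```

Any check built on this mark can only ever see files whose writer set it; the unmarked case is the one to design policy around.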
            • Re: (Score:3, Informative)

              by ClassMyAss (976281)
              Someone else posted somewhere here that it doesn't matter if the file is marked or not, and that if you download the file from IE or Firefox it is STILL picked up and loaded from the desktop by IE. Sounds like part of the problem is that DLLs aren't being checked for safety before loading; whether this is a general "feature" in Windows or something IE specific, I have absolutely no idea, I haven't used Windows in a while so I can't check myself...
  • Why oh why, in two-thousand-freaking-whatever, do we still have issues like this? It's bad enough that Apple has "Open 'safe' files after downloading" enabled by default (and yes, they are the ones who put 'safe' into quotes, so it's not like they don't know) and being set to download files without prompting for confirmation is just as bad. We're getting into MS "Hey, let's automatically run attached executables!" territory here. Internet-related things need to be secure by default, period. (Yes, I know 'se
    • Re: (Score:2, Informative)

      by Anonymous Coward
      First, read the article.

      Second, this is about a Windows flaw that Safari has not addressed (rather Apple) in its current iteration. Apple's browser can be considered a "patsy" in this... and MS is trying to pass the buck (so to speak.)

      Third, the "open safe files after downloading" is old news. Get a new schtick. ;)

      And Fourth, grow up. This isn't about Apple's security, it's about Microsoft's... and Apple's inability to prevent "stupid is as stupid does" on a Windows machine. They're good... just not mira
      • by sootman (158191)
        First, I did read the article. In fact I read the first article [dhanjani.com] last month.

        Second, how is "Safari will gleefully download whatever the hell you throw at it" not an Apple issue? IE doesn't do this. Firefox doesn't do this. It only happens with Safari. How again is this not Apple's fault? True, it's up to IE to run the files, but it's Safari that allows them to be put there in the first place. I'd say both are equally to blame.

        Third, it's "old news" but it's still happening and it's still stupid. If there was
    • Silly mods. This may be flamebait, but it's far more insightful than it is incite-full ;) I vote for a re-tag.
  • by aristotle-dude (626586) on Wednesday June 11, 2008 @04:27PM (#23754153)
    Having Apple change the default location from ~/Desktop to something else only for Windows would not solve the real problem. The real problem is that Windows should be doing the flagging of the file as potentially unsafe and IE should not be loading DLLs placed on the desktop regardless of how they got there. It is not the responsibility of the browser to flag a file as potentially unsafe. Windows should either provide a well documented API for setting an unsafe flag on downloads separate from any IE/IE7 code or Windows should be monitoring downloads and flagging them.

    Regardless of what the default is in Safari or even Firefox, a user can still change that default to anything they want including the desktop.

    As others have pointed out, the downloads folder is a Leopard specific feature used by Safari when running under Leopard and the executable warning thing is also a Leopard feature.

  • by wattrlz (1162603) on Wednesday June 11, 2008 @04:56PM (#23754595)

    Personally I think the bigger issue is that Safari will auto-download, auto-mark-safe, and auto-run files silently. IE's broken too, but either one of the players involved could render this exploit moot. Let's see who responds first before stoning someone to death.

    I still don't see why someone would be browsing around in safari and then open up IE. A regular user's likely to only use his favorite browser and a dev who needs to view the same site in multiple browsers would probably notice that there're a bunch of new .dll files all over the desktop.

    • Re: (Score:2, Interesting)

      by mkramer (25004)
      Who uses safari for windows, period?

      But on my PC, I have Mozilla as my default browser, but Picasa and Visual Studio still insist on using IE when they need to do web stuff. I'm sure I could override that, but I haven't bothered.

      IE being the system's browser leaves it easy to be accidentally opened, methinks.

      But I'm in agreement that if Windows provides a mechanism for marking files as unsafe, it's Safari's fault for not taking advantage of that. Apple can't blame Microsoft of being at fault if they're not
  • On Linux, $PATH generally only includes system directories, like /bin, /sbin, etc -- places only root can write to. Occasionally, it will add ~/bin, which the user can write to -- but which no sane browser would download to by default.

    In the Windows command prompt -- and I bet this behavior is inherited from DOS -- the current directory is included in the path. I'm pretty sure it's implicitly included -- that is, no way to disable it by editing %PATH%.

    My understanding is, the main reason PATH works this way
