Safari "Carpet Bomb" Attack Code Released 118
snydeq writes "A hacker has posted attack code that exploits critical flaws in the Safari and Internet Explorer Web browsers. The source code can be used to run unauthorized software on a victim's machine, and could be used by criminals in Web-based computer attacks, security experts say. The public example of the attack code allows attackers to litter a victim's desktop with executable files, an attack known as 'carpet bombing.' In combination with bugs in Windows and Internet Explorer, attackers can run unauthorized software on a victim's computer."
Re:Secure from the ground up! (Score:5, Informative)
So the real issue is that Safari can be told to automatically download a file while internet explorer will automatically run a malicious dll from the desktop. actual post and proof-of-concept code here [fc2.com].
seems like a misleading summary to me.
Wrong section, eds! (Score:5, Informative)
Quick Workaround... (Score:5, Informative)
1) Launch IE from a location other than your desktop (e.g. Start Menu, Quick Launch Tray).
2) Go to Program Files\Internet Explorer, Create Shortcut, and then place that shortcut on your desktop. Make sure the "Start In" setting is set to any location other than your Desktop.
Re:Secure from the ground up! (Score:4, Informative)
So the real issue is that Safari can be told to automatically download a file while internet explorer will automatically run a malicious dll from the desktop. actual post and proof-of-concept code here [fc2.com].
seems like a misleading summary to me.
Re:Secure from the ground up! (Score:3, Informative)
Re:Secure from the ground up! (Score:5, Informative)
The 'workarounds' suggested by MS include "Change the download location of content in Safari to a newly created directory". I don't actually know what's going on with this, but it seems like it's IE opening an improperly-named (or maybe there's some bad meta-data that comes along with it?) file from the desktop, no matter how it got there.
Re:Secure from the ground up! (Score:5, Informative)
Basically, on Windows Safari automatically downloads files, in imitation of its behavior on OSX, but whereas on OSX it downloads them to a nice ~/Downloads directory on Windows it downloads them to the desktop. Also, on OSX Safari tags the downloaded file as 'unsafe', but it fails to use the Windows functionality to do the same on Windows. This leaves a whole load of files that you never asked for or wanted lying around on your computer in a state that is one step away from being executed.
This 'attack' allows a malicious person to force Safari to dump thousands of files on your desktop, which in and of itself is not a nice thing, but when coupled with other exploits it can lead to code execution of these files you never wanted in the first place - whether those exploits are patched by the vendor (Microsoft) or not, we both know that a significant portion of desktops are not kept fully up-to-date with security releases.
Re:Wrong section, eds! (Score:4, Informative)
the "bug" is that Safari has the users desktop as the default download directory, and will automatically download files if you go to some websites. This is normal and fine behavior. The problem is that Internet Explorer loads files from the desktop on launch, which means if you craft a malicious library and put it on the desktop Internet Explorer will happily load it.
Microsoft should fix IE to avoid loading files from the Desktop.
Re:Best Solution (Score:3, Informative)
As you say, the article is your friend.
"The Safari bug, originally disclosed on May 15 by security researcher Nitesh Dhanjani, allows attackers to litter a victim's desktop with executable files, an attack known as "carpet bombing.""
Re:Secure from the ground up! (Score:3, Informative)
Re:Dear Apple, Please stop sucking (Score:2, Informative)
Second, this is about a Windows flaw that Safari has not addressed (rather Apple) in its current iteration. Apple's browser can be considered a "patsy" in this... and MS is trying to pass the buck (so to speak.)
Third, the "open safe files after downloading" is old news. Get a new schtick.
And Fourth, grow up. This isn't about Apple's security, it's about Microsoft's... and Apple's inability to prevent "stupid is as stupid does" on a Windows machine. They're good... just not miracle workers.
Re:Secure from the ground up! (Score:4, Informative)
So yes, IE is in fact autoloading executables from the desktop. It's Safari's vulnerability to carpet bombing that sets the stage, but it's IE and Windows that cause the big boom.
There is one (Score:4, Informative)
Re:Wrong section, eds! (Score:5, Informative)
Safari should NOT be auto-dumping files onto the Windows desktop. PERIOD.
There's enough blame to go around everywhere.
Re:Quick Workaround... (Score:3, Informative)
Red herring. It's got nothing to do with "Active Desktop". It's just the way Windows executables typically look for .dll files -- starting with the current directory and then each path listed in the PATH environment var.
In this case the shortcut to IE is launching the program with the user's desktop as current directory. First of all, it shouldn't -- probably it should be one level up from, there, in the user's home directory. Second, MS might want to rethink the way they hunt for .dll files for system-installed apps. Loading them from a user-writable directory is probably a bad idea. Loading them from a location that tends to fill up with random shit is *definitely* a bad idea.
That said, Apple should take initiative here and change the default download directory, especially after the way they hard-sold the Safari installation to so many people to begin with.
Re:This is a longstanding Windows flaw. (Score:3, Informative)
I'd call that a fundamental flaw with the Windows environment itself. It sounds like this "desktop" thing is used as both a temporary scratchpad for miscellaneous data from arbitrary untrusted sources, and as a repository for locally trusted executables. Someone at Microsoft needs to get it straight in their head, and figure out just what this "desktop" thing is for.
When I think of my experience with Unix-type systems, I don't think it has ever occurred to me to put PATH=/tmp in my .bashrc. I think I have done dumb things like PATH=. back in the 1980s when I was young and foolish and didn't know better, though. Personally, I think it's delightful that a bunch of teenage amateurs are trying to create an operating system. So what if they haven't yet learned what everyone else had known for decades? Let's not discourage their creativity with our stodgy pragmatism. Maybe some day it will really pay off. If they really think it all through and work hard, 2009 could be the year of the Windows desktop.
Re:Closest resources first (Score:3, Informative)
And yet this is listed as a Safari flaw?
Come on, how insanely insecure is it to run executable code from the desktop! Hasn't windows had protection on the windows and system32 directories for about 6 billion years now for this very reason? And then they go and make it pull executable code from just about the least secure place on any PC.
From where I'm sitting this is a massively Microsoft problem, but their suggested "fix" is still the easiest solution by far. But its a bandaid to a gaping oversight.
Safari on the mac defaults to
Re:mod parent up (Score:3, Informative)
These files are being loaded as trusted libraries of shared code that likely bypass anti-virus and other such protection apps.
Re:Wrong section, eds! (Score:3, Informative)
Then again, maybe I'm wrong. If you download and install a printer driver, are you warned the driver is unsafe the first time your try to print?
Yup! (Score:5, Informative)
Carpet bombing is still an issue, if for no reason than it is an annoyance.
Re:Wrong section, eds! (Score:4, Informative)
That said, IE is worse here - downloading files without my permission is bad form, but a pre-installed system app loading DLLs from any old place that it finds them, especially one of the most common places to dump downloaded files, is just idiotic.
Shame on all.
Re:Best Solution (Score:3, Informative)