Safari "Carpet Bomb" Attack Code Released
snydeq writes "A hacker has posted attack code that exploits critical flaws in the Safari and Internet Explorer Web browsers. The source code can be used to run unauthorized software on a victim's machine, and could be used by criminals in Web-based computer attacks, security experts say. The public example of the attack code allows attackers to litter a victim's desktop with executable files, an attack known as 'carpet bombing.' In combination with bugs in Windows and Internet Explorer, attackers can run unauthorized software on a victim's computer."
Best Solution (Score:3, Interesting)
As soon as the attack centers on an Apple product, they'll start moving their ass. Until then, it's "not [their] problem".
Re:Quick Workaround... (Score:3, Interesting)
If you disable active web content on your desktop (thus only allowing
MSFT needs to fix this ASAP (Score:3, Interesting)
Regardless of what the default is in Safari or even Firefox, a user can still change that default to anything they want, including the desktop.
As others have pointed out, the downloads folder is a Leopard specific feature used by Safari when running under Leopard and the executable warning thing is also a Leopard feature.
Who uses safari for windows and IE? (Score:4, Interesting)
Personally I think the bigger issue is that Safari will auto-download, auto-mark-safe, and auto-run files silently. IE's broken too, but either one of the players involved could render this exploit moot. Let's see who responds first before stoning someone to death.
I still don't see why someone would be browsing around in safari and then open up IE. A regular user's likely to only use his favorite browser and a dev who needs to view the same site in multiple browsers would probably notice that there're a bunch of new .dll files all over the desktop.
Re:Who uses safari for windows and IE? (Score:2, Interesting)
But on my PC, I have Mozilla as my default browser, but Picasa and Visual Studio still insist on using IE when they need to do web stuff. I'm sure I could override that, but I haven't bothered.
IE being the system's browser leaves it easy to be accidentally opened, methinks.
But I'm in agreement that if Windows provides a mechanism for marking files as unsafe, it's Safari's fault for not taking advantage of that. Apple can't blame Microsoft for being at fault if they're not using the security mechanisms that Microsoft has put in place.
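The "mechanism for marking files as unsafe" the comment above refers to is the Zone.Identifier alternate data stream (the "mark of the web") that Windows' Attachment Execution Service reads before letting a downloaded executable run. The script below is an added example, not code from the thread, from Apple or from Microsoft: it checks whether a file on disk carries that stream and, if not, writes the same stream a well-behaved downloader would have written. It assumes an NTFS volume, PowerShell 3.0 or later (for the -Stream parameter), and a placeholder file path; ZoneId 3 is the Internet zone.

```powershell
# Added example (not from the thread): inspect and apply the Windows
# "mark of the web" (Zone.Identifier alternate data stream) that the
# Attachment Execution Service consults before running a download.
# Assumes NTFS and PowerShell 3.0+ (-Stream on Get-Item/Get-Content/Set-Content).
# The default path is a placeholder; ZoneId 3 is the Internet zone.

param(
    [string]$Path = "$env:USERPROFILE\Desktop\downloaded.exe"   # placeholder path
)

function Get-ZoneIdentifier {
    param([string]$FilePath)
    # Returns the ZoneId recorded in the file's Zone.Identifier stream, or $null
    # when the file carries no mark. An unmarked .exe dropped on the desktop is
    # exactly the "silently auto-marked-safe" case: no warning when it is run.
    $stream = Get-Item -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $content = Get-Content -LiteralPath $FilePath -Stream Zone.Identifier
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d+)$') { return [int]$Matches[1] }
    }
    return $null
}

function Set-ZoneIdentifier {
    param([string]$FilePath, [int]$ZoneId = 3)
    # Writes the stream a browser writes when it saves a file from the Internet.
    # With ZoneId 3 present, ShellExecute/Explorer show the "Open File - Security
    # Warning" prompt instead of running the file straight away.
    $body = "[ZoneTransfer]`r`nZoneId=$ZoneId"
    Set-Content -LiteralPath $FilePath -Stream Zone.Identifier -Value $body
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Error "File not found: $Path"
    exit 1
}

$zone = Get-ZoneIdentifier -FilePath $Path
if ($null -eq $zone) {
    Write-Output "No Zone.Identifier on $Path; marking it as Internet (zone 3)."
    Set-ZoneIdentifier -FilePath $Path -ZoneId 3
    $zone = Get-ZoneIdentifier -FilePath $Path
}
Write-Output "ZoneId for $Path is now $zone"
```

Run it against a file you saved with a browser that does set the mark and Get-ZoneIdentifier returns 3 without the script touching anything; run it against a file that was written without the stream and the script adds the mark, after which Explorer prompts before executing it. The inverse operation is the built-in Unblock-File, which deletes the stream, so the check can also be used to confirm that an unblock was intended.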
Re:It is a safari flaw (Score:2, Interesting)
This issue is about the execution of code WITHOUT user interaction.
You can have an argument about the pros and cons of the Safari Feature somewhere else. This is not the problem here.