Microsoft Urges Windows Users To Shun Safari

benjymouse writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to 'restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.' This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Essentially, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem." Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you.

Accidentents.

[Vectronic]

"Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you."

With hundreds of files on your desktop, what are the odds you'd hit one when you are just blanking out a selection, or deleting them, or frustratingly smack your mouse for [whatever reason]

Re:Accidentents. --lol

[Vectronic]

Time for bed.

Re:Accidentents. --lol

[DAldredge]

From the linked article "Apple does not feel this is a issue they want to tackle at this time. In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system. Apple agreed it was a good suggestion: ...the ability to have a preference to "Ask me before downloading anything" is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated. [credit to BK have-it-your-way Rios for suggesting the term "Carpet Bomb" to describe this issue]."

Re:Accidentents. --lol

[recoiledsnake]

Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team.

You mean Apple actually has a HIG team for Windows applications like Quicktime, iTunes and Safari?????

I found this a bit more interesting

[TubeSteak]

I'd like to thank the Apple security team for ... and for letting me discuss these issues with the security community.

::raises hand::
Teacher, may I go to the bathroom?

What if Apple's security team had said no?

Re:Accidentents.

[Anonymous Coward]

It doesn't take hundreds of files. It takes one file.

According to Nate McFeters, Microsoft has a working "one click and the bad guy gets code running on your machine" exploit.

Re:Accidentents.

[dfm3]

With hundreds of files on your desktop, what are the odds you'd hit one when you are just blanking out a selection, or deleting them, or frustratingly smack your mouse for [whatever reason]

Or, even worse, on purpose.

First, imagine how many people would just blindly click on a new desktop icon just to "see what it does".

Second scenario, most Windows users I know keep file extensions off by default, and keep dozens of shortcuts to executables on their desktop among various folders, downloaded files, and other clutter. Now what if the downloaded file were named "safari.cgi" or "iTunes.cgi", but all the user sees is Safari with a generic file icon. I know many people who would think, "hmm, the icon to my internets is messed up" and click it anyway.

Re:Accidentents.

[thegnu]

First, imagine how many people would just blindly click on a new desktop icon just to "see what it does".

Well, if the icon is boobies, then about 49% of the population. If the icon is bunnies, however, I think it's much closer to 51%.

Re:Accidentents.

[Firehed]

What about bunnies with boobies?

Re:Accidentents.

[billcopc]

The world ends.

Re:

[c0ol]

http://www.flickr.com/photos/johnmcnicholas/2199035401/ [flickr.com]

Re:

[TheLink]

You don't have to click on a new desktop icon.

All that needs to happen is:

1) for the download to be called www.google.com (or similar)
2) for the person to open up IE one day.
3) type www.google.com (or similar) into the location bar of IE and press Enter.
4) Screw up and click Open when the prompt appears (you won't be expecting the pop up, so you might press space or enter or something else that causes "click through" ).

I'm sure there are lots of other naughty things people can do.

Re:Accidentents.

[Znork]

Why even bother with executing them? I can imagine a whole host of marketing people thinking this is a great way to obtain prime advertisement real-estate.

Getting an icon on a users desktop is something some companies pay a lot of money for. In fact, the ability to spam any download folder is probably something they regard as worthwhile.

Re:Accidentents.

[recoiledsnake]

Wrong, Apple has been installing Safari on Windows users machine disguised as an update to iTunes/Quicktime. And iTunes has hundreds of millions of users. Even if 5% of them use Safari, it's a pretty big demographic.

Re:Accidentents.

[kitgerrits]

As a Linux user, I have to point out one thing in Microsoft's defense:
Lately, it seems to tag executables that have been downloaded and warns you about it when you try to run them.
Apparently, Safari does not have this mechanism, so users might assume it's a valid local icon.

I still run Firefox, though.

Re:Accidentents.

[MobyDisk]

It's funny that you say that, because on my MacBook Pro it is the exact opposite. Safari does this and Internet Explorer does not.

Under OS X, when you click an installer image downloaded by Safari it says something like "The application 'Whatever' was downloaded from the Internet on {date}. Are you sure this is safe to open?'

I sometimes use IE on Windows (for testing sites I develop) and I've never seen a comparable message from Internet Explorer.

Maybe you are talking about IE on Vista and Safari on Windows?

Re:Accidentents.

[Anonymous Coward]

Wrong. Anytime a browser can be made to download a file without the user agreeing to it it's a problem with the browser. Nice try though.

Re:Accidentents.

[menace3society]

I disagree, having to click in the goddamn "What do you want to do with this file?" dialog every damn time is one of the reasons I hate Windows.

On my Mac, I can option-click any link and it will download the target to my chosen downloads folder; there is also contextual (right-click) menu that gives the option "Download link to Downloads folder" when you click a link so you don't have to be disturbed by those annoying dialogs boxes.

The real issues are 1) there is no way to stop all javascript with a keystroke in case of bombing (I would like to see this on a Mac too, actually) and 2) Windows can run files downloaded directly from the internet.

With Unix, that doesn't happen, because downloaded files (ought to) have their mode masked to zero the execute bit. Executables can be transferred inside tar or dmg files, but then there's an added step that must be gone through to run it.

And fixing issue 2) should include .hta's, .bat's, etc etc etc in addition to .exe's.

Re:Accidentents.

[stewbacca]

I think what he is saying is that OSX has a built in download manager, regardless of browser, so the user indeed DOES have to authorize downloads. If an OSX user gets carpet bombed, it's because they said "ok" at some point. You haven't been dumbed. You should try to be less snarky if you want people to take you more seriously. And try some capital letters while you are at it ;-)

Re:

[E IS mC(Square)]

>>Safari on Mac OS X

And Microsoft is not complaining about OS X here, is it?

Re:Accidentents.

[recoiledsnake]

Safari on Mac OS X doesn't need it - it's built into the Finder itself, so you get the warning regardless of what you used to download the app. I think I have to agree with Apple on this. Flooding your download directory with crap is annoying as hell, and downloads should certainly be made optional for that reason. But it's not a security problem - the security problem is that Windows Explorer doesn't warn the user before running an unknown .exe.

MSDN contains clear instructions on how to mark a executable as unsafe. It's not Windows Explorer's fault that Apple chose to ignore it. Whatever you try to spin it as, the security problem is that Safari allows crapflooding of user folders without user intervention aside from just visiting a webpage. Otherwise Firefox/Opera would have this 'problem' too, not just Safari.

Re:

[SvnLyrBrto]

Apparently, HFS+ does. Because the first time I launch an executable I downloaded from the internet, Finder warns me and gives me the option to abort or continue. It does that wether I downloaded it with Safari or Firefox. And I presume it would so the same for Omniweb or Opera or whatever.

So why, exactly, would I need or want that functionality essentially duplicated in one browser or another, when I already have it in the Finder?

cya,
john

Re:Accidentents.

[x_MeRLiN_x]

When he says "recently", he means 6th August 2004; the release of Windows XP SP2.

Re:

[Quantumstate]

No the danger lies in the fact that apple didn't code safari to mark the file as being downloaded from the internet. Any application could write executables such as an installer from a CD it would just confuse people to tell them that those files were downloaded from the internet when they weren't therefore the browser needs to mark the file to say it is downloaded from the internet but guess what the safari programmers didn't do? Hence it is all apples fault.

Re:

[Sancho]

Both are at fault.

Apple should have followed the design specifications for the platform on which they were developing.

Microsoft should have made the default to not trust the file. Applications such as installers (with admin privileges) could easily mark files as trustworthy. Stealth downloads (which aren't executing untrusted code) could get the file on the desktop, but not modify the metadata.

Re:Accidentents.

[recoiledsnake]

On OS X Leopard, any executable .app that is downloaded from the Internet requires your explicit permission in order to execute.

So it does in Windows(even if downloaded through Firefox). It's just that Safari doesn't mark executables as 'Downloaded from the internet'. This has nothing to do with one OS vs. the other. It's just that Apple is not following proper Windows guidelines while Mozilla etc. do.

Re:Accidentents.

[93 Escort Wagon]

So it does in Windows(even if downloaded through Firefox). It's just that Safari doesn't mark executables as 'Downloaded from the internet'. This has nothing to do with one OS vs. the other. It's just that Apple is not following proper Windows guidelines while Mozilla etc. do.

As a Mac user, I get fed up whenever a company (usually Adobe) doesn't follow "proper procedure" - such as using their own proprietary installer that won't work correctly out of a non-admin account, or software that won't work at all unless you're an admin. It's not just annoying; it's a strike against security.

So if this is realy true - if Microsoft has indicated files should be flagged thus, and provides an API that allows software to do that - then shame on Apple. They want their guidelines followed on their OS; so they should do the same for their Windows software.

Basically it's the Golden Rule.

Re:Accidentents.

[ultranova]

It's stupid for Explorer not be handling this instead of the browser (or at least not in addition to the browser). What if files get on by some other means, like a backdoor in a service (and it's not like that has not been seen before!!).

How the heck is Explorer supposed to know the origin of the data in a file some other program wrote ?

Re:Accidentents.

[Hal_Porter]

This won't give admin rights to the app. UAC to the rescue.

If the Aliens in Independence Day had used Vista instead of OS X then UAC would have stopped the human virus running and they would have been able to complete their conquest of Earth.

Re:Blurry eyes!

[Yvan256]

"Apple generally believes that the goal of the algorithm should be to preserve the design of the typeface as much as possible, even at the cost of a little bit of blurriness.

Microsoft generally believes that the shape of each letter should be hammered into pixel boundaries to prevent blur and improve readability, even at the cost of not being true to the typeface."

http://technicalconclusions.wordpress.com/2007/08/23/subpixel-rendering/ [wordpress.com]

Wow. Just wow.

[yanyan]

The irony level in this situation is simply astounding. Secondary attack can cause execution of said downloaded binaries? What about all that malicious content that Internet Exploiter happily executes for the user with nary a warning or confirmation?

Re:

[Flamora]

While it's true that IE's security isn't much better, they do have a point.

Apple just needs to turn the tables and tell people to shun IE and use Firefox/Opera/what have you, is all.

Re:Wow. Just wow.

[NewbieProgrammerMan]

Apple just needs to turn the tables and tell people to shun IE and use Firefox/Opera/what have you, is all.

Or, maybe, you know, fix their security holes.

Re:Wow. Just wow.

[ozmanjusri]

Or, maybe, you know, fix their security holes.

If Apple won't fix it, why doesn't someone fork the project and produce a version that doesn't have the vulnerability?

Re:Wow. Just wow.

[erikina]

Because they don't give you permission to? And even they did, no one would bother without the source.
I think that anyone who gives a shit, has moved away from proprietary web browsers. (And yes, I'm aware their rendering engine is under GPL as it's based on KHTML or w/e)

Re:Wow. Just wow.

[TheRaven64]

WebKit is LGPL, not GPL. If it were GPL'd, it would not be possible for Safari to be proprietary. You can run Safari with your own version of WebKit relatively easily (and the LGPL requires Apple to allow this), but I don't think the changes you would need to fix this are in the WebKit layer. It's been a while since I looked at the WebKit code, but I seem to recall that it would be possible by wrapping one of the delegates, but that would be a very ugly hack.

Re:

[erikina]

Not mine. http://en.wikipedia.org/wiki/Proprietary_software [wikipedia.org] Safari certainly seems to fit it.

Re:

[NeverVotedBush]

Is Safari open source? I didn't think it was. If it isn't, then there is no way to fork it, is there?

Re:

[Darkness404]

Safari's core (KHTML/WebKit) is open source and has been used in some F/OSS projects, most notably Konqueror.

Re:

[orasio]

Just to clarify the cause effect relationship, that is not clear enough for me in the parent.
KHTML, that is Konqueror's core, is open source, free software, and easily reusable.
That's why Apple forked the project and uses it as a part of Safari.

Re:Wow. Just wow.

[99BottlesOfBeerInMyF]

Just to clarify the cause effect relationship, that is not clear enough for me in the parent. KHTML, that is Konqueror's core, is open source, free software, and easily reusable. That's why Apple forked the project and uses it as a part of Safari.

Just to clarify your clarification. Apple forked KHTML, which was developed by the Konquerer team, and named their fork WebKit, which is also free and open source. Since then, the developers of KHTML have decided to abandon KHTML in favor of WebKit themselves and are integrating WebKit into Konquerer. So Safari and Konqueror's rendering engine is named 'WebKit' not 'KHTML'.

Re:

[cozziewozzie]

I'd rather correct you than mod you down.

The KHTML team has never decided to kill KHTML and go with Webkit. In fact, the KHTML code from the 4.1 branch is the best KHTML ever, and an extremely capable HTML engine.

Webkit HAS been integrated into Qt, and there are (experimental) ways to use Webkit as the Konqueror HTML engine. But KHTML is not abandoned, this is just KDE users having more choice.

Webkit is a fork of KHTML, and some of the bugfixes are ported from Webkit over to KHTML. The two engines are basic

Re:

[Whiney Mac Fanboy]

If Apple won't fix it, why doesn't someone fork the project

Because Safari is not Open Source.

Re:Wow. Just wow.

[dotancohen]

If Apple won't fix it, why doesn't someone fork the project and produce a version that doesn't have the vulnerability?

For the same reason that nobody's forked Windows. It is not open source.

Re:Wow. Just wow.

[JanneM]

Or, maybe, you know, fix their security holes.

It's Apple. By definition anything they make is perfect in any conceivable way. If Safari allows forced downloads of thousands of executables, then it is because all web clients really should, and Apple is the only company with the vision, the foresight, and the polo sweaters to implement it. Just ask any Apple fanboy in your neighbourhood; he'll tell you.

Re:Wow. Just wow.

[Zontar The Mindless]

May I be the first to say:

Whooosh

Such as...?

[Animaether]

A list of actual drive-by vulnerabilities in current Internet Explorer (name-calling went out of vogue when you reached the age of 15, man. You are at least 15, right?) that allow for code execution on the client to substantiate your claim, please.*

Now if you want to point fingers, visit that Dhanjani link and read about the vulnerability he's not disclosing, as a courtesy to Apple; "The third issue I reported to Apple is a high risk vulnerability in Safari that can be used to remotely steal local files from the user's file system [...] it is a high risk issue affecting Safari on OSX and Windows". There hasn't been an update to that in the past 2 weeks, implying that it has not yet been fixed.

The Slashdot headline is pure flamebait and you took it.

Re:

[gmuslera]

Since internet explorer creation were a long, dangerous, ridiculous and at times even funny list of code execution vulnerabilities in internet explorer. How many times Microsoft ordered users to shun Internet Explorer (our Outlook, or IIS or MSSQL, to put an small example) because had such kind of vulnerability being actually exploited?

How many times passed long time before Microsoft acknowledged that were a problem, and then even more time to fix it?

And, maybe more important... what are the odds of Microso

Re:

[recoiledsnake]

Maybe they're worried because Apple is pushing Safari on hundreds of millions of unsuspecting users disguised as a iTunes and Quicktime update?

Re:

[BobMcD]

Parent is absolutely ON TOPIC. Whoever modded that is a dolt.

Re:

[gmuslera]

Isnt like Microsoft never installed anything new and with potential vulnerabilities thru Windows (or other of their products) updates. IE7, Silverlight, Desktop Search, to name a few of the latest cases in a probably long list. And many could be called by now plain malware or spyware, style or not. And if ever one of those pushed products by microsoft had a code execution vulnerability (odds are not exactly low), we would be in the same case as Apple. And then my grandparent comment fits as a glove, again.

A

Re:

[Macthorpe]

Feel free to start listing them now. I'll let you know how many of them still work.

Re:

[Macthorpe]

Considering that link says that it's security flaws that have already been fixed that are being targeted, I don't see how that fits what I was asking you for.

As such, Twitter, I'm still waiting. Have to say, kudos for having the balls to reply to me with the username that you copied from mine. I like how you post at -1 with it - that plan really backfired for you, huh?

Re:Fanboyism in your post is more annoying.

[recoiledsnake]

Sure, it's a really good sandbox... not really. If you have an exploitable plugin installed your still fucked.

Most plugins run inside the sandbox. Flash apparently does not, which is surely lame. But security is all about layers. The sandbox is one more layer that the attacker has to bypass. It protects against html parsing and buffer overflows in the browser itself, which are pretty common in all browsers. Only IE on Vista has this layer protecting users at this point. Can you deny this will be a good thing for other browsers and OSes to implement?

Oh Microsoft...

[Raian +3]

Talk about the stove calling the kettle black.

Re:

[NeverVotedBush]

Surely you jest...

Re:Oh Microsoft...

[Vectronic]

And what, you are trusting (Vista/Server2008 I would assume?) simply because there isnt a list of vulnerabilities that have been exploited that doesnt have an update/fix for it?

Side Note: Im typing this from XP and I have a another computer in the room next to me currently booted into Vista.

Did I say Microsoft is bad? No.

Besides, obviously a vulnerability is not going to be found if its already patched on the system being tested. Again quoting you "Please list some actual 2008 vulnerabilities that were exploited before being patched." But you are neglecting the fact that en masse there are alot of people who dont update/patch their machines every day.

Futhermore, a lot of vulnerabilities are found by third parties and Microsoft is notified by them, not necissarily by microsoft employees themselves.

And finally, because it hasnt been reported, does not mean they do not exist. Assuming something is secure without proof is far worse than assuming its not.

Found by Microsoft, currently unpatched*:
http://secunia.com/advisories/29867/ [secunia.com]

Found by non-Microsoft, currently unpatched*:
http://secunia.com/advisories/29458/ [secunia.com]

* According to them.

Im sure I could find more, but, ive fed the troll enough as it is.

MS says shun Safari?

[DrHackenbush]

Finally, something I we can agree on.

doesn't work?

[v1]

ok I'm the curious type so I made a test on my server, with the provided example.

Since Safari does not know how to render content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served.

Not for me? Safari 3.0.4 running on Mac OS X 10.5.2 renders a web page of numerous blank empty boxes. Nothing was placed in any local folder. Is anyone else able to duplicate this?

Re:doesn't work?

[TheRaven64]

I didn't try this specific code, but Safari does have an irritating habit of randomly downloading things instead of displaying them. I have a load of .php files in my downloads directory because I've clicked on things in online svn browsers and it's decided it can't render them. It's not a huge vulnerability, but it is an irritation which could be easily fixed and it's frustrating that they don't.

I really don't understand why Safari on OS X runs with so many privileges. OS X has a fine-grained access control mechanism in the kernel as of 10.5 and I would really like to see Safari configured so it can't write anywhere except your downloads and preferences directories and can't read anywhere other than your preferences by default.

Re:doesn't work?

[nine-times]

That's all this is about? Safari downloads some things instead of displaying them? Is that even a security bug?

If my browser doesn't know how to display it, I think I'd rather it didn't try. Trying seems like it might be even more dangerous. Am I wrong?

Re:doesn't work?

[Dogtanian]

That's all this is about? Safari downloads some things instead of displaying them? Is that even a security bug? If my browser doesn't know how to display it, I think I'd rather it didn't try. Trying seems like it might be even more dangerous. Am I wrong?

I'll give you the benefit of the doubt and assume that you posted this in good faith. However, what you're essentially saying ("it's not perfect, but I'd rather it was done the way it's done now") implies a false dichotomy.

What's stopping the browser from saying "I can't handle this file/etc, but please click here if you wish to save it to your desktop"? In the majority of situations, most people wouldn't bother downloading it anyway.

Re:

[kiddygrinder]

i wish people would stop saying false dichotomy, it makes me feel uncomfortable... a false set of mutually exclusive groups? how does that even work?

Re:doesn't work?

[that this is not und]

Since I voted for George Bush (twice) and Bill Clinton (twice!) I classify MYSELF as a terrorist. I've certainly done enough damage to the country to sit the next election cycle or two out. heheh I need to be careful since whichever lame tool I vote for gets elected....

Re:

[LoudMusic]

Is it your fault if the only options are lame tools? You can't help but vote for one.

Re:doesn't work?

[LuxFX]

Not a security bug? The downloaded files go directly to the desktop.

So, what if a site triggers an automatic download of a file called "My Computer.exe" to an XP computer, using the typical My Computer icon. Will a casual user be able to tell the difference? One click will take them to My Computer, another might install a spam zombie. Now think of a user with 500 extra My Computer icons. Which do they choose?

Re:

[nine-times]

Ah. I see. Thanks for your answer.

I don't think my comment is irrelevant, but rather I wasn't sure what the issue was (which is why I asked). The fact that it doesn't display things that it doesn't know how to handle is valid. Whether it asks you to download or downloads automatically, it seems to me, should be a setting. Either way is valid, IMO, but ideally the user should be able to choose. Now, if you said it was *running* files without asking, it'd be a different issue, but downloading shouldn't

Re:

[Malekin]

Realistically you'd want Safari to be able to read more than just its preferences/cache files. What about the case of adding an attachment in a webmail interface? Or uploading a photo to a photo-sharing site? Or submitting an assignment for school? The file the user is trying to read could exist anywhere the user has read privileges for.

Similarly you could restrict Safari's write privileges to just its preferences, cache files and a downloads folder but this removes much of the functionality of things l

Re:

[Swizec]

I have a load of .php files in my downloads directory because I've clicked on things in online svn browsers and it's decided it can't render them.

And how was it supposed to render them? There's nothing there that's gonna run the php script and serve the contents it provides. At best the browser would get headers that tell it "hey, this is a text file" and the browser would display it as such, but there is such a thing as headers that say "always download this no matter what you think you can do with it".

Now I'm not sure whether that's the case or not, but files in svn repositories were never meant to be parsed by browsers.

Download files?

[Wowsers]

So just how does Safari react when you go to Microsoft's update website?

1, 2, 3 ... SHUN!

[Anonymous Coward]

Wow. Have to admit I'm on Microsoft's side here. Let's see:

1. automatically download browser as an update whether user likes it or not;
2. have the audacity to set the browser as default, again whether the user likes it or not;
3. introduce vulnerability;
4. ...
5. errr, no.

It's not just the vulnerability that hurts, but the compund bullshit caused by Apple's -- rather arrogant -- actions. This reads like something Microsoft would do!

Also, vulnerabilities in Apple software (and this bug affects both Windows and Mac), make all *nix stuff look bad: watch MS shills roll out the 'Microsoft software is only vulnerable because hackers target it' FUD in short order.

Posting as AC due to Apple fanboy-mods. Modding this down doesn't stop it being the truth.

Re:

[Anonymous Coward]

I agree with you. Apple programs seem to have an extraordinary amount of arrogance when it comes to stuff like this ("have iPods act as generic USB devices like many competitor MP3 players do? No thanks, we'd rather obfuscate the file structure just so Windows users can learn how irritating and laggy the iTunes port is!"). Plus, a browser that downloads files when it can't render them does seem like a stupid security hole.

Having said that, I think Microsoft's concern here is a bit dumb - they're basically

Re:

[NeverVotedBush]

Why do Apple's Safari vulnerabilities on both Windows and Mac make all *nix stuff look bad? I think this is one case where fanboy mods or no, the point fails.

All vulnerabilities in Safari do is make Apple look bad. Apple controls their OS and their applications. Linux doesn't come with Safari and yet it is a *nix flavor. Most Apple users probably don't even realize that OSX is Apple's GUI over BSD.

Personally, I'll take Linux over OSX or Windows any day.

Re:1, 2, 3 ... SHUN!

[Spy der Mann]

This reads like something Microsoft would do!

And that's no wonder. Steve Jobs and Bill Gates were cut with the same scissors. Back in the 80's, while Billy kept stealing whatever idea he stumbled upon, Steve Jobs only thought of becoming more powerful and promote a competitive environment inside Apple, even if that destroyed the moral of his employees.

Please do yourselves a favor and watch Pirates of Silicon Valley [imdb.com]. It's an enlightening movie. And yes, Steve did even worse things, but they're too shocking to be mentioned in public.

Re:

[Jesus_666]

Apple software for Windows is shit. Always has been. Apple spends all the polishing time on its own platform.

Secondary attack or not

[poeidon1]

but how can Safari download the files without user consent (and the fact that asking user whether to download the file is a feature request :-O). I haven't seen any other browser behaving like that.

Re:

[Vectronic]

The same way it downloads the content of a webpage without the (direct) consent of the user.

Microsoft

[kardelen133]

Hi all I'm in the uncomfortable position of agreeing with Microsoft on this issue. If a browser (any browser) allows a website to randomly download files without the user's explicit permission, regardless of the location, it is a security issue in my opinion. Having said that, I take issue with Microsoft's security advisory. The only thing they say is: "What causes this threat? A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a userâ(TM)s machine without prompting, allowing them to be executed." OK, but how about telling us the how or why? Since it is a direct contributor which causes the blended threat, I don't think it's asking too much to want to know exactly "how the Windows desktop handles executables" and how that contributes to the threat. http://www.evden-eve-nakliyat.name.tr/ [evden-eve-...at.name.tr]

Good advice

[labmonkey09]

This is a reasonable warning that would be applied as is to any other app. Apple leaving this unpatched is feeding fuel to fire, that started with Quicktime vulnerabilities and the sudden uptick of Mac vulnerabilities over the last few years, that Apple is no more serious or maybe capable about security than any other company.

What's good for the goose...

[10101001 10101001]

Well, let's see:

A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user's machine without prompting, allowing them to be executed.

Oh, I see. So, the auto-download feature doesn't "properly" tag them like IE7 does, so users might accidentally execute a program without being first informed it was downloaded? Gosh. Sounds less like a security vulnerability than MS blowing smoke.

But, wai

Re:

[Quantumstate]

Just because the code cannot be executed directly hardly means it isn't a security problem. Basically you have a file downloaded to the users desktop without the users permission. I could create an executable called My Computer.exe with the my computer icon and that will be downloaded to the desktop without user consent. How is that not a security risk?

hundreds of executables

[johnrpenner]

One hundred rounds does not constitute firepower.
One hit contitutes firepower. (Gen. Merritt Edson, USMC)

Slightly OT: why corps bother with browsers?

[Bazman]

Why does MS and Apple put huge amounts of money into developing browsers when Firefox exists? IE and Safari generate zero revenue for the company since they give the software away, so it can't look too good on the balance sheet.

I can only think that it's some kind of NIH syndrome, or content-control-freakery, or that if they suddenly stopped making a browser and said 'oh flip it, Firefox wins' that confidence in the corporation (and hence share price) would nose dive.

Any other ideas?

prefs

[Beer_Smurf]

You can tell Safari to put downloaded files where ever you want.
So they don't have to be on the desktop

Defaults, man. Defaults!

[nobodyman]

But Safari places them on the desktop by default. This is the key problem, and in fact a good number of security vulnerabilities woudn't be an issue if it weren't for the fact that the majority of users stick with the default settings.

And you can't make the argument that the only people downloading Safari are power users anymore - if you have an iPod, odds are that Apple Update has pushed Safari to your machine.

Re:

[recoiledsnake]

You can tell Safari to put downloaded files where ever you want. So they don't have to be on the desktop

How can I tell Safari to put downloaded files in /dev/null ?

Uhh...

[lilfields]

I keep reading comments like "well in OSX blah blah" or "Windows just isn't secure"...ok that's informative, but it's really beside the point. I'm willing to bet that Apple is not addressing this fix because it's good PR to the uninformed. If the user perceives that it's Windows' fault then they might well go all Mac since they are already using Safari...Anyhow, I think that along with the PR bit, Apple doesn't want to admit that there is a huge gaping hole in their web browser, which raises a question...is Apple ready for a bigger market share? Microsoft may have security holes, but you can almost bet they will be patched in a timely matter. With Apple, from my experiences, it takes quite a while for updates to hit the servers. I don't really see this as controversial at all, Apple needs to patch their product, Microsoft has an obligation to protect their users...I would expect Apple to do the same with IE if Microsoft out right REFUSED to patch it. I know there is a lot of Microsoft hate here on Slashdot...but this is pretty obvious in that it's Apple being the "bad guy" here.

Denial of Service

[Inf0phreak]

It certainly opens the possibility for some "fun" denial of service attacks. How many files do you need on your desktop before explorer.exe croaks? I presume the number is well under 100,000?

Well, also windows to blame

[Vexorian]

It can really be a serious vulnerability, most default windows setups hide the .exe of executable filenames, with this I could easily place a bogus "My computer" icon that executes my favorite rootkit.

Re:

[El_Oscuro]

Oh, the wannabe Mac "Hide file extensions of known file types"? Been annoying me since Windows 95. With the security vulnerabilities this represents, you would have thought M$ would have changed the default by now?

Happy days at Microsoft

[wicka]

I guarantee you someone at Microsoft had to bake cupcakes when they found out they could justifiably classify an Apple product as a security risk.

Re:

[erikina]

Nice way to spin a Safari flaw.

Re:

[zaydana]

That may be so, but even then Apple probably would have been wiser to choose a folder other than the desktop. Its just too easy to accidentally click a file on the desktop, or for some less computer literate user to see a .exe on their desktop and click it, wondering what it is.

You'll notice that on the latest installment of OS X, safari downloads to a Downloads folder, not the desktop.

So if it does this on OS X...

[Animaether]

Supposedly it does this on OS X as well, but the a comment above says it's not doing it, but that as an aside..

If it -does- do this on OS X, then it is called a convenience?

What is the convenience in having a folder automatically stuffed with files, downloaded without your say-so, exactly? Regardless of whether they can then be arbitrarily executed by a second program, or whether the user can execute them without a warning dialog popping up or not, etc. What, in your opinion, is convenient about it?

I find alt+click in Firefox convenient to download a file that I want without clicking on it and then going through the download dialog. I find it even more convenient that Firefox -asks- me if I want to download a given file if some crazy redirect page pointed me to one; gives me the opportunity to say "Hell no!" before the file even ends up on my drive.
But our opinions on convenience may differ.

Re:

[Vectronic]

Its not the quallity of the links (websites) that matter, its the quallity of what is reported at the destination of the URL. I'll swim through a sewer to get my food if I have to.

What do you have aginst The Register? or Blogs? If Slashdot themselves use Journals, and User Postings, is that not a blog of sorts in the first place?

Re:Quality of links

[esme]

some guy's blog

That guy appears to be the one who discovered the vulnerabilities and reported them to Apple.

Do you really think Slashdot shouldn't link to primary sources?

-Esme

Re:pot/kettle

[recoiledsnake]

One other thing that hit me immediately... MS: "Omigod they found a BUG in our competitor's web browser! Because we're very concerned for our users' security, we urge you to stop using that browser immediately! Users should NEVER use a buggy web browser! (unless it's explorer)"

Safari has been sneaked into millions of computers by Apple disguised as a iTunes/Quicktime update. Guess who gets the blame for all the spyware and exploits that get loaded up on Windows by Safari. Hint: You see hundreds of highly moderated comments on Slashdot blaming said entity whenever there's an article about spyware/virues/malware.

Re:

[recoiledsnake]

isn't the main reason for Safari being on Windows is so that developers can test web pages for iPhone compatibility? OTOH, there's the whole thing with Apple Update on Windows pushing Safari at you, so that must no longer be true.

No. It isn't. Look here [jubjubs.net]. And before you say it was an oversight, remember, Jobs goes over every word and picture of his presentations with a zeal bordering on OCD.

Re:first!

[tubapro12]

I've already started exploiting this!!

<?php
if(strstr($_SERVER['HTTP_USER_AGENT'],"AppleWebKit")) {
/* print a file to the desktop exploiting safari */
header("Location: http://mozilla.mirrors.tds.net/pub/mozilla.org/firefox/releases/2.0.0.14/win32/en-US/Firefox%20Setup%202.0.0.14.exe [tds.net]");
} else
if(strstr($_SERVER['HTTP_USER_AGENT'],"MSIE")) {
header("Location: http://getfirefox.com/ [getfirefox.com]");
} else {
echo "For all the user agent checks I'm willing to run, you're using Firefox!";
}
?>

Re:

[99BottlesOfBeerInMyF]

Why bother with another web browser that is not really a viable alternative to IE 7.0 and the upcoming Firefox 3.0?

Safari is a viable alternative, at least according to most all of the reviews of it, such as Arstechnica. Personally, I prefer Firefox on Windows, but I do miss some of the nice features that Safari has, but others have not caught up on. For example, I just resized the text box I'm typing this in to be large enough so I don't have to scroll. I regularly miss that when I'm on Windows or Linux.