[orly] Browser Security: Safari Carpet Bomb - Overclock.net

0xygen · 05-15-08

Quote:

I recently communicated 3 security issues in the Safari browser to Apple.

Apple let me know that they will fix 1 of the issues I reported. I will not discuss the vulnerability Apple has promised to fix until they release the fix because it is a high risk issue affecting Safari on OSX and Windows.

I let Apple know that I’d like to discuss the 2 issues they won’t be fixing with the security community and they let me know they are fine with it.

oreillynet.com

The Hundred Gunner · 05-15-08

Quote:

Originally Posted by From the Article

Before I get to the details, I want to make it extremely clear that the Apple security team has been a pleasure to communicate with. I sent them a couple of emails asking for clarifications, and they responded quickly and courteously every time. I want to publicly acknowledge that I appreciate this very much.

Here are the issues I reported:

1. Safari Carpet Bomb. It is possible for a rogue website to litter the user’s Desktop (Windows) or Downloads directory (~/Downloads/ in OSX). This can happen because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed).

...

2. Sandbox not Applied to Local Resources. This issue is more of a feature set request than a vulnerability. For example, Internet Explorer warns users when a local resource such as an HTML file attempts to invoke client side scripting. I feel this is an important security feature because of user expectations: even the most sophisticated users differentiate between the risk of clicking on an executable they have downloaded (risk perceived to be higher) to clicking on a HTML file they have downloaded (risk perceived to be lower).

Apple’s response was positive:
…we have been investigating the potential for a "safe" mode for local HTML. This is an area that requires a fairly deep investigation to address compatibility issues, and to determine the proper operation. Please understand that when we label this as a security hardening measure, we are not discounting the benefits that this could have.

3. [Undisclosed]. The third issue I reported to Apple is a high risk vulnerability in Safari that can be used to remotely steal local files from the user’s file system. Apple responded positively and let me know that they are actively working to resolve the issue and issue a patch. I will post an update if I hear back from them.

I’d like to thank the Apple security team for their timely responses and for letting me discuss these issues with the security community.

Safari is a really fast browser and supports Firefox's Ad-Block's filter lists. It seems to be so riddled with holes, though... Hopefully they fix this crap.

onlycodered · 05-15-08

Safari is a piece of crap, and that's coming from a Mac user.

RickJS · 05-15-08

Quote:

Originally Posted by onlycodered

Safari is a piece of crap, and that's coming from a Mac user.

Agreed, FF4MAC4EVA.

o.o

**Marin** · 05-15-08

Safari for Mac users is like IE for Windows users. It comes with it, some users use it and others install a different browser like FF and Opera.

nathris · 05-15-08

Quote:

1. Safari Carpet Bomb. It is possible for a rogue website to litter the user’s Desktop (Windows) or Downloads directory (~/Downloads/ in OSX). This can happen because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed).

Apple programming in a nutshell... we don't think you want this so we're just not going to include it. That OSX hasn't been destroyed by hackers is a testament to how little they care about it.

jameskelsey · 05-15-08

Apple has never had a big enough market share for the hackers to go after it,but that's changing and the attacks will come.

Higgins · 05-15-08

I seriously cannot wait for a "blaster.worm" type virus to come to OSX. Not because i want people to get infected but so this false sense of OSX being this secure fortress can finally be ripped to shreds and people can come back to reality.

Is there even an OSX anti-virus?

**Marin** · 05-15-08

Quote:

Originally Posted by Higgins

I seriously cannot wait for a "blaster.worm" type virus to come to OSX. Not because i want people to get infected but so this false sense of OSX being this secure fortress can finally be ripped to shreds and people can come back to reality.

Is there even an OSX anti-virus?

Yes.