May 15, 2008 2:32 PM PDT

Apple dismisses Safari vulnerability

Safari users are at risk of littering their desktops with malicious software because the browser does not ask for user permission when downloading files in the way that Firefox and Internet Explorer do, a security researcher said Thursday.

In a blog post titled "Safari Carpet Bomb," Nitesh Dhanjani describes how a rogue Web site can easily download resources to the Windows desktop or downloads directory on the Mac.

"Apple does not feel this is an issue they want to tackle at this time," he writes.

An Apple representative told Dhanjani that an "enhancement request" for an "Ask me before downloading anything" preference would be filed with the Safari team. "Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads," the Apple representative wrote in an e-mail to Dhanjani.

That issue, coupled with the fact that Safari doesn't warn users when a local resource, such as an HTML file, attempts to invoke client-side scripting, creates a risky situation for most browser users, Dhanjani said in an interview. "People are starting to expect more from browsers today," he said.

The Apple representative told him that the company has been "investigating the potential for a 'safe' mode for local HTML."

Meanwhile, Apple does plan to fix a high-risk security vulnerability that Dhanjani discovered. It could be used to remotely steal local files from a user's file system.

An Apple spokesman did not return a phone call and e-mail seeking comment.

"Since Safari does not know how to render content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served. If you are using Safari in Windows, this is what will happen to your desktop once you visit http://malicious.example.com/," Dhanjani writes in explaining this screenshot.

(Credit: Nitesh Dhanjani)
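The download behaviour the article contrasts (Safari saving an unrecognised content type with no question asked, versus a browser that prompts) can be modelled as a small policy and replayed against the repeated-download page described above. This is an added illustration for this article, not Apple's or Dhanjani's code; the renderable-type allow-list, the per-origin backstop threshold, and the sample response headers are all constructed assumptions.

```python
from collections import defaultdict

# Types the modelled browser renders inline rather than saving to disk
# (constructed allow-list for the example).
RENDERABLE = {"text/html", "text/plain", "text/css", "image/png",
              "image/jpeg", "image/gif", "application/javascript"}

# Constructed backstop: more silent saves than this from one origin in a
# session is treated as a carpet-bomb and refused.
MAX_SILENT_SAVES_PER_ORIGIN = 3


class DownloadPolicy:
    def __init__(self, prompt_on_unknown):
        # False models the behaviour the article describes (unknown type is
        # saved with no question asked); True models the requested
        # "ask me before downloading anything" preference.
        self.prompt_on_unknown = prompt_on_unknown
        self.silent_saves = defaultdict(int)

    def decide(self, origin, headers):
        """Return 'render', 'prompt', 'save' or 'block' for one response."""
        ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
        disposition = headers.get("Content-Disposition", "").lower()
        if ctype in RENDERABLE and not disposition.startswith("attachment"):
            return "render"
        if self.prompt_on_unknown:
            return "prompt"  # each file needs the user's consent
        self.silent_saves[origin] += 1
        if self.silent_saves[origin] > MAX_SILENT_SAVES_PER_ORIGIN:
            return "block"  # origin keeps forcing saves: stop it
        return "save"


def replay(policy, origin, responses):
    """Run one origin's responses through a policy, in order."""
    return [policy.decide(origin, h) for h in responses]


# Constructed session: the page loads once, then the unknown-type resource
# (the researcher's carpet_bomb.cgi) is served five times.
ORIGIN = "http://malicious.example.com"
SESSION = [{"Content-Type": "text/html; charset=utf-8"}] + \
          [{"Content-Type": "blah/blah"}] * 5

if __name__ == "__main__":
    print(replay(DownloadPolicy(False), ORIGIN, SESSION))
    # -> ['render', 'save', 'save', 'save', 'block', 'block']
    print(replay(DownloadPolicy(True), ORIGIN, SESSION))
    # -> ['render', 'prompt', 'prompt', 'prompt', 'prompt', 'prompt']
```

The legacy policy only stops the flood after the constructed threshold is passed, while the prompting policy never writes a file without consent; the difference is the whole of the "enhancement request" the article reports.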
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 and previously covered search, online advertising, and portals.
by Thomas, David May 15, 2008 3:26 PM PDT
Holy smokes. In fact, what ARE you smoking? This is a strange argument indeed. I already know of, and expect, client-side scripting for many, many reasons. However, I also know that scripting is sandboxed. Did you EVEN think about what is allowed before you wrote your article, or did you simply make the ill-informed assumption that all client-side scripts are bad? I have to blast you over the downloads as well: warnings DO pop up concerning files that are detected to contain disk images and executable files. The ONE THING (well, a lot more) that users can count on is the lack of nagging, meaningless messages that want to ask you if you want to scratch your butt when using Apple software. One of the very things Vista is being blasted for is its overuse of the same idea, that if you nag your users you are making them feel more secure. Well, guess what, it's a false sense of security.
by M C May 15, 2008 3:26 PM PDT
Alternate title: "CNet <3 security press releases"

I sure hope CBS installs some journalism.
by estie2007 May 15, 2008 3:29 PM PDT
This is why I would never download Safari. It's too immature.
by john55440 May 15, 2008 3:48 PM PDT
In addition, Apple didn't bother to put any anti-phishing tools into Safari.

From the folks who brought us the security bugfest QuickTime.
by ittesi259 May 15, 2008 3:53 PM PDT
Even though I'm a Mac user, this is another example of why I use Firefox. On the PC side I use it too. And anyone who follows a site like macfixit.com or other Mac troubleshooting sites, and has the objectivity to think about it, would see that Safari ranks up there in reasons for Mac headaches and stuff not working. My advice is not to use it, period.
by helroth May 15, 2008 5:51 PM PDT
"it's instills, not installs you Dumbkopf."

It's dummkopf, not dumbkopf, you moron.
by curiousgeorge1961 May 15, 2008 11:04 PM PDT
Go to Safari preferences, unclick "Open safe files after downloading", so you get to decide what to open or not. You also get the warning "File so-and-so contains an application, do you want to keep downloading it?" I think that's plenty of security.
by JonB. May 16, 2008 8:35 AM PDT
At some point the user has to accept responsibility for their action or inaction, and even maybe learn the software they're using.
by htoole318 May 16, 2008 8:36 AM PDT
Apple is a joke. At the last hacker convention, they tried to break into Vista, Mac, and Linux. No one even tried to get into Linux, the Mac was broken very quickly, and Vista was only cracked when the permissions were turned down, and even then it was an Adobe exploit that did it. Apple refuses to admit they are NOT a secure system; hackers have just ignored Apples in the past due to an only 8% market share. Macs are nice systems, but c'mon, don't go around bragging about security and then call the above not a security issue...
by ZiggyBop May 16, 2008 1:10 PM PDT
Hey tool. Think about it. The Safari hack you mentioned was done in under 2 minutes by directing Safari to a pre-convention established website. The hacker discovered the exploit and crafted a website prior to the timer starting at the contest.

If this had been a Vista exploit, the hacker could have sold it for more than the convention prize. Why show it off at a convention?

As Apple quickly plugged the hole, as they usually and easily do, there's no market for these hacks. There's no one making money off breaking into Macs, except hackers winning contests at conventions.

There's still no reason for most users to run resource-hogging anti-malware. The only reason to guard against malware on a Mac is to prevent passing Windows malware via email in a mixed Mac/PC environment.
by amandachuck May 17, 2008 5:48 AM PDT
Isn't that the truth, Ziggy. I've never had a virus or worm that caused any problems on my Macs in 17 years of use. I did have a virus once in the early '90s, but it was benign. Can't say the same for Windows use over the years. If it's a false sense of security, I'm happy so far. And I back up my stuff.

The exploit in question can't run anything, it can only place files on your computer. I don't tend to navigate to suspicious/malicious websites, but if someone tried to pull that, I can just throw away the offending files and be done with it. I'd rather that than to be constantly prompted as to whether the link I just clicked on to download a file is really a real link. I can take care of myself, Dhanjani. Keep looking out for the real holes like you have been, and leave the features alone?
by l-bot May 19, 2008 8:32 AM PDT
Yeah, Apple! As a long-time Apple user, I keep hoping that Apple will refocus on producing solid technology and well-designed programs. The company has become focused on being a taste-maker for its devoted followers, and I would rather buy hardware from a company focused on hardware, and get software from a company devoted to software... which leaves Apple sadly out of my future game plan. Note: I am eagerly awaiting the arrival of my Lenovo tablet, and then so long, Apple.