After more than two years, Apple's Safari browser for Macs remains vulnerable to attacks that allow websites to litter a user's hard drive with thousands of malicious files. The "carpet bomb" vulnerability was publicly disclosed in May 2008 after members of Apple's security team said they didn't consider the quirk a security …
Wonder whether jury would believe
honest gov the websites must have downloaded all that dodgy stuff without me knowing
Because Apple is security through obscurity and must not be able to get malicious stuff from sites because who would want to infect a Mac? I mean Jobs himself probably pays off the hackers so they ignore them therefore not tarnishing the shiny Apple image.
Give an Apple-user a choice on whether he wants to download a file? He might think something's broken!
Heh. That is all.
Worse things than espionage
Espionage - hardly the crime it used to be. If you want to tarnish someone's rep internationally, and maybe even issue them a death sentence (to be carried out by lethal injection of a shank in the middle of the prison courtyard), child porn is the angle of attack. No one likes a person who preys on innocent younglings.
Dropping malicious files doesn't necessarily mean executable malware.
This is serious stuff. Safari cannot be trusted, and Apple cannot be trusted to deal with security matters behind closed doors - they are completely ineffective at solving them on their own.
So when the plod have you in front of a judge because your harddisk contains files that are not liked by the current government this week (youtube clips, squid porn, bus timetables that may be of use to a terrorist, etc.), you can say:
"Look, this little flag tells you that it was downloaded from the internet..."
There is an extra layer of intervention on OS X
when you try to run an executable the Finder tells you that it's been downloaded from the Interwebs and when, then asks you again if you want to run it, even before you get as far as needing to enter an administrator password. Not that I'm defending the hole that fills your download folder with crap.
One way to exploit it.
A potential malicious website can DOS your Mac by making a script that streams the content of /dev/random on the server to a file and then silently download it to the downloads folder. Before long you'd be wondering why Mac OS X won't let you save your work.
... you could just quit Safari. Downloads aren't handled by a separate app. Quitting Safari will stop any downloading. It'll even tell you it's downloading and check you're sure you want to quit. Most sane people will be asking themselves why Safari is downloading *anything* at this point, and will tell it to do so. Problem solved.
OS X changes the icon of any freshly-downloaded app (and anything else that could be executed in some way) to one with a big, obvious "Stop" sign slapped on it. Try and open it up and up pops a dialog box saying, "You have downloaded this file from the Internet," and EXPLICITLY points out that it may contain malicious content. Again, a sane person with a memory slightly longer than a goldfish would be wondering what the hell this file is, and why it's there in the first place.
Of course, if you're a complete and utter imbecile, you click on the Open button, even though there's probably a voice in your head wondering exactly when you chose to download "AwesumPr0n.app". But there's not much anyone can do about imbeciles.
'not much anyone can do about fanbois'
What a load of drivel.
If IE or FF had this massive hole you would be moaning like hell as to how it doesn't protect you - but as it's Safari on a Mac, it's now the user's problem. Garbage.
So you would be happy to have kiddy pron automatically downloaded to your mac then? - but hey - you can always 'close safari'...and would this be before your family/kids/police were looking through your images.
By your own logic - a 'complete and utter imbecile' is somebody who has no nous about security on their machine, which by definition would be somebody who trusts Safari on a Mac -
'not much anyone can do about imbeciles....' though.
"OS X changes the icon of any freshly-downloaded app (and anything else that could be executed in some way) to one with a big, obvious "Stop" sign slapped on it."
You can't download .apps straight off the web with Safari (or have them dropped into the Downloads folder), they're directories which contain executable, DLL, manifest, and resource files.
Say what you want about how evil Microsoft is, at least they take security seriously these days.
that's right. redmond takes security so seriously they've stopped shipping bug-ridden crapware that never, ever has security holes. or viruses. windows xp and explorer are particularly immune to security violations.
no software vendor will take security seriously until they're made legally responsible for consequential losses and other damages caused by defects in their shoddy products. when a car manufacturer (say) makes a car that has design flaws, they have to pay for those mistakes: put things right, pay compensation, etc, etc. the same should hold for the software industry.
this might explain why billy-bob gates got out when the going was still good.
Get rid of titles
The same mechanism is present in windows too - downloaded exes, zips, etc are flagged and present a 'confirm to run/open' dialog.
Paris, cos she always opens zips
Well, looking at the voting ...
It would appear that we have an apple fan happily abusing Caesar's rigid digit.
Come, come good Sir, do not be shy. Put virtual pen to paper and give us your thoughts. It is always good to at least hear all sides of an argument before ignoring the ideas that don't agree with one's own opinion.
no formal test page?
Come on, come on, prove to me it works, give me a link to click on.
I'd be interested in seeing whether or not this is "fixed" on webkit, but not Safari itself.
I guess I could cobble something together, but I have a life.
No! Please ignore these 'experts'
Software will become completely unusable if every conceivable security risk has to be checked with the user. I use Safari extensively and have never encountered unrequested downloads. I also hate browsers that ask what I want to do every time I click on something.
Even if an unwanted file is downloaded, it only becomes a security problem if:
1) It's an executable, and...
2) You open it (despite warnings), and...
3) You authorise it to make changes by entering your password.
If a user is that naive, the 'experts' should just advise them to buy an iPad - but please don't dumb down all computers to this level.
In a country where the presence of certain material on your hard drive is (treated as) a strict liability offence, it IS a huge security problem.
And your surname is 'Wiggum' is it?
You do realise that...
The presence of certain types of files on your computer is evidence enough to ruin your life. Kiddie porn, jihadi documents, animal porn, etc. Try persuading a judge that you didn't mean to download it after just visiting the site.
Next point, you have heard of denial of service attacks? What if I just make a website that acts normally, but puts super large files on your hard-drive. This is why everything designed to run on the web is sandboxed. It is why Java and ActiveX have restrictions about access to the HDD.
Oddly enough, my FF and IE can both perform these checks without being impossible to use. Jobs makes a big deal about the security of Apple (even going out of his way to claim that the security is better on OSX than elsewhere); then completely ignores gaping security holes. Apple is so full of FUD it is unbelievable.
Where do you draw the line?
@John Woods: "the presence of certain material on your hard drive is (treated as) a strict liability offence"
It is also possible that when I next step out my door, there will be a mugger waiting around the corner to attack me. Do I stay inside all the time? Do I request a police escort?
Life is full of awful possibilities. However, you can't lead a normal life barricaded in against every conceivable problem. That kind of thinking is what led us down the path of cameras everywhere, ID cards, and random searches, etc, etc. You need to draw a line somewhere, i.e. decide what precautions are reasonable.
For myself - both online and out in the world - I'm careful where I go, i.e. I don't go to high-risk areas. I handle personal information with discretion. I have fitted locks and alarms and make use of them. I'm aware of potential problems and I keep my eyes open. That's where I draw the line - I don't have a bodyguard, armoured car, bullet-proof windows, panic room, etc, etc.
For my browser, I know that I will see downloads taking place because the Downloads window will appear. The files can only go to a designated folder that I routinely clean, filing useful information and trashing the rest. The files cannot execute by themselves or cause any other kind of damage without my direct assistance. I use websites I consider safe and reliable. For me, this is enough. I don't want a browser (or OS) where I'm constantly barraged with "are you sure?", "are you really, really sure", "x is happening", "y is doing such-and-such"... and so on.
In other words, I want the freedom to take responsibility for my own actions. And so far, for myself and all other Mac users, this approach has worked flawlessly for the last decade. And for those who have been more scathing in their comments, please come up with some constructive evidence rather than just slanging off everyone you disagree with.
RE: You do realise that...
"Next point, you have heard of denial of service attacks? What if I just make a website that acts normally, but puts super large files on your hard-drive"
Well, I'd see the file appear in my downloads window and stop it...
"Apple is so full of FUD it is unbelievable."
"Fear, uncertainty and doubt"? Um, no.
When you can show me a site that automatically starts downloads and somehow takes over my machine then things will be different, until then I know who the fud is...
Draw the line at the obvious lack of inconvenience.
Really? Is this what Apple users are reduced to: trying to seriously claim that it is not a bad idea to allow your browser free run of your hard drive.
As others have said: the risks are dire here. On the other hand, the degree of "inconvenience" is clearly trivial. A web browser is essentially a scripting engine that allows for random untrusted binaries. It should not be left free to run amok in any respect.
The Apple fanboys should have a better sense of paranoia.
I don't get it
Your browser downloads files to your hard disk all the time. Every item on the webpage is cached - you don't click on an "OK" button for every component of a webpage. Your browser could already download a bunch of illicit pr0n through an IFRAME and you'd be none the wiser.
Why should it make any difference if stuff is downloaded to ~/Downloads?
I can't see what the security issue is here.
Cache vs. Documents
With an IFrame, web content is put into a web cache folder and overwritten in a short amount of time, it is also limited, generally 200 MB, sometimes more. However when in the "Download" folder, it is never overwritten and isn't constrained to a few megs, so it can easily gobble the entire hard disk.
Also, there are many "experts" that can be called into trial that would point out that things in the download folder are intentional and that those in the cache folder aren't (but can still be incriminating)
I don't get why posts need titles.
"Why should it make any difference if stuff is downloaded to ~/Downloads?"
In any browser, the cache, having a tendency to become rather large, incorporates an index of its contents. The index will include where the file was downloaded from, when, the URL of the parent document (in the case of images and whatnot), probably how many times the cached file has been displayed and likely some other stuff. All in all, enough evidence to show that the file was stored on the HDD as a result of caching and it wasn't user initiated (or at the very least, it introduces a reasonable doubt).
The downloads folder on the other hand, doesn't have an index. There's virtually no way to show that the download was anything other than user-initiated.
It comes back to the illegal pr0n issue - you can probably argue your way out of a cached file that was only viewed once and never retrieved from the cache again but if the same file was in the downloads folder? You'd better prepare for a cavity search and a 7ft cell mate with a penchant for dropping the soap.
RE: Cache vs. Documents
"However when in the "Download" folder, it is never overwritten and isn't constrained to a few megs, so it can easily gobble the entire hard disk."
Unless of course you see a massive file suddenly appear in your downloads window and decide to stop the download...
>The downloads folder on the other hand, doesn't have an index. There's virtually no way to show
>that the download was anything other than user-initiated.
Um no, the files that are downloaded by Safari have the location it was downloaded from put in the More Info section of the Get Info box. If the file is automatically downloaded by an exploit of this vulnerability, it will be clear in the info of the file (as well as showing when the file was last accessed).
This is one of the reasons why I use Chrome on OS X now instead of Safari all the time.
only for idiots
'This is one of the reasons why I use Chrome on OS X now instead of Safari all the time.'
Why? Because you don't trust yourself not to seek out and download an insecure file (which doesn't appear to exist in the wild), to execute it, confirm that you want to run it, and then type in your admin password.....
Are you that stupid?
Proof that you can do whatever you like on a Mac and nothing will happen to you!
This has been around for 2 years and something bad has happened to how many people?
You nerds have fun being all high and mighty. I'm just going to carry on with smugness knowing full well people whinging on tech websites makes no difference to users on the ground.
How to find out if a downloaded file has been looked at in unix/OSX
In a criminal case they make a bitwise copy of your disk first.
You can then prove that you haven't accessed (as opposed to changed) the file since it was downloaded - either using the terminal command 'ls -l -u' or 'find -atime ....' or use the finder and click 'get info'.
One of these days I will put my old Cube on the net without a firewall and look how long it takes for s/th bad to happen. In nearly 20 years of macking around, I only caught one virus - and that came from a colleague who wrote an article about it and was quite careless ...
Apparently, nobody cares for us poor apple users.
<this is not a title>
And we will sleep better knowing there's at least one idiot out there not using Windows, thus being irrelevant to any but the narrowest business interests and out of our luser pool.
About not caring, at least... In all my years of Windows I too only encountered one piece of malware. DOS now, that was a lot of fun. Or not, as your boat may rock. I've yet to meet anything bad on Linux (except ClamAV - busted the OS then shot itself) but that may change as the platform gains more popularity. Or maybe we'll stay forever in Apple-like obscurity. Not that that is a problem, mind you, it might help us feel superior to The Unwashed Masses.
Proving if you've looked at a file
@Crazy operations guy
If the police take you to court, the first thing they will do is a bitwise copy of your hard disk.
You can then call an 'expert' in your defence, to use the unix commands at the terminal
'ls -l -u' (unix) or 'find -atime' (unix) or even the finder (explorer equivalent in osx) to show when or if the file has been accessed since it was downloaded. This should be enough to show that the files have never been accessed.
Also, you would expect an expert to know of this problem and (perhaps) to be able to show you had visited the infected site.
OT, but I have on occasion turned off atime when an age old PC is used as a desktop, in order to improve performance...
Is this possible in Mac?
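The access-time check described in the two comments above ('ls -l -u', 'find -atime'), as an added example that is not part of the original thread. The function names `unopened_files` and `make_sample` are hypothetical, the sample files are constructed, and it assumes a download's modification time approximates the moment the download finished.

```shell
#!/bin/sh
# Added example: list files that show no recorded read since they were written.
# Assumption: mtime of a downloaded file ~= the time the download completed.
# Caveat: on a volume mounted with noatime, access times are never updated,
# so "atime not newer than mtime" proves nothing there; check mount options
# on the forensic image before relying on this.

# Print every regular file under $1 whose access time is NOT newer than its
# own modification time.
unopened_files() {
    dir=$1
    find "$dir" -type f -exec sh -c '
        for f in "$@"; do
            # -anewer REF is true when the candidate atime is newer than the
            # mtime of REF; comparing a file with itself asks
            # "was this read after it was last written?"
            if [ -z "$(find "$f" -anewer "$f")" ]; then
                printf "%s\n" "$f"
            fi
        done' sh {} + | sort
}

# Constructed sample data: two files written at the same moment, one of
# which was opened five months later. Prints the directory it created.
make_sample() {
    d=$(mktemp -d)
    : > "$d/untouched.bin"
    : > "$d/opened.bin"
    # Same modification ("download") time for both files.
    touch -m -t 201001011200 "$d/untouched.bin" "$d/opened.bin"
    # Access times: one equal to the download time, one later.
    touch -a -t 201001011200 "$d/untouched.bin"
    touch -a -t 201006011200 "$d/opened.bin"
    printf "%s\n" "$d"
}

# Stand-alone use: pass the directory to examine, e.g. a mounted read-only
# copy of the Downloads folder.
if [ "$#" -gt 0 ]; then
    unopened_files "$1"
fi
```

Run it against a read-only mount of the disk copy rather than the live disk, since opening or scanning files on a live system can itself update access times.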
don't use safari and take your fate out of the hands of the CPS/police.
can't have this
You can't have this. Caching is one thing, and it can be the basis of prosecutions, but at least the accused will almost certainly have visited the cached site.
This is simple push of any material at all to a hard drive's normal folders.
You cannot allow this on your machine, it's insane to allow it.
Re: can't have this
No, a hidden IFRAME will already happily download anything it wants to your cache. Any site can push content to your hard disk. You certainly don't need to have "visited the site".
Such things can (and do) appear in your cache all the time. Is there really any significant difference if they're in your Downloads folder?
Good grief, this is a complete non-issue.
I've been using Safari for years and never once had a malicious file download itself to my Downloads folder and if I did, it would take all of, ooh I don't know, maybe 5 seconds, before I noticed the Downloads window pop up and tell me it's downloading stuff I don't know about. Even if I didn't notice immediately and quit Safari then next time I bring it up it would tell me all the files I've downloaded recently. The list of downloads doesn't go away until you explicitly clear it. And the files are tagged with metadata telling you which site they were downloaded from and warning you they may be malicious when you first try to open them, even if it's not until much later after the download. If you're worried about someone framing you with a dodgy download (are you also worried about neighbours climbing over the fence into your garden at night, hiding some drugs in your flowerbeds, then giving the police an anonymous tip off??) that same metadata would also confirm that you've never opened the file.
Grow up and start worrying about some of the REAL threats to your privacy and all our civil liberties, not phoney made up threats that have more to do with a few technonerds wanting to feel smugly superior than any actual practical threat.
Does this mean I'm stupid and complacent? Do I think there's NO POSSIBILITY of a serious security flaw in Mac OS X or Safari that could be maliciously exploited and cause me problems in future? No, of course not. Just as it's always possible that the empty house across the street from me will be bought by a violent drug dealer and there'll be a sudden upsurge in knife and gun crime in my neighborhood, I'll carry on being vigilant but I'm certainly not going to lose any sleep over it until and unless it becomes a problem.
it's only a non-issue 'cos its Mac
If this were IE it would be a 'BIG' issue - but as it's Safari/Mac all the fanbois come out to defend the undefendable once again.
Nobody is saying this is a big threat to your security - but Apple's response to the vulnerability is shameful (unless Apple are correct and the Chrome, IE and FF developers are all wrong).
yeah - right.
there is a vulnerability - get it fixed, or face the accusation that you do not care as much about security as Moz, Google and M$.
Does anyone with a half a brain even touch Safari? I have OSX and Safari is the first thing in the bin, it is an utter piece of cack designed for planks and divs! Firefox, with FlashBlock, AdBlock Plus and NoScript. Paranoia rules!
It's a non-issue until...
someone exploits it and does it successfully. It's a glaring security hole, there's no escaping that, which is why some of the more reasoned people have been, instead of arguing that it's not a security issue, arguing that it's not a problem because it doesn't appear to be used anywhere. The problem with this is clear, just because a problem hasn't surfaced yet doesn't mean it isn't a problem, and you can look through bug fixes of things such as buffer overruns (which in reality are pretty trivial) in all OSes. It's quite simple really, if the user clicks a link to a download then download the file, if it's not a direct link or if the user didn't click to initiate it popup a message box asking if you want to save it. How is that difficult or affecting the user experience unless you download loads of files every waking minute?
Once you get a gamechanger, where someone actually uses this as a way of flooding Macs with a multitude of files and finds an easy way of exploiting the security naivety of some Mac users it really will be an issue. Until then, I agree, it's not a problem for anyone, but it should still be fixed.
As to the people who say "I'll just stop the download", the issue isn't one big file just filling up your hard-drive it's the idea that someone could get you to download, automatically, lots and lots of smallish files all at once. With download speeds increasing constantly (and people who splash out on a Mac will be more than willing to pay for super-high-fast-speed broadband), how long would it take you to notice and react to lots of 1MB files being dropped in your downloads folder?
I hadn't realized some people still used safari.
Like a child?
Trust MAC heads to make comments like this . .
"It is also possible that when I next step out my door, there will be a mugger waiting around the corner to attack me. Do I stay inside all the time? Do I request a police escort?"
Stick fingers in ear and say la la la la!!
Yes I agree, you have got away with your internet behaviour for a long time on a MAC . . How delightful it must have been too . .
Microsoft were forced into a regular updates pattern in 2000, because their market share reached that point . . They are targeted by everyone and if there is an exploit it will be used and even if you think you're on a safe website you can't be too careful etc etc
Apple is now gaining some traction . . As the share increases, watch this space . . Extremely simple vulnerabilities like this will not go un-noticed for long!!
Am I wrong?
I use a Linux at home by the way and can see some Merit in using a MAC . . If I am paying I prefer a Microsoft for software and hardware choice, but that is just preference
Let's see if they catch up in the next version of Safari . . I bet they do!
what i don't understand is ...
why anyone uses Safari ... it's a bag of crap compared to every other browser, including ALL versions of IE
Bag of crap?
It's a lot better than the last version of IE that ran on Mac OS X :-)
Mine's the one with the Mac OS X 10.2 CD-ROM in the pocket...