Apple's carpet-bomb Safari flaw can wreak havoc on Windows

A researcher has created a proof-of-concept site that graphically demonstrates the risk Windows users face when using Apple's Safari browser. Microsoft's security team already warned that a "blended threat" was so serious that Windows users should curtail their use of Safari until a security patch is available. This blog post …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Pot meet Kettle

    Or to put it another way:

    Microsoft meet Apple.

    Now call each other black!

  2. Dafydd Lawrence

    Windows fast fix?

    "Contrast Microsoft's response with that of Apple. The company that foisted Safari on the unwitting masses of Windows users can't be bothered to fix a flaw that clearly puts them at risk."

    That's a bit harsh seeing as the bug that causes IE to open files from the desktop automatically was reported to Microsoft back in 2006!

    The only reason they would be fixing this fast would be to save themselves swimming in a big bucket of hypocrisy.

    Apple could easily put out a security alert saying users of windows should stop using IE until the problem is fixed.

    It's a blended threat, both are to blame.

    Microsoft forced IE on its customers.

    Apple pretty much forced Safari on its customers.

    Microsoft have a bug in their browser which they haven't fixed for 2 years.

    Apple have an "insecure feature" in their browser which might or might not be fixed in the next 2 years.

    ....

  3. Steve P
    Jobs Horns

    I always thought the risk was obvious

    1. Name your nefarious app 'My Computer.exe', 'My Desktop.exe', 'Internet Explorer.exe', hell, 'Safari.exe' :)

    2. Give your app the appropriate icon

    3. Rely on users having hidden file name extensions

    4. Profit!

  4. Adam Azarchs

    Re: Windows fast fix?

    "Apple could easily put out a security alert saying users of windows should stop using IE until the problem is fixed."

    Yes, that's fine, as long as apple figures out a way to run windows update without IE...

    As far as the "bug" in IE is concerned, the fact is some people actually use that to enable "active desktop" features. As has been mentioned by others before, this would be far less of an issue if safari set the "this was a downloaded file" flag in the filesystem, so windows wouldn't execute it without throwing up a "This file is unsigned and probably will mess up your computer. Are you sure?" dialog. Granted, autorunning things in a place like the desktop where so many other things live isn't such a great idea, but until Safari started dumping turds onto it, it wasn't a security problem.

  5. Anonymous Coward
    Stop

    Proof of concept?

    More like a real proof of how Apple is not ready for the real world. It is easy to be secure when all you need to take care of is an oversized calculator that nobody with an IQ higher than 10 would ever use, but when you deal with real computers in the real world, Apple does not stand a chance. Apple is about smoke and mirrors and that is the only thing they sell. Maybe they should stop trying to sell the useless shiny plastic boxes they call computers (really, there is a far better use for an Intel processor). The iPhone seems to be catching on well (like someone famous said once: there is a sucker born every minute) so they should concentrate on that and stop trying to make computers (after more than 20 years of failures, one would think they would have learned by now).

  6. Anonymous Coward
    Linux

    Someone has to say it, so I might as well.

    I love my kde desktop.

    Complicated, but light, like gentoo

    Easy like Ubuntu (and not a lot less light)

    Choose your poison, but mine cost me $0 and is 100% legal.

  7. Frank Bellavance
    Paris Hilton

    WinUpdate on IE was bad when it was introduced

    This is one I will never personally understand. Who in their right mind said "We want to make updating the system easy, let's put all this powerful capacity in IE. We just won't explain to everyone how to use it to install files everywhere. No, even better, let's tell everyone." instead of having a relatively simple, but dedicated tool?

    Paris, cause she can't always see the consequences either.

  8. onlinehah
    Stop

    reply

    1.

    Adam Azarchs:

    As has been mentioned by others before, this would be far less of an issue if safari set the "this was a downloaded file" flag in the filesystem, so windows wouldn't execute it without throwing up an "This file is unsigned and probably will mess up your computer. Are you sure?" dialog.

    i say:

    dll loading can't be stopped with such flag

    2.

    Steve P:

    1. Name your nefarious app 'My Computer.exe', 'My Desktop.exe', 'Internet Explorer.exe', hell, 'Safari.exe' :) 2. Give your app the appropriate icon 3. Rely on users having hidden file name extensions 4. Profit!

    i say:

    yeah it's an obvious risk (but not the one covered in the ms advisory/news/media). ".lnk" may be better - this file name extension is always hidden! but there is a catch - users get informed about it by the safari downloads list.

  9. onlinehah
    Flame

    whos' fault?

    Adam Azarchs said:

    Granted, autorunning things in a place like the desktop where so many other things live isn't such a great idea, but until Safari started dumping turds onto it, it wasn't a security problem.

    i say:

    many people put weird things (like a weird dll file) on the desktop - they just won't run them. now windows "helps" load them *automatically*.

  10. jai

    IE at fault

    i dunno - to me it sounds like IE is at fault really

    wasn't there the big problem with Outlook automatically executing files, and that's why there are so many infected spam-bots in the world?

    and if the IE issue was really reported back in 2006, then you can't really say that a fix this week is a speedy response

  11. Sebastian
    Stop

    the real question is...

    why would someone use safari and maybe a day later the internet explorer?

    ...

  12. Anonymous Coward
    Linux

    the bug that causes IE to open files from the desktop automatically

    Is that a bug though?

    If Safari let you download a .bashrc from an iframe into your home directory, you'd get a similar level of risk.

    It's poor both ways, Safari should use a temp folder like wot u do everywhere, and windows should load dll's from predictable locations.

    Actually, this should be a heads up for linux that maybe automatically executed files should be buried a bit deeper than the user's home dir (or the desktop in Windows' case).

    Tux, cos he knows that the flaws in windows light the path.

  13. Paul
    Jobs Horns

    IE at fault?

    Yes. But I don't see it as a huge fault that IE assumes that something on your PC is ok to run. I can see a use for that, and it should not be a problem if your security is ok. You only get a problem when some fool writes a program that lets files download without asking you, so you don't know they are there.

  14. Shinobi87
    Coat

    :O

    maybe apple coded it that way, increase the known issues with IE but pretend that safari isn't to blame!

  15. Xander
    Alert

    Incoming!

    <braces for the firefox fanbois>

  16. Anonymous Coward
    Coat

    O RLY?

    >>Granted, autorunning things in a place like the desktop where so many other things live isn't such a great idea, but until Safari started dumping turds onto it, it wasn't a security problem.

    Thanks for your accurate description of Windows' ability to discern between a turd and a bona fide application.

    >>autorunning things .....wasn't.... a security problem.

    Got me laughing so hard i had to reach for the emergency oxygen.

    The brilliant soul who thought it would be a good idea to automatically open anything on your desktop should really be granted a Darwin award, to properly complement the large stack of testimonials from scriptkiddies and commercial malware distributors.

    Fortunately there is not a single user out there who ever inadvertently downloaded any malware attachments, or visited a site that pushed a dialer application, or adware...it's really utterly inconceivable that there could be any file downloaded to your desktop that is not safe for your average Active-Xploit enabled honeybot PC. Or is there?

    Do I hear the rumble of a million zombies disagreeing?

    The whole snafu leaves me ROFL'ing. Apple rightfully don't care: in about 5 seconds, users can set the preference to not automatically download anything, or not automatically open anything. The real fault is with explorer.exe for blindly executing all prisoners ehhrrm programs it finds on the desktop.

    In any case, HUGE kudos to Apple for setting the default preference in Safari to: "Send Windows titsup at the earliest opportunity". It's all for the good of the users! The sooner they are relieved from the burden that is the Windows Desktop Experience, the better.

    Users should be thankful for being offered another great excuse to ditch Windows! It also makes for great pubtime stories as in:

    "I was just goin on this safari thing and waddayaknow in the middle of it I got carpetbombed out of the blue - the entire latitude got so swamped in debris I had to bail out on a leopard to save my hide!" will leave your pub mates gasping at the adventure of it all - and scurrying to buy you another pint.

    And let's not forget the excellent tradition: "Don't get mad, get even" - Internet Explorer on the Mac has a history of trying to mess with system files in order to render your machine unusable.

    Also consider the tribute to Microsoft Internet ¿security? policies! "We love your active desktop feature so much, we designed Safari to take full advantage of it! Poignantly indicating Windows' designed insecurity, and possibly rendering a couple of PCs unusable is considered a collateral benefit."

    Mine's the huge chequered attire with the funky tootlehorn in the left pocket.

  17. Daryl

    Windows users fault

    For a start, if everyone is bashing Apple, why are they using Safari on windows in the first place?

    And secondly, this may be a large problem for windows users, who are constantly at risk from viruses and adware etc etc, but personally, using OSX I've never had a problem with any of this.

    It's glaringly obvious a lot of the time how many sites try to install rubbish on your desktop, when every so often I find "maliciousfile.exe" sitting on my OSX desktop, and that's all it does, because it doesn't work on my operating system.

    Apple and Microsoft's attitude to each other's platforms is mirrored in this case. Apple have little reason to fix an error which affects mainly windows users, much in the same way Microsoft refuses to adapt key bits of software properly for use on OSX (Messenger.. Office).

    If you have a problem with adware ending up on your windows desktop because of this, don't use an Apple browser.

  18. DrXym

    It's strange

    Apple did a very smart thing by putting OS X over BSD. The user runs without any admin privileges normally. It doesn't protect you against every threat but it's a whole lot better than Microsoft's swiss cheese approach. And Apple has an update downloader on Windows and Mac which can supply patches.

    But in other ways Apple is just as dumb as it always was, if not more so. Microsoft has learned the hard way not to let their design group dictate what prompts the user does or does not see for things with security implications. And then there's that updater which is designed for updates, not to abuse users by foisting new (and unsafe) software onto them.

    The Safari folks are bright guys and even include a few ex-Firefox / Konq devs, so they should know all this. Maybe it's time they fought back against their overlords and started putting security before usability once again. It's not like their concept of "usability" makes any sense on Windows anyway when they force some Aqua-like UI onto users, tossing all accessibility and UI guidelines in the bin on the way.

  19. Tony
    Paris Hilton

    @Dafydd

    "Apple pretty much forced Safari on it's customers".

    And MS customers as well!!

    Wonder what Apple would say if MS dumped IE7 on everyone who downloaded apps for a Mac?

    (PH 'cos no one forces a download on her)

  20. Brian Whittle
    Jobs Horns

    Why would anyone use Safari on a Windows PC?

    There is, was and never will be a need for Safari on Windows PCs, simple as that.

    my windows browser history

    IE 5

    Opera came to my notice. I used that mostly because it is super fast after using IE; the thing is, it did then and still does now display stuff in a weird way (probably not its fault, but sites being written with IE in mind, grrr)

    Firefox came to my notice 99% of sites worked fine with it, not as fast as opera but least it worked better,

    So now it's Firefox with a smattering of IE7 when needs must, which is not very often.

    BTW this was typed on a macbook with Firefox, which I still prefer because it's simple to get all your preferences from a windows pc to the mac without losing anything (just copy the profile folder to the one on the mac)

  21. Steve
    Stop

    Shock Horror - Apple ignore guidelines

    This is from the same company that fails to comply with Windows Service implementation guidelines (you have seen that "Bonjour" service which, unless you google it, you think is some poorly written virus) and doesn't seem to understand the concept of end-user accessibility or system wide customisation. Take iTunes - great UI, shame it forces its own design on the user rather than checking out the system settings for themes.

    Apple are the most ignorant of all cross-platform developers. Their applications mirror the Mac OS X style rather than adopting the locally set themes, and their software ignores every guideline and standard other than the ones required to get it to work on Windows. Security is an afterthought at best.

    Yeah - IE has its part of the blame. However a browser SHOULD work in a particular way. This issue doesn't touch Opera, Firefox or IE. Why.... because Apple ignored the coding standards from MSDN regarding security.

    At least on Vista this isn't as much of an issue, as by default the interactive user will only have standard user rights instead of admin rights. (Unless Safari requires admin rights to run...? Wouldn't surprise me knowing Apple...)

  22. Anonymous Coward
    Coat

    Doesn't work here

    OK, Safari downloads without asking me if I want to and dumps it to the desktop. FF pops up a "Where do you want to save this download to" dialogue, which is nearly as bad because if I'd got "Do this automatically" set for DLLs then FF would download it without asking me too. Opera asks me if I want to save it too (and if I'd got the "Remember choice and do not ask me again" set it would have done it without asking me). IE says it's blocked it, but I guess if security settings were tweaked IE would download it too.

    But should ANY website be able to force a download on me .. all the browsers seem to be willing to accept a forced download from a remote site which seems a bit wrong.

  23. Anonymous Coward
    Anonymous Coward

    Privileges...

    Most botnets are there for email, you don't need to be an admin user to send out email, you don't need to be an admin user to open up a port (past 1024) for managing the bot net.

    It doesn't matter that they can only install user services, since that is all they want.

  24. Philip Skinner
    Stop

    Erm

    Is it just me or are people being pretty stupid?

    What's the problem: Rogue files get downloaded onto a computer.

    What's the cause: Safari.

    Seems pretty open-shut to me.

  25. Alexis Vallance
    Alert

    So what?

    "Is it just me or are people being pretty stupid?

    What's the problem: Rogue files get downloaded onto a computer.

    What's the cause: Safari.

    Seems pretty open-shut to me."

    When I was on Windows in IE it happened every now and again. I don't know what the big deal is. Booby trapped sites have always downloaded malicious .exes on to your machine. The problem is the user running them.

  26. Anonymous Coward
    Boffin

    "IE automatically carries out instructions buried in odd files dropped onto a user's desktop,"

    This is down to the DLL search path always including the current working dir, which is desktop when you're in explorer. It's not just IE, it's inherent to the whole of windows. See the LoadLibrary documentation for more.

    It's also quite like the old "create a file called program.exe in the C:\ root" trick where you fool the path search mechanism.
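
    A defender-side check that ties together Adam Azarchs's "downloaded file" flag, onlinehah's point that DLL loading can't be stopped by it, and the DLL search path point above. This is an added example, not code from the article or any commenter; it assumes Windows with PowerShell 3.0 or later and audits only the current user's Desktop.

```powershell
# Added example, not code from the article or any commenter. It audits the
# current user's Desktop for DLL and EXE files and reports whether each carries
# the Zone.Identifier alternate data stream (the "downloaded file" flag).
# Assumptions: Windows with PowerShell 3.0 or later; the Desktop is the folder
# Safari was dropping files into, and it is the current directory of anything
# launched from there, which is why the DLL search path comment matters.
$desktop = [Environment]::GetFolderPath('Desktop')

function Get-ZoneId {
    # Returns the ZoneId from the file's Zone.Identifier stream (3 = Internet),
    # or $null when the stream is absent, i.e. nothing recorded a download.
    param([string]$Path)
    $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in @($stream)) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

$report = foreach ($file in Get-ChildItem -LiteralPath $desktop -File -Force) {
    if ($file.Extension -notin '.dll', '.exe') { continue }
    $zone = Get-ZoneId -Path $file.FullName
    if ($file.Extension -eq '.dll') {
        # LoadLibrary walks the search path, which can include the current
        # directory; it never consults Zone.Identifier, so the flag only helps
        # an auditor here, not the loader.
        $note = 'DLL in a searched directory; zone flag is not enforced on load'
    } else {
        $note = 'EXE; zone flag triggers the Open File - Security Warning dialog'
    }
    [pscustomobject]@{
        Name       = $file.Name
        ZoneId     = $zone
        Downloaded = ($null -ne $zone -and $zone -ge 3)
        Note       = $note
    }
}

# Downloaded DLLs sort to the top: those are the ones worth looking at first.
$report | Sort-Object Downloaded -Descending | Format-Table -AutoSize
```

    A DLL with no Zone.Identifier stream is not proof that it was created locally, since a browser that never sets the flag (as the thread describes for Safari) leaves it looking the same as a local file.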

  27. Ascylto

    Move along

    Something wreaked havoc on Windows.

    Move along ... nothing new here ...

  28. Anonymous Coward
    Paris Hilton

    firefox 3 has lots of bugs too

    yep. been using firefox 3 beta for a while now and ALL the exploits that work 100% fine for safari and IE don't work at all. shall I commit a bug report to Mozilla?
