Two years later, Apple still won't fix Safari hole

The attack vulnerability was fixed for Safari on Windows, but not on Mac OS X

Two years after fixing a security bug in the Windows version of its Safari browser, Apple apparently has decided that Mac users can go without a fix.

Apple was initially unimpressed by Nitesh Dhanjani's work developing what's known as a "carpet bomb" attack, the security researcher said in an interview Monday. "I told Apple about it two years ago, and they responded back, saying it was more of an annoyance than anything else."

That turned out to be the wrong assessment. Soon after Dhanjani went public with the flaw in May 2008, another security researcher showed how carpet bombing could be combined with another Windows attack to run unauthorized software on a Windows PC. Apple then shipped a fix for Safari on Windows, but not for Safari on Mac OS X.

Nobody has shown how to do this on the Mac OS X version of Safari, but Dhanjani still thinks Apple should fix the issue on both platforms.

In a carpet bomb attack, the victim visits a malicious Web site, which then starts downloading unauthorized files to the victim's computer without any sort of approval.

"[W]hile most sane Web browsers warn the end user and ask for explicit permission before saving a file locally, Safari goes ahead and saves the file into the default download location without asking the user," he said in a blog posting, "even if hundreds of files are served up by the malicious website simultaneously."

Without conducting another attack, hackers still have no way to run the files on the victim's computer, but these unauthorized downloads still represent a security risk, Dhanjani said. "In this day and age ... the site shouldn't be able to drop anything it wants into my downloads folder."

Not everyone agrees, however. Noted Apple hacker Charlie Miller said that Dhanjani's bug is not serious because there is no second Mac OS X bug that causes downloaded files to be executed. "So basically, a Web site can start to download a bunch of files to your Downloads directory. This isn't an ideal situation, but then again, I don't see a lot of harm that comes from it," he said in an e-mail interview. "Especially, if the alternative is for the browser to nag me every time I want to download something."

Dhanjani believes Apple hasn't fixed the issue because it might annoy Mac users. "They're going after usability," he said. "Apple wants to make everything so seamless that they don't want the user to have to go through this extra process."

Apple did not immediately respond to a request for comment on this story. The company typically does not comment on security issues.

In a May 2008 e-mail message to Dhanjani, viewed by the IDG News Service, Apple's security team said it would consider adding an "Ask me before downloading anything" preference to Safari. "This will require a review with the Human Interface team," Apple told the researcher. "We want to set your expectations that this could take quite a while, if it ever gets incorporated."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Applesafariweb browsers

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?