Two years later, Apple still won't fix Safari hole

The vulnerability was fixed for Safari on Windows, but not on Mac OS X

Two years after fixing a security bug in the Windows version of its Safari browser, Apple apparently has decided that Mac users can go without a fix.

Apple was initially unimpressed by Nitesh Dhanjani's work developing what's known as a "carpet bomb" attack, the security researcher said in an interview Monday. "I told Apple about it two years ago, and they responded back, saying it was more of an annoyance than anything else."

That turned out to be the wrong assessment. Soon after Dhanjani went public with the flaw in May 2008, another security researcher showed how carpet bombing could be combined with another Windows attack to run unauthorized software on a Windows PC. Apple then shipped a fix for Safari on Windows, but not for Safari on Mac OS X.

Nobody has shown how to do this on the Mac OS X version of Safari, but Dhanjani still thinks Apple should fix the issue on both platforms.

In a carpet bomb attack, the victim visits a malicious Web site, which then causes the browser to save file after file to the victim's computer without any sort of approval.

"[W]hile most sane Web browsers warn the end user and ask for explicit permission before saving a file locally, Safari goes ahead and saves the file into the default download location without asking the user," he said in a blog posting, "even if hundreds of files are served up by the malicious website simultaneously."

Without a second attack, hackers have no way to run the downloaded files on the victim's computer, but the unauthorized downloads still represent a security risk, Dhanjani said. "In this day and age ... the site shouldn't be able to drop anything it wants into my downloads folder."

Not everyone agrees, however. Noted Apple hacker Charlie Miller said that Dhanjani's bug is not serious because there is no second Mac OS X bug that causes downloaded files to be executed. "So basically, a Web site can start to download a bunch of files to your Downloads directory. This isn't an ideal situation, but then again, I don't see a lot of harm that comes from it," he said in an e-mail interview. "Especially, if the alternative is for the browser to nag me every time I want to download something."

Dhanjani believes Apple hasn't fixed the issue because it might annoy Mac users. "They're going after usability," he said. "Apple wants to make everything so seamless that they don't want the user to have to go through this extra process."

Apple did not immediately respond to a request for comment on this story. The company typically does not comment on security issues.

In a May 2008 e-mail message to Dhanjani, viewed by the IDG News Service, Apple's security team said it would consider adding an "Ask me before downloading anything" preference to Safari. "This will require a review with the Human Interface team," Apple told the researcher. "We want to set your expectations that this could take quite a while, if it ever gets incorporated."

Robert McMillan

IDG News Service