Blended Threat from Combined Attack Using Apple’s Safari on ...


MacBytes
May 31, 2008, 08:04 PM

Category: Microsoft
Link: Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform (http://www.macbytes.com/link.php?sid=20080531210417)
Description: Microsoft worried about too many people using Safari on Windows.

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

walnuts
May 31, 2008, 08:17 PM
Ok, so, please help me with this. I'm probably wrong here, but, the article states the cause of the problem here:

A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed.

(emphasis my own)

and of course its suggested fix is:

Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.

Why not just change the default download location?

iSaint
May 31, 2008, 08:24 PM
I didn't read this, so correct me if I'm wrong here: stop using Safari because it's obviously superior to IE, we're just making stuff up to scare you!?

nigrunze
May 31, 2008, 08:25 PM
Why not just change the default download location?

That would mean not using Internet Explorer and Microsoft doesn't want that. In their perspective, not using Windows Internet Explorer means that all hell would break loose.

winmacguy
May 31, 2008, 08:49 PM
That would mean not using Internet Explorer and Microsoft doesn't want that. In their perspective, not using Windows Internet Explorer means that all hell would break loose.

Got it in ONE!:apple:

pilotgi
May 31, 2008, 09:17 PM
I don't know how to use Windows unless I use Safari. :)

Can I just download files to the folder I created for downloads?

winmacguy
May 31, 2008, 10:24 PM
I don't know how to use Windows unless I use Safari. :)

Can I just download files to the folder I created for downloads?

That would be my thinking.

walnuts
Jun 1, 2008, 06:32 AM
The default download place for Safari on Windows is the desktop... is every browser that saves to the desktop vulnerable? Firefox saves to the desktop by default too... what gives here? Is this just a poor description of the security flaw, or is everything that saves downloaded files to the desktop vulnerable? If the latter is the case, I would think that my OS that can't secure items downloaded to the desktop would have the flaw, and not the software that might put files there.

LeviG
Jun 1, 2008, 06:40 AM
The default download place for Safari on windows is the desktop...
Well, that's just bloomin' stupid to start with. Windows isn't designed like OS X; it can't handle lots of junk on the desktop.

Yvan256
Jun 1, 2008, 07:15 AM
There are two problems here. One is on both platforms, one is Windows-related (because of Apple).

The first problem is that Safari allows a website to initiate a download without asking the user. This problem is on both platforms.

See this page (http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html) for a screenshot of what might happen when visiting a website that exploits this problem. The downloaded files happen to be on the desktop in this example, but desktop or not, imagine a website filling the hard drives of Safari users.

Don't forget that a 1 byte file still takes 4KB or more on drives, because of the way files are stored (do a "get info" on a small file, you will see something like "Size: 4 KB on disk (400 bytes)"). This means that you only need to send 256 one-byte files to fill up one megabyte of hard drive space. If the files don't download to your desktop you might not even notice it right away. Now, imagine anti-Apple people putting such a script on their websites and you lose a few megabytes of hard drive space for each website visited... Of course it's all files you can delete, but if you're not aware of it, your hard drive free space keeps getting smaller and smaller "for no reason".

Of course this would be an annoyance at best, unless the rate of written files was so high as to completely freeze your computer (think iBook G3 on a cable connection).

The second problem is that on Windows, Safari doesn't tag the files as being "downloaded from the internet / unsafe". I've read that it's in the Microsoft guidelines, Apple simply aren't following them.

clevin
Jun 1, 2008, 09:10 AM
Apple breaks Windows developer guidelines, and creates a problem that shouldn't have been there in the first place. And fanboys are still twisting black and white?

RDF is out of control.:p

Play4keeps
Jun 1, 2008, 02:51 PM
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=89&articleId=9091638&intsrc=hm_topic

check it out

mkrishnan
Jun 1, 2008, 03:23 PM
I don't think it's all purely spin and FUD... This for instance:

The first problem is that Safari allows a website to initiate a download without asking the user. This problem is on both platforms.

I find this feature of Safari really irritating (in OS X) -- especially when it's paired with some website that has content for which the server isn't properly configured (i.e. things that should be displayed in the browser with a plugin but which get treated as downloadables instead because of the way they're server identified). Next thing I know I have a stack of 1.pdf or 2.avi etc files sitting in my downloads folder, and if I'm not paying close attention, I may have no idea where they came from or how they came to be there.

As for the tagging of trust levels system in Windows, I think it's a fairly idiotic security system, but if it's the Microsoft guideline, and MSIE tags files to the OS in this way, then other browsers such as Firefox and Safari should follow suit. It in itself doesn't create any new problems that weren't there before, so even if it's a silly measure, it should still be consistently followed.

walnuts
Jun 1, 2008, 05:54 PM
The first problem is that Safari allows a website to initiate a download without asking the user. This problem is on both platforms.

I agree that this is an issue. The way I read Microsoft's security alert was that the issue was solely that files get downloaded to the desktop. The fact that a browser can allow sites to download things without user choice troubles me. Forgive my ignorance above.

As for the tagging of trust levels system in Windows, I think it's a fairly idiotic security system, but if it's the Microsoft guideline, and MSIE tags files to the OS in this way, then other browsers such as Firefox and Safari should follow suit. It in itself doesn't create any new problems that weren't there before, so even if it's a silly measure, it should still be consistently followed.

Doesn't Mac OS X do this as well? I always get warned when I'm opening an app I downloaded. It seems to make sense to me. If I didn't know I was opening an app this would be a great warning.

mkrishnan
Jun 1, 2008, 06:25 PM
Doesn't Mac OS X do this as well? I always get warned when I'm opening an app I downloaded. It seems to make sense to me. If I didn't know I was opening an app this would be a great warning.

Unless I misunderstand it, not exactly.... what Safari does in OS X is examine a file to see if it might contain executable code -- that is, either if it's an executable file itself or if it's an archive containing an executable file. It then warns you in these cases to make sure you want to allow it to be downloaded. After that, any file that you allow on your system is either executable or not.

If I understand this correctly, what Windows does now is to have a file property that specifies whether Windows thinks the file is safe to run, which apparently MSIE can set on a downloaded file as it's being downloaded and written to disk, so that when it's run, the user is warned to make sure they want to run it. The problems I have with this are ...

1) If an application has a safety bit, what sense does it make to allow programs running without escalated privileges (e.g. web browsers, but once you open the door, any other program with user level privileges only) to change that safety bit?

2) The safety bit is set indiscriminately on everything you download, I think, unless maybe it's downloaded from "secure" sources? I don't completely understand this part. But the danger is a "boy who cried wolf" phenomenon -- the only reason you ever really end up with executables on your desktop is cuz you downloaded them with your web browser. If they all give you the same warning, what's the point?

3) If they were to have some kind of secure source system, Windows is a large enough enterprise with enough vendors that, even if third party software houses are able to register, only a small number will become recognized secure sources. First of all this has anticompetition implications. Second, it's unlikely that all the sources that you really actually use would be registered, again meaning that, like (2), you'll get the warning message with enough legitimate software that it will become useless.

If they're going to pursue this strategy, it'd be better if they did something different, like pop up a warning for executing any application whose binary does not exist in the Program Files or whatever it's called folder, regardless of where it came from (hey, you're running software you've never run before, or hey, you're running software that has not previously been installed on the system, ....). That's much safer than having the browser tag files as they come in.

As for what Safari in OS X does, yes, it's pretty useless when you know you're downloading a binary, because all it tells you is what you already knew. The only time it's really useful is when you download something that you think is *not* a binary and you get an executable file -- like a trojan horse. Then you say, whoa, why is Safari warning me about this ... PDF file or whatever ... it shouldn't be executable at all.

Again, I might be misunderstanding it, though.
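The Windows "safety bit" that mkrishnan describes is, in fact, the Zone.Identifier alternate data stream that Internet Explorer writes next to a downloaded file on NTFS (the stream name and ZoneId values are Windows facts, not from the thread). The script below, added here as an example and not code from the page or from Apple or Microsoft, parses that stream and audits a download folder for executables that carry no mark at all, which is the state the thread says Safari leaves them in. It assumes an NTFS volume when `audit` is run; on other filesystems every file simply reports as unmarked.

```python
"""Check the Windows "downloaded from the Internet" mark (Zone.Identifier)."""
from pathlib import Path
from typing import Optional

# The stream is a small INI-style text block, e.g. "[ZoneTransfer]\r\nZoneId=3".
# ZoneId 3 is the Internet zone, for which Windows prompts before running a file.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(text: str) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream, or None if absent or malformed."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                return int(value.strip()) if value.strip().isdigit() else None
    return None


def read_mark(path: Path) -> Optional[int]:
    """Read a file's Zone.Identifier stream via the NTFS 'file:stream' syntax."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:          # no such stream, or not an NTFS volume
        return None


def classify(zone: Optional[int]) -> str:
    """Describe what Windows will do with a file carrying this mark."""
    if zone is None:
        return "UNMARKED: no Zone.Identifier, runs without the download prompt"
    name = ZONE_NAMES.get(zone, str(zone))
    return f"MARKED ({name}): {'prompts before running' if zone >= 3 else 'treated as local'}"


def audit(folder: Path, exts=(".exe", ".dll", ".msi", ".bat", ".cmd", ".scr")) -> dict:
    """Map each executable-looking file in folder to its mark status."""
    return {p.name: classify(read_mark(p)) for p in sorted(folder.iterdir())
            if p.is_file() and p.suffix.lower() in exts}
```

Run `audit(Path.home() / "Desktop")` on the machine in question to list which downloaded executables would run with no prompt.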

neonblue2
Jun 2, 2008, 03:55 PM
The carpet-bombing argument has a couple of flaws.

It goes by the assumption that a user won't notice a download window pop up. I always do.
On any browser that asks, millions of confirmation dialogs would pop up. In the Windows world that would mean force quitting the app, because it doesn't like it when you try to bypass a newly popped up window. But knowing Windows, the entire computer would probably crash.

nick9191
Jun 2, 2008, 04:07 PM
The thing with Apple is that because they spend so much time coding for a strong, virus free, Unix OS, when it comes to writing applications for Windows, they don't put in all the security features that Windows needs.

Trip.Tucker
Jun 11, 2008, 03:39 PM
Apple breaks Windows developer guidelines, and creates a problem that shouldn't have been there in the first place. And fanboys are still twisting black and white?

RDF is out of control.:p

No, fanboys twist in color now since 1966.