
Microsoft Urges Windows Users To Shun Safari

CowboyNeal posted more than 6 years ago | from the big-surprise-there dept.

Microsoft 502

benjymouse writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to 'restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.' This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Essentially, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem." Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you.

502 comments

first! (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23608941)

p1st fr0st!

Apple users suxX0rs!

Accidentents. (4, Insightful)

Vectronic (1221470) | more than 6 years ago | (#23608951)

"Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you."

With hundreds of files on your desktop, what are the odds you'd hit one when you are just blanking out a selection, or deleting them, or frustratingly smack your mouse for [whatever reason]

Re:Accidentents. --lol (4, Funny)

Vectronic (1221470) | more than 6 years ago | (#23608959)

Time for bed.

Re:Accidentents. (0)

Anonymous Coward | more than 6 years ago | (#23609111)

"With hundreds of files on your desktop, what are the odds you'd hit one when you are just blanking out a selection, or deleting them, or frustratingly smack your mouse for [whatever reason]"

This won't give admin rights to the app. UAC to the rescue.

Re:Accidentents. (4, Interesting)

Anonymous Coward | more than 6 years ago | (#23609261)

It doesn't take hundreds of files. It takes one file.

According to Nate McFeters, Microsoft has a working "one click and the bad guy gets code running on your machine" exploit.

Re:Accidentents. (5, Insightful)

dfm3 (830843) | more than 6 years ago | (#23609303)

With hundreds of files on your desktop, what are the odds you'd hit one when you are just blanking out a selection, or deleting them, or frustratingly smack your mouse for [whatever reason]
Or, even worse, on purpose.

First, imagine how many people would just blindly click on a new desktop icon just to "see what it does".

Second scenario, most Windows users I know keep file extensions off by default, and keep dozens of shortcuts to executables on their desktop among various folders, downloaded files, and other clutter. Now what if the downloaded file were named "safari.cgi" or "iTunes.cgi", but all the user sees is Safari with a generic file icon. I know many people who would think, "hmm, the icon to my internets is messed up" and click it anyway.

Re:Accidentents. (4, Interesting)

Znork (31774) | more than 6 years ago | (#23609329)

Why even bother with executing them? I can imagine a whole host of marketing people thinking this is a great way to obtain prime advertisement real-estate.

Getting an icon on a users desktop is something some companies pay a lot of money for. In fact, the ability to spam any download folder is probably something they regard as worthwhile.

Re:Accidentents. (4, Insightful)

kitgerrits (1034262) | more than 6 years ago | (#23609347)

As a Linux user, I have to point out one thing in Microsoft's defense:
Lately, it seems to tag executables that have been downloaded and warns you about it when you try to run them.
Apparently, Safari does not have this mechanism, so users might assume it's a valid local icon.

I still run Firefox, though.
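The tag kitgerrits refers to is what Windows calls the Mark of the Web: browsers that honour it write a small alternate data stream named Zone.Identifier next to each download, and Explorer's "this file came from the Internet" warning is driven by the ZoneId inside it. An audit that looks for executables on the Desktop that carry no such mark, as an added example (not code from the thread, from Microsoft or from Apple): the zone numbers, the extension list and the sample Desktop entries are assumptions constructed for the example, and since alternate data streams exist only on NTFS the audit also accepts stream contents supplied directly.

```python
# Added example: audit a download folder for executables that lack Windows'
# Mark of the Web (the Zone.Identifier NTFS alternate data stream). Not the
# thread's, Microsoft's or Apple's code; zone ids, extensions and the sample
# entries below are assumptions.
from pathlib import Path

# IE security zones as Windows numbers them (assumed standard ids).
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
UNTRUSTED_ZONES = {3, 4}   # zones for which Explorer shows the download warning
# Extensions Windows runs on double-click (representative subset, assumption).
EXECUTABLE_SUFFIXES = {".exe", ".com", ".bat", ".cmd", ".scr", ".msi",
                       ".vbs", ".js", ".jar", ".cgi"}

UNMARKED = "unmarked-executable"       # no Zone.Identifier: runs with no warning
MARKED_UNTRUSTED = "marked-untrusted"  # Internet/Restricted zone: Windows warns first
MARKED_TRUSTED = "marked-trusted"      # tagged, but from a zone that gets no warning
NOT_EXECUTABLE = "not-executable"


def parse_zone_identifier(stream_text):
    """Parse the INI-style Zone.Identifier stream into a dict of its fields."""
    fields = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def zone_id(fields):
    """ZoneId as an int, or None when missing or malformed."""
    try:
        return int(fields.get("ZoneId", ""))
    except ValueError:
        return None


def read_zone_stream(path):
    """Return the Zone.Identifier stream for path, or None if it is absent.

    Alternate data streams are an NTFS feature; on other filesystems the
    "file:stream" open syntax simply finds nothing and None is returned.
    """
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def classify(name, stream_text):
    """Verdict for one file from its name and its Zone.Identifier contents (or None)."""
    if Path(name).suffix.lower() not in EXECUTABLE_SUFFIXES:
        return NOT_EXECUTABLE
    if stream_text is None:
        return UNMARKED
    zone = zone_id(parse_zone_identifier(stream_text))
    return MARKED_UNTRUSTED if zone in UNTRUSTED_ZONES else MARKED_TRUSTED


def audit(entries):
    """entries: iterable of (filename, zone_stream_or_None) -> {filename: verdict}."""
    return {name: classify(name, stream) for name, stream in entries}


def audit_folder(folder):
    """Audit a real folder (e.g. the Desktop) by reading each file's stream."""
    folder = Path(folder)
    return audit((p.name, read_zone_stream(p)) for p in folder.iterdir() if p.is_file())


# Constructed sample: what a Desktop might hold after a silent bulk download
# (the .cgi with no stream) next to a normally downloaded installer.
SAMPLE_DESKTOP = [
    ("safari.cgi", None),
    ("setup.exe", "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=http://example.invalid/setup.exe\r\n"),
    ("tool.msi", "[ZoneTransfer]\nZoneId=1\n"),
    ("notes.txt", None),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_DESKTOP).items():
        print(f"{name:12} {verdict}")
```

The interesting row is the unmarked executable: a file that reached the Desktop without the stream gets no warning from Explorer at all, which is the point the comment makes about downloads that arrive through a browser that does not write the tag.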

Wow. Just wow. (3, Interesting)

yanyan (302849) | more than 6 years ago | (#23608957)

The irony level in this situation is simply astounding. Secondary attack can cause execution of said downloaded binaries? What about all that malicious content that Internet Exploiter happily executes for the user with nary a warning or confirmation?

Re:Wow. Just wow. (2, Insightful)

Flamora (877499) | more than 6 years ago | (#23608967)

While it's true that IE's security isn't much better, they do have a point.

Apple just needs to turn the tables and tell people to shun IE and use Firefox/Opera/what have you, is all.

Re:Wow. Just wow. (5, Insightful)

NewbieProgrammerMan (558327) | more than 6 years ago | (#23608987)

Apple just needs to turn the tables and tell people to shun IE and use Firefox/Opera/what have you, is all.
Or, maybe, you know, fix their security holes.

Re:Wow. Just wow. (3, Insightful)

ozmanjusri (601766) | more than 6 years ago | (#23609037)

Or, maybe, you know, fix their security holes.

If Apple won't fix it, why doesn't someone fork the project and produce a version that doesn't have the vulnerability?

Re:Wow. Just wow. (5, Insightful)

erikina (1112587) | more than 6 years ago | (#23609107)

Because they don't give you permission to? And even if they did, no one would bother without the source.
I think that anyone who gives a shit, has moved away from proprietary web browsers. (And yes, I'm aware their rendering engine is under GPL as it's based on KHTML or w/e)

Re:Wow. Just wow. (-1, Flamebait)

gb506 (738638) | more than 6 years ago | (#23609145)

I'm curious, what is your definition of a proprietary web browser?

Re:Wow. Just wow. (2, Insightful)

NeverVotedBush (1041088) | more than 6 years ago | (#23609113)

Is Safari open source? I didn't think it was. If it isn't, then there is no way to fork it, is there?

Re:Wow. Just wow. (2, Informative)

Darkness404 (1287218) | more than 6 years ago | (#23609141)

Safari's core (KHTML/WebKit) is open source and has been used in some F/OSS projects, most notably Konqueror.

Re:Wow. Just wow. (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#23609397)

Bollocks is it! Apple take the code, wait forever while they change it, then dump the complete source saying that's their contribution back. Ask the devs; this might as well not be done because they can't pick out the patches as you can with a proper open source project and co-operative devs.

Re:Wow. Just wow. (2, Informative)

leothar (896958) | more than 6 years ago | (#23609457)

The browser (Safari) is proprietary. The rendering engine (WebKit) on the other hand is open source with a nice BSD license.

Re:Wow. Just wow. (1)

mobby_6kl (668092) | more than 6 years ago | (#23609405)

> If Apple won't fix it, why doesn't someone fork the project and produce a version that doesn't have the vulnerability?

Even if it was possible to fork Safari and fix the problem (and I'm not sure if it is), Apple would still push their shitty browser onto unsuspecting users [silicon.com] .

Re:Wow. Just wow. (2, Insightful)

Whiney Mac Fanboy (963289) | more than 6 years ago | (#23609433)

If Apple won't fix it, why doesn't someone fork the project

Because Safari is not Open Source.

Re:Wow. Just wow. (0)

Anonymous Coward | more than 6 years ago | (#23609081)

s/Or/And/;

Re:Wow. Just wow. (5, Insightful)

JanneM (7445) | more than 6 years ago | (#23609155)

Or, maybe, you know, fix their security holes.
It's Apple. By definition anything they make is perfect in any conceivable way. If Safari allows forced downloads of thousands of executables, then it is because all web clients really should, and Apple is the only company with the vision, the foresight, and the polo sweaters to implement it. Just ask any Apple fanboy in your neighbourhood; he'll tell you.

Re:Wow. Just wow. (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23609245)

This is straight from an Apple fanboy - the lamest defense I have ever seen in a /. editorial: "Now while downloading a hundred files to your desktop won't automatically execute them" - wtf??? It's like allowing thousands of thieves in your house, on the assumption that they are not going to rob you?? BRAVO, fanbois!!

Re:Wow. Just wow. (4, Funny)

Zontar The Mindless (9002) | more than 6 years ago | (#23609295)

May I be the first to say:

Whooosh

Re:Wow. Just wow. (1)

NewbieProgrammerMan (558327) | more than 6 years ago | (#23609425)

Or, maybe, you know, fix their security holes.
It's Apple. By definition anything they make is perfect in any conceivable way.
<slaps forehead> Ah, right! I forgot...thanks for reminding me! ;)

Re:Wow. Just wow. (0, Flamebait)

cp.tar (871488) | more than 6 years ago | (#23608969)

Therefore, I should urge Windows users not to use IE after dropping Safari.
You just never know.

Re:Wow. Just wow. (0)

Anonymous Coward | more than 6 years ago | (#23609091)

I urge all Windows or Mac users to now start using Linux, e.g. Ubuntu or Debian. Oh wait ... Nevermind.

Re:Wow. Just wow. (0)

Anonymous Coward | more than 6 years ago | (#23609017)

O RLY? In 2008? Fact: it doesn't.

Such as...? (5, Informative)

Animaether (411575) | more than 6 years ago | (#23609041)

A list of actual drive-by vulnerabilities in current Internet Explorer (name-calling went out of vogue when you reached the age of 15, man. You are at least 15, right?) that allow for code execution on the client to substantiate your claim, please.*

Now if you want to point fingers, visit that Dhanjani link and read about the vulnerability he's not disclosing, as a courtesy to Apple; "The third issue I reported to Apple is a high risk vulnerability in Safari that can be used to remotely steal local files from the user's file system [...] it is a high risk issue affecting Safari on OSX and Windows". There hasn't been an update to that in the past 2 weeks, implying that it has not yet been fixed.

The Slashdot headline is pure flamebait and you took it.

Re:Such as...? (3, Insightful)

gmuslera (3436) | more than 6 years ago | (#23609391)

Since Internet Explorer's creation there has been a long, dangerous, ridiculous and at times even funny list of code execution vulnerabilities in Internet Explorer. How many times has Microsoft ordered users to shun Internet Explorer (or Outlook, or IIS, or MSSQL, to give a small example) because it had such a vulnerability being actually exploited?

How many times has a long time passed before Microsoft acknowledged that there was a problem, and then even more time before they fixed it?

And, maybe more important... what are the odds of Microsoft making exactly that recommendation for IE if Internet Explorer or another of their major products is found tomorrow to have a similar or worse security problem?

Of course, I'm not discussing here whether people should stop using Safari till that vulnerability is fixed, or at least be very aware of what could happen and how to deal with it.

Such as the mysterious second hit. (1, Flamebait)

twitter (104583) | more than 6 years ago | (#23609451)

I could start a list of IE holes but you would be 95 before I finished. The easy place to start is the current article, where M$ claims people can remotely execute things on your computer. If M$ is not good enough a source, there are a variety of AV vendors with lots of good information on line. I think we both have better things to do.

Oh Microsoft... (4, Funny)

Raian +3 (1119035) | more than 6 years ago | (#23608963)

Talk about the stove calling the kettle black.

Re:Oh Microsoft... (0)

Anonymous Coward | more than 6 years ago | (#23609053)

How are Microsoft products insecure in 2008?

Re:Oh Microsoft... (1)

NeverVotedBush (1041088) | more than 6 years ago | (#23609127)

Surely you jest...

Re:Oh Microsoft... (0)

sid0 (1062444) | more than 6 years ago | (#23609175)

I don't. How are they? Please list some actual 2008 vulnerabilities that were exploited before being patched. Spyware, trojans et al are not security issues, if the user initiated them. Also read up about the Security Development Lifecycle sometime.

Re:Oh Microsoft... (0, Redundant)

Vectronic (1221470) | more than 6 years ago | (#23609307)

"Please list some actual 2008 vulnerabilities that were exploited before being patched."

Uh... I'd be willing to bet that at least 50% of vulnerabilities are found by (intentionally, or unintentionally) exploiting them.

Yes, most can be found by someone more knowledgeable looking over the code, but many are found by "whoops, don't do that again" or "die muther fucker die!!!"...

Just being picky... you know.. Slashdot...

And Microsoft products are insecure, provided you equate secure as having no vulnerabilities at all and insecure as the opposite. And so is nearly every other piece of (consumer) software out there.

Re:Oh Microsoft... (0)

Anonymous Coward | more than 6 years ago | (#23609319)

Yes... because Microsoft has vulnerabilities is sufficient reason for Apple to not fix their own security issues... :rolleyes:

fox... (1, Troll)

canistel (1103079) | more than 6 years ago | (#23608971)

... said the fox to the hen, "Here, come and sleep in _my_ house instead..."

MS says shun Safari? (5, Funny)

DrHackenbush (1273982) | more than 6 years ago | (#23608995)

Finally, something we can agree on.

doesn't work? (3, Interesting)

v1 (525388) | more than 6 years ago | (#23608997)

ok I'm the curious type so I made a test on my server, with the provided example.

Since Safari does not know how to render content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served.

Not for me? Safari 3.0.4 running on Mac OS X 10.5.2 renders a web page of numerous blank empty boxes. Nothing was placed in any local folder. Is anyone else able to duplicate this?

Re:doesn't work? (3, Interesting)

TheRaven64 (641858) | more than 6 years ago | (#23609015)

I didn't try this specific code, but Safari does have an irritating habit of randomly downloading things instead of displaying them. I have a load of .php files in my downloads directory because I've clicked on things in online svn browsers and it's decided it can't render them. It's not a huge vulnerability, but it is an irritation which could be easily fixed and it's frustrating that they don't.

I really don't understand why Safari on OS X runs with so many privileges. OS X has a fine-grained access control mechanism in the kernel as of 10.5 and I would really like to see Safari configured so it can't write anywhere except your downloads and preferences directories and can't read anywhere other than your preferences by default.

Re:doesn't work? (3, Interesting)

nine-times (778537) | more than 6 years ago | (#23609059)

That's all this is about? Safari downloads some things instead of displaying them? Is that even a security bug?

If my browser doesn't know how to display it, I think I'd rather it didn't try. Trying seems like it might be even more dangerous. Am I wrong?

Re:doesn't work? (3, Insightful)

Dogtanian (588974) | more than 6 years ago | (#23609115)

That's all this is about? Safari downloads some things instead of displaying them? Is that even a security bug? If my browser doesn't know how to display it, I think I'd rather it didn't try. Trying seems like it might be even more dangerous. Am I wrong?
I'll give you the benefit of the doubt and assume that you posted this in good faith. However, what you're essentially saying ("it's not perfect, but I'd rather it was done the way it's done now") implies a false dichotomy.

What's stopping the browser from saying "I can't handle this file/etc, but please click here if you wish to save it to your desktop"? In the majority of situations, most people wouldn't bother downloading it anyway.

Re:doesn't work? (2, Insightful)

kiddygrinder (605598) | more than 6 years ago | (#23609325)

I wish people would stop saying false dichotomy, it makes me feel uncomfortable... a false set of mutually exclusive groups? How does that even work?

Re:doesn't work? (1)

Wrath0fb0b (302444) | more than 6 years ago | (#23609455)

I wish people would stop saying false dichotomy, it makes me feel uncomfortable... a false set of mutually exclusive groups? How does that even work?
In order to be a proper dichotomy, you must partition the elements into two jointly exhaustive, mutually exclusive, groups. Usually when people complain of a false dichotomy they are attacking the jointly exhaustive bit, not the exclusive bit -- i.e. you have divided the set into parts but some elements were left behind.

Yay for classical logic!

Re:doesn't work? (1)

Malekin (1079147) | more than 6 years ago | (#23609103)

Realistically you'd want Safari to be able to read more than just its preferences/cache files. What about the case of adding an attachment in a webmail interface? Or uploading a photo to a photo-sharing site? Or submitting an assignment for school? The file the user is trying to read could exist anywhere the user has read privileges for.

Similarly you could restrict Safari's write privileges to just its preferences, cache files and a downloads folder, but this removes much of the functionality of things like "Save As…", "Save Image As…", "Export Bookmarks…" etc.

Re:doesn't work? (2, Insightful)

Swizec (978239) | more than 6 years ago | (#23609135)

I have a load of .php files in my downloads directory because I've clicked on things in online svn browsers and it's decided it can't render them.

And how was it supposed to render them? There's nothing there that's gonna run the php script and serve the contents it provides. At best the browser would get headers that tell it "hey, this is a text file" and the browser would display it as such, but there is such a thing as headers that say "always download this no matter what you think you can do with it".

Now I'm not sure whether that's the case or not, but files in svn repositories were never meant to be parsed by browsers.

Re:doesn't work? (0)

Anonymous Coward | more than 6 years ago | (#23609231)

And how was it supposed to render them?
By showing it as a text file?

svn repositories were never meant to be parsed by browsers.
A web svn browser was though.

Re:doesn't work? (0)

Anonymous Coward | more than 6 years ago | (#23609385)

If a file is served as text/plain, it *is* shown as a text file. What do you want Safari to do, ignore the content-type header?
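The sub-thread above is really arguing over one decision: when a response arrives with a type the browser cannot display (the `blah/blah` Content-Type from the test page, or a `.php` file served as `application/x-httpd-php` rather than `text/plain`), does it save the file unasked or ask first? A small model of that decision, as an added example that is not Safari's or WebKit's code: the set of renderable types, the two policy names and the sample batch of responses are assumptions constructed for the example; header parsing uses Python's standard library so `text/plain` really does come out as "render", as the last comment says.

```python
# Added example modelling the render / prompt / save decision discussed in the
# thread. Not Safari's or WebKit's code; RENDERABLE, the policy names and
# SAMPLE_RESPONSES are assumptions constructed for the example.
from collections import Counter
from email.message import Message

RENDER, PROMPT, SAVE = "render", "prompt", "save"

# Types the model browser can display itself (assumed subset).
RENDERABLE = {"text/html", "text/plain", "text/css", "application/xhtml+xml",
              "image/png", "image/jpeg", "image/gif", "application/pdf"}

# Policies: "silent-save" saves anything it cannot render (the behaviour the
# thread describes); "ask-first" prompts unless the user asked for the download.
SILENT_SAVE, ASK_FIRST = "silent-save", "ask-first"


def parse_headers(headers):
    """Return (content_type, disposition, filename) from a header dict."""
    m = Message()
    for name, value in headers.items():
        m[name] = value
    # get_content_type() lowercases, and falls back to text/plain if the
    # header is absent or malformed; sniffing the body is a separate matter.
    return m.get_content_type(), m.get_content_disposition(), m.get_filename()


def decide(headers, user_initiated, policy):
    """What the browser does with one response under the given policy."""
    ctype, disposition, _ = parse_headers(headers)
    if ctype in RENDERABLE and disposition != "attachment":
        return RENDER          # a .php file served as text/plain is shown as text
    if user_initiated:
        return SAVE            # the user clicked a download link themselves
    if policy == SILENT_SAVE:
        return SAVE            # unknown type lands on disk without a question
    if policy == ASK_FIRST:
        return PROMPT          # "I can't handle this; click here to save it"
    raise ValueError(f"unknown policy {policy!r}")


def simulate(responses, policy):
    """Count actions over (headers, user_initiated) pairs."""
    return dict(Counter(decide(h, ui, policy) for h, ui in responses))


# Constructed batch: a page plus three sub-resources of an unregistered type,
# a .php file from an online svn browser served two ways, and one zip the
# user deliberately clicked.
SAMPLE_RESPONSES = [
    ({"Content-Type": "text/html; charset=utf-8"}, False),
    ({"Content-Type": "blah/blah"}, False),
    ({"Content-Type": "blah/blah"}, False),
    ({"Content-Type": "blah/blah"}, False),
    ({"Content-Type": "text/plain"}, False),
    ({"Content-Type": "application/x-httpd-php"}, False),
    ({"Content-Type": "application/zip",
      "Content-Disposition": 'attachment; filename="release.zip"'}, True),
]

if __name__ == "__main__":
    for policy in (SILENT_SAVE, ASK_FIRST):
        print(policy, simulate(SAMPLE_RESPONSES, policy))
```

Under the silent policy every unrenderable sub-resource becomes a file on disk, so the count of saved files is bounded only by how many such resources a page references; under the ask-first policy the same batch produces one saved file (the one the user asked for) and a prompt for each of the others.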

Works here... Link! (1)

appleguru (1030562) | more than 6 years ago | (#23609323)

Works fine here.. you might not have had execute permissions set on your server for the cgi file... Here's an active test of the sample code ("Only" downloads 4 harmless files)

http://appleguru.org/webkit_test/ [appleguru.org]

Re:Works here... Link! (1)

Darkness404 (1287218) | more than 6 years ago | (#23609409)

Honestly, I don't get how this is a major Safari problem, I am sure Firefox can be configured to do the exact same thing, it just so happens that Apple already configured it to. Firefox still opens up 4 windows asking what you want to do with the script.

Download files? (1)

Wowsers (1151731) | more than 6 years ago | (#23609007)

So just how does Safari react when you go to Microsoft's update website?

Quality of links (-1, Flamebait)

bwalling (195998) | more than 6 years ago | (#23609011)

Seems like the quality of linked sites on Slashdot has gone down over the years. These two links are from the Register and some guy's blog.

Re:Quality of links (1)

Vectronic (1221470) | more than 6 years ago | (#23609093)

It's not the quality of the links (websites) that matters, it's the quality of what is reported at the destination of the URL. I'll swim through a sewer to get my food if I have to.

What do you have against The Register, or blogs? If Slashdot themselves use Journals and User Postings, is that not a blog of sorts in the first place?

Re:Quality of links (4, Insightful)

esme (17526) | more than 6 years ago | (#23609123)

some guy's blog

That guy appears to be the one who discovered the vulnerabilities and reported them to Apple.

Do you really think Slashdot shouldn't link to primary sources?

-Esme

Re:Quality of links (0)

Anonymous Coward | more than 6 years ago | (#23609435)

Do you really think Slashdot shouldn't link to primary sources?
Yes. Sorry for the aberration.

-The Editors

Re:Quality of links (1)

kitgerrits (1034262) | more than 6 years ago | (#23609327)

And the /. users still don't RTFA...
That 'some guy' was the person that discovered the vulnerability and sent it to Apple.
How much more authoritative do you want it w.r.t. the bug in question?

The Register itself may not profile itself as a NYT-level news site, but they do occasionally have good articles.

pot/kettle (1, Insightful)

v1 (525388) | more than 6 years ago | (#23609013)

One other thing that hit me immediately... MS: "Omigod they found a BUG in our competitor's web browser! Because we're very concerned for our users' security, we urge you to stop using that browser immediately! Users should NEVER use a buggy web browser! (unless it's explorer)"

Safari should require prompting on Windows (1, Informative)

hxnwix (652290) | more than 6 years ago | (#23609019)

Microsoft is saying that Windows is a very different sort of environment. You can't allow convenience on Windows - it's just not secure enough.

Re:Safari should require prompting on Windows (2, Insightful)

erikina (1112587) | more than 6 years ago | (#23609067)

Nice way to spin a Safari flaw.

Re:Safari should require prompting on Windows (2, Informative)

zaydana (729943) | more than 6 years ago | (#23609143)

That may be so, but even then Apple probably would have been wiser to choose a folder other than the desktop. It's just too easy to accidentally click a file on the desktop, or for some less computer-literate user to see a .exe on their desktop and click it, wondering what it is.

You'll notice that on the latest installment of OS X, safari downloads to a Downloads folder, not the desktop.

So if it does this on OS X... (3, Insightful)

Animaether (411575) | more than 6 years ago | (#23609159)

Supposedly it does this on OS X as well, but a comment above says it's not doing it; that's an aside, though..

If it -does- do this on OS X, then it is called a convenience?

What is the convenience in having a folder automatically stuffed with files, downloaded without your say-so, exactly? Regardless of whether they can then be arbitrarily executed by a second program, or whether the user can execute them without a warning dialog popping up or not, etc. What, in your opinion, is convenient about it?

I find alt+click in Firefox convenient to download a file that I want without clicking on it and then going through the download dialog. I find it even more convenient that Firefox -asks- me if I want to download a given file if some crazy redirect page pointed me to one; gives me the opportunity to say "Hell no!" before the file even ends up on my drive.
But our opinions on convenience may differ.

Re:So if it does this on OS X... (0)

Anonymous Coward | more than 6 years ago | (#23609251)

Well said. It's pretty hard to imagine how silently downloading a program in the background is a "convenience".

I can see how a lot of people would see a program on their desktop (succulently named, of course) and run it to see what it is.

OSX countermeasures (1)

Slur (61510) | more than 6 years ago | (#23609349)

On Mac OS X this isn't really a problem - at least not since Leopard. When things download in Safari it's obvious to the user, and only certain file types are considered safe to open right away, so there's no automatic execution of application bundles or .command files. In Leopard, the first time you try to open or execute a download you get a dialog warning you that the file is an internet download. You can choose to open it anyway, or you can choose to view the file's source web page. If the file resides on a disk image, you continue to get the warning every time you open the file until you check the box indicating that the disk image is safe.

Re:OSX countermeasures (1)

fitten (521191) | more than 6 years ago | (#23609383)

Relying on the user is the path to doom. Sure, it's the user's fault when he/she does something like this, but it's still *bad*. The question is... why is Safari downloading things it shouldn't be downloading on *any* OS (OSX or Windows) and putting them *anywhere*, where they are a timebomb waiting to happen when some user clicks on it and doesn't know what it is (or even giving the files an enticing name like 'latest-WoW-trailer-from-next-expansion-great-video')? (Answer: it shouldn't be.)

Re:So if it does this on OS X... (1)

ACMENEWSLLC (940904) | more than 6 years ago | (#23609379)

10.5.3 OS X. I use Firefox; however, my default Safari settings are as such:

Automatically download to folder: Desktop -- I've moved mine to Downloads
Open Safe files after downloading: (Includes movies, sounds, disk images, pictures, pdf's) Default is YES.

So not only does it apparently allow automatic downloads to the desktop, but execute them (disk images) as well. But it's not like a PC where these can actually do harm. The disk image would prompt me for my password to make system changes.

I was doing a Google search the other day and got stuck in a JavaScript loop of some website trying to auto-download a fake antimalware program. I hit cancel, and it automatically reloaded -- loop. This was Firefox, and it was prompting me what to do. I had to end the task from the Dock.

Yea, autodownload needs to be disabled. Doesn't Firefox automatically start a download though - while the prompt for what to do is up? I believe while the prompt is up Firefox is downloading the file in the background to temp.

1, 2, 3 ... SHUN! (5, Insightful)

Anonymous Coward | more than 6 years ago | (#23609031)

Wow. Have to admit I'm on Microsoft's side here. Let's see:

  1. automatically download browser as an update whether user likes it or not;
  2. have the audacity to set the browser as default, again whether the user likes it or not;
  3. introduce vulnerability;
  4. ...
  5. errr, no.

It's not just the vulnerability that hurts, but the compound bullshit caused by Apple's -- rather arrogant -- actions. This reads like something Microsoft would do!

Also, vulnerabilities in Apple software (and this bug affects both Windows and Mac), make all *nix stuff look bad: watch MS shills roll out the 'Microsoft software is only vulnerable because hackers target it' FUD in short order.

Posting as AC due to Apple fanboy-mods. Modding this down doesn't stop it being the truth.

Re:1, 2, 3 ... SHUN! (2, Insightful)

Anonymous Coward | more than 6 years ago | (#23609169)

I agree with you. Apple programs seem to have an extraordinary amount of arrogance when it comes to stuff like this ("have iPods act as generic USB devices like many competitor MP3 players do? No thanks, we'd rather obfuscate the file structure just so Windows users can learn how irritating and laggy the iTunes port is!"). Plus, a browser that downloads files when it can't render them does seem like a stupid security hole.

Having said that, I think Microsoft's concern here is a bit dumb - they're basically saying that some hacker is out there writing code that relies on users having a secondary hole which is separate from the Safari hole (otherwise MS would have quoted that as their security concern), and this hole is only big enough to allow remote execution of code but not to allow file transfer. For this to work, the victim would have to be: running Windows, running Safari, running Program-Which-Allows-Remote-Execution-But-Not-File-Transfer, visiting a site that has the malicious code on it, yet secure enough not to have a simpler attack vector. In Venn diagram form, this is 5 different circles, with the minuscule crossover of all 5 being where this attack takes place - it's just not worth the effort to target such a tiny portion of people (better to write a Linux/Mac OS X virus).

Re:1, 2, 3 ... SHUN! (1)

NeverVotedBush (1041088) | more than 6 years ago | (#23609171)

Why do Apple's Safari vulnerabilities on both Windows and Mac make all *nix stuff look bad? I think this is one case where fanboy mods or no, the point fails.

All vulnerabilities in Safari do is make Apple look bad. Apple controls their OS and their applications. Linux doesn't come with Safari and yet it is a *nix flavor. Most Apple users probably don't even realize that OSX is Apple's GUI over BSD.

Personally, I'll take Linux over OSX or Windows any day.

Re:1, 2, 3 ... SHUN! (2, Insightful)

jeevesbond (1066726) | more than 6 years ago | (#23609365)

Why do Apple's Safari vulnerabilities on both Windows and Mac make all *nix stuff look bad? I think this is one case where fanboy mods or no, the point fails.

Because every time there is a security hole in their competitor's software the Microsoft fanboys (and shills) come out with the "Microsoft isn't any less secure, it's just targeted more because of its market share" line. By itself this is contestable: Web servers are riper targets for Internet-based attacks (always on, always connected) and *nix has a clear lead there [securityspace.com] . Also, the privilege escalation methods on *nix are less obnoxious than the Windows equivalent, which is usually switched off as a result. Meaning Windows hasn't got the relevant market share, and is less secure than the alternatives.

So, when Apple do something like this, the MS fanboys roll out FUD about their competitors software being just as buggy as their own (see above). People believing this are less inclined to even look at other software: why waste the effort, when the quality is no better?

I think what the OP is trying to say is that Apple has an effect on all non-Microsoft software, because in many markets anything non-Microsoft is lumped into the "alternatives" category. That's certainly how the Microsoft fanboys and shills will try to spin this anyway.

Re:1, 2, 3 ... SHUN! (0)

Anonymous Coward | more than 6 years ago | (#23609203)

  1. automatically download browser as an update whether user likes it or not;
  2. have the audacity to set the browser as default, again whether the user likes it or not;
  3. introduce vulnerability;
  4. "you are safer on a Mac campaign"
  5. Profit
There, completed it for you.

Re:1, 2, 3 ... SHUN! (4, Interesting)

Spy der Mann (805235) | more than 6 years ago | (#23609259)

This reads like something Microsoft would do!

And that's no wonder. Steve Jobs and Bill Gates were cut with the same scissors. Back in the 80's, while Billy kept stealing whatever idea he stumbled upon, Steve Jobs only thought of becoming more powerful and promoting a competitive environment inside Apple, even if that destroyed the morale of his employees.

Please do yourselves a favor and watch Pirates of Silicon Valley [imdb.com] . It's an enlightening movie. And yes, Steve did even worse things, but they're too shocking to be mentioned in public.

Re:1, 2, 3 ... SHUN! (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23609283)

You are sooo right. This kind of stuff, along with recent experiences with iTunes, pushes me firmly into the FOSS camp. Users are finally getting some respect there, the "users are lusers" attitude is becoming increasingly relegated to the sidelines, and the changing world many of us anticipated 10 yrs ago is upon us.

Re:1, 2, 3 ... SHUN! (0)

Anonymous Coward | more than 6 years ago | (#23609287)

Nobody who criticises Apple ever gets modded down, if anything most of them are modded +5 insightful.

Which I think is bullshit since all they ever do is mindlessly repeat how stupid Apple fanboys are. Boring! Get some new material!

Re:1, 2, 3 ... SHUN! (1)

S.O.B. (136083) | more than 6 years ago | (#23609387)

As soon as Apple fanboys stop posting as AC then maybe they'll get some respect.

Re:1, 2, 3 ... SHUN! (0)

Anonymous Coward | more than 6 years ago | (#23609331)

Well said. Basically, I would not trust an Apple product on my Windows machine ever. Quicktime was horrible, but just annoying. This thing is a security issue. Apple also have an extra motive of proving how 'insecure' the Windows platform is. They are as much greedy bastards as anybody else. But the RDF is too strong with the weaklings.

Microsoft has a point (0, Troll)

CosaNostra Pizza Inc (1299163) | more than 6 years ago | (#23609065)

As much as I hate M$ and all it stands for, I agree Safari shouldn't be used. It's bad enough that Apple nags me to install Safari and iTunes on my Windows computer whenever there is a Quicktime Player update.

Re:Microsoft has a point (1)

purpleraison (1042004) | more than 6 years ago | (#23609339)

Heck, I hate the fact that you need to install QuickTime player when you only want to install iTunes.

On my Mac I am fine with that, but on my PC I don't want QuickTime because I will never use it.

creators urge US to disempower corepirate nazis (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23609069)

the lights are coming up all over now. conspiracy theorists are being vindicated. some might choose a tin umbrella to go with their hats. the fairytail is WINDing DOWn now. let your conscience be yOUR guide. you can be more helpful than you might have imagined. there are still some choices. if they do not suit you, consider the likely results of continuing to follow the corepirate nazi hypenosys story LIEn, whereas anything of relevance is replaced almost instantly with pr ?firm? scriptdead mindphuking propaganda or 'celebrity' trivia 'foam'. meanwhile; don't forget to get a little more oxygen on yOUR brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.

http://news.google.com/?ncl=1216734813&hl=en&topic=n
http://www.nytimes.com/2007/12/31/opinion/31mon1.html?em&ex=1199336400&en=c4b5414371631707&ei=5087%0A
http://www.nytimes.com/2008/05/29/world/29amnesty.html?hp

is it time to get real yet? A LOT of energy is being squandered in attempts to keep US in the dark. in the end (give or take a few 1000 years), the creators will prevail (world without end, etc...), as it has always been. the process of gaining yOUR release from the current hostage situation may not be what you might think it is. butt of course, most of US don't know, or care what a precarious/fatal situation we're in. for example; the insidious attempts by the felonious corepirate nazi execrable to block the suns' light, interfering with a requirement (sunlight) for us to stay healthy/alive. it's likely not good for yOUR health/memories 'else they'd be bragging about it? we're intending for the whoreabully deceptive (they'll do ANYTHING for a bit more monIE/power) felons to give up/fail even further, in attempting to control the 'weather', as well as a # of other things/events.

http://www.google.com/search?hl=en&q=weather+manipulation&btnG=Search
http://video.google.com/videosearch?hl=en&q=video+cloud+spraying

dictator style micro management has never worked (for very long). it's an illness. tie that with life0cidal aggression & softwar gangster style bullying, & what do we have? a greed/fear/ego based recipe for disaster. meanwhile, you can help to stop the bleeding (loss of life & limb);

http://www.cnn.com/2007/POLITICS/12/28/vermont.banning.bush.ap/index.html

the bleeding must be stopped before any healing can begin. jailing a couple of corepirate nazi hired goons would send a clear message to the rest of the world from US. any truthful look at the 'scorecard' would reveal that we are a society in decline/deep doo-doo, despite all of the scriptdead pr ?firm? generated drum beating & flag waving propaganda that we are constantly bombarded with. is it time to get real yet? please consider carefully ALL of yOUR other 'options'. the creators will prevail. as it has always been.

corepirate nazi execrable costs outweigh benefits
(Score:-)mynuts won, the king is a fink)
by ourselves on everyday 24/7

as there are no benefits, just more&more death/debt & disruption. fortunately there's an 'army' of light bringers, coming yOUR way. the little ones/innocents must/will be protected. after the big flash, ALL of yOUR imaginary 'borders' may blur a bit? for each of the creators' innocents harmed in any way, there is a debt that must/will be repaid by you/us, as the perpetrators/minions of unprecedented evile, will not be available. 'vote' with (what's left in) yOUR wallet, & by your behaviors. help bring an end to unprecedented evile's manifestation through yOUR owned felonious corepirate nazi glowbull warmongering execrable. some of US should consider ourselves somewhat fortunate to be among those scheduled to survive after the big flash/implementation of the creators' wwwildly popular planet/population rescue initiative/mandate. it's right in the manual, 'world without end', etc.... as we all ?know?, change is inevitable, & denying/ignoring gravity, logic, morality, etc..., is only possible, on a temporary basis. concern about the course of events that will occur should the life0cidal execrable fail to be intervened upon is in order. 'do not be dismayed' (also from the manual). however, it's ok/recommended, to not attempt to live under/accept, fauxking nazi felon greed/fear/ego based pr ?firm? scriptdead mindphuking hypenosys.

consult with/trust in yOUR creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?

"If my people, which are called by my name, shall humble themselves, and pray, and seek my face, and turn from their wicked ways; then will I hear from heaven, and will forgive their sin, and will heal their land."

meanwhile, the life0cidal philistines continue on their path of death, debt, & disruption for most of US. gov. bush denies health care for the little ones;

http://www.cnn.com/2007/POLITICS/10/03/bush.veto/index.html

whilst demanding/extorting billions to paint more targets on the bigger kids;

http://www.cnn.com/2007/POLITICS/12/12/bush.war.funding/index.html

& pretending that it isn't happening here;

http://www.timesonline.co.uk/tol/news/world/us_and_americas/article3086937.ece
all is not lost/forgotten/forgiven

(yOUR elected) president al gore (deciding not to wait for the much anticipated 'lonesome al answers yOUR questions' interview here on /.) continues to attempt to shed some light on yOUR foibles. talk about reverse polarity;

http://www.timesonline.co.uk/tol/news/environment/article3046116.ece

Secondary attack or not (1)

poeidon1 (767457) | more than 6 years ago | (#23609071)

but how can Safari download the files without user consent (and the fact that asking the user whether to download the file is a feature request :-O). I haven't seen any other browser behaving like that.

Re:Secondary attack or not (1)

Vectronic (1221470) | more than 6 years ago | (#23609151)

The same way it downloads the content of a webpage without the (direct) consent of the user.

Microsoft (4, Insightful)

kardelen133 (1299169) | more than 6 years ago | (#23609125)

Hi all, I'm in the uncomfortable position of agreeing with Microsoft on this issue. If a browser (any browser) allows a website to randomly download files without the user's explicit permission, regardless of the location, it is a security issue in my opinion. Having said that, I take issue with Microsoft's security advisory. The only thing they say is: "What causes this threat? A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user's machine without prompting, allowing them to be executed." OK, but how about telling us the how or why? Since it is a direct contributor which causes the blended threat, I don't think it's asking too much to want to know exactly "how the Windows desktop handles executables" and how that contributes to the threat.

Microsoft needs to get their own house in order (2, Insightful)

argent (18001) | more than 6 years ago | (#23609235)

If a browser (any browser) allows a website to randomly download files without the user's explicit permission, regardless of the location, it is a security issue in my opinion.

It's a minor issue compared to a number of others that ALL browsers on Windows have. If Microsoft is serious about security then they need to:

1. Immediately transition away from ActiveX, with as short a timeframe as possible.
2. Replace ShellExecute() with something similar to UNIX's exec(). They already HAVE the code, in the POSIX subsystem.
3. Eliminate "security zones" as a security model - there must be no circumstance in which the location of an object named in a web page automatically grants it privileges.
4. Provide an alternate API for browsers to use to find and run helper applications that is not based on the desktop helper application bindings.

All four of these are far bigger problems than having files downloaded without a prompt. Not only do they all provide paths to direct execution of untrusted code without user interaction, but they have all BEEN used for that purpose hundreds of times over the past decade.

I am not sure it's possible to implement a really secure browser on Windows without completely bypassing all of Microsoft's recommended APIs.

Re:Microsoft needs to get their own house in order (2, Interesting)

Anonymous Coward | more than 6 years ago | (#23609423)

Why should Microsoft transition away from ActiveX? How is ActiveX any more vulnerable than (say) XPCom or the plugin model that every single browser supports? The only thing I can think of is that lots of vendors write ActiveX controls while relatively few write plugins for other browsers. But you CAN write secure ActiveX controls.

ShellExecute is similar to exec(). In this case, exec() would be just as likely to have a problem, since most users have . on their path (if your desktop is the current directory and you have . on your path then an application that calls exec() will execute programs on the desktop).
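The point made above about "." on the PATH is easy to see with a small audit, so here is an added example (editor's code, not from any poster in this thread): a function that reports PATH entries which resolve relative to the current directory, and a pure simulation of PATH lookup that shows a bare command name resolving to a file sitting in the current directory (say, the desktop) when "." or an empty entry comes first. The PATH strings and the set of "files on disk" are constructed for the example.

```python
import posixpath
from typing import Iterable, List, Optional

# Constructed sample PATH values (POSIX separator, as in the comment above).
SAMPLE_PATH_WITH_DOT = ".:/usr/local/bin:/usr/bin:/bin"
SAMPLE_PATH_SAFE = "/usr/local/bin:/usr/bin:/bin"


def unsafe_path_entries(path_value: str, sep: str = ":") -> List[str]:
    """Return the PATH entries that depend on the current working directory.

    An empty entry (from "::" or a leading/trailing separator) is treated as
    "." by POSIX shells, so it is reported alongside an explicit "." and any
    other relative entry.
    """
    return [
        entry
        for entry in path_value.split(sep)
        if entry == "" or entry == "." or not posixpath.isabs(entry)
    ]


def simulate_lookup(command: str, path_value: str, cwd: str,
                    present: Iterable[str], sep: str = ":") -> Optional[str]:
    """Resolve a bare command name the way a PATH search does.

    `present` is a constructed set of file paths standing in for what is on
    disk, so this runs offline. Returns the first candidate that exists, or
    None when nothing on the PATH matches.
    """
    present = set(present)
    for entry in path_value.split(sep):
        base = cwd if entry in ("", ".") else entry
        if not posixpath.isabs(base):
            base = posixpath.join(cwd, base)
        candidate = posixpath.normpath(posixpath.join(base, command))
        if candidate in present:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed "files on disk": a real /bin/ls and a look-alike on the desktop.
    on_disk = {"/bin/ls", "/home/alice/Desktop/ls"}
    print("unsafe entries:", unsafe_path_entries(SAMPLE_PATH_WITH_DOT))
    print("with '.' first:",
          simulate_lookup("ls", SAMPLE_PATH_WITH_DOT, "/home/alice/Desktop", on_disk))
    print("without '.':   ",
          simulate_lookup("ls", SAMPLE_PATH_SAFE, "/home/alice/Desktop", on_disk))
```

The simulation is what makes the comment's scenario concrete: with "." ahead of /bin, the desktop copy wins, and with the safe PATH the system binary wins. The same audit applies to Windows if the separator is changed to ";", though Windows searches the current directory before the PATH regardless of whether "." is listed.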

Re:Microsoft (1)

mini me (132455) | more than 6 years ago | (#23609279)

Pretty much every browser I've ever used downloads files and saves them in a place on the drive known as the cache. Is saving certain filetypes in a different location really that much different?

Re:Microsoft (1)

Darkness404 (1287218) | more than 6 years ago | (#23609431)

But how many people just click around in their cache? I think that this is not so much "you downloaded some files, your computer is compromised" but rather "some files are on your desktop, you double-click on them, and your computer is compromised".

Apple urges Windows users to Shun IE (1, Flamebait)

kurt555gs (309278) | more than 6 years ago | (#23609163)

Microsoft urges users to shun anything that they don't sell.

This is a story?

Re:Apple urges Windows users to Shun IE (1)

fitten (521191) | more than 6 years ago | (#23609343)

Honestly, if the bug is as described (and it looks like it is from other reports), then it is a *good* reason to shun Safari.... it doesn't matter who is saying it. Sometimes, good information *is* given by people you don't like. If you refuse to use good information because you don't like the messenger who delivered it, it only makes you a fool, not cool.

Good advice (2, Interesting)

labmonkey09 (992534) | more than 6 years ago | (#23609193)

This is a reasonable warning that would be applied as is to any other app. Apple leaving this unpatched is adding fuel to a fire that started with Quicktime vulnerabilities and the sudden uptick of Mac vulnerabilities over the last few years: that Apple is no more serious, or maybe capable, about security than any other company.

What's good for the goose... (2, Insightful)

10101001 10101001 (732688) | more than 6 years ago | (#23609201)

Well, let's see:

A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user's machine without prompting, allowing them to be executed.

Oh, I see. So, the auto-download feature doesn't "properly" tag them like IE7 does, so users might accidentally execute a program without being first informed it was downloaded? Gosh. Sounds less like a security vulnerability than MS blowing smoke.

But, wait:

An attacker could trick users into visiting a specially crafted Web site that could download content to a user's machine and execute the content locally using the same permissions as the logged-on user.

Oh, well now it's sounding more like it'll be downloaded *and* executed automatically. Of course, if that's the case, half the "security vulnerability" is in Windows automatically executing things. If not, MS is simply lying... unless they have proof that Safari is the one causing said automatic execution.

However you spin it, Safari allowing carpet bombing is an annoying feature (much like pop-unders are an annoying feature). But it's not a security vulnerability. Labeling it as such is bullshit.

Does that mean you should use Safari regardless? Personally, I'd say no. Carpet bombing is too annoying of a feature to tolerate. But, then, I'd imagine Windows has too many annoying features for a lot of Mac users. It'd be just as asinine for Apple to issue a security advisory to shun Windows.

hundreds of executables (3, Insightful)

johnrpenner (40054) | more than 6 years ago | (#23609227)

One hundred rounds does not constitute firepower.
One hit constitutes firepower. (Gen. Merritt Edson, USMC)

Slightly OT: why corps bother with browsers? (3, Interesting)

Bazman (4849) | more than 6 years ago | (#23609257)

Why do MS and Apple put huge amounts of money into developing browsers when Firefox exists? IE and Safari generate zero revenue for the company since they give the software away, so it can't look too good on the balance sheet.

I can only think that it's some kind of NIH syndrome, or content-control-freakery, or that if they suddenly stopped making a browser and said 'oh flip it, Firefox wins' that confidence in the corporation (and hence share price) would nose dive.

Any other ideas?

Re:Slightly OT: why corps bother with browsers? (1)

cowscows (103644) | more than 6 years ago | (#23609413)

Why does Firefox exist? They give that away too; that can't look good on a balance sheet.

IE was created well before Firefox existed, and was arguably built to destroy Netscape. Safari is newer, but I can think of a number of reasons why Apple might have felt it worthwhile. Maybe Apple felt that a cross-platform browser would never take full advantage of some of the features available in OSX. Maybe they felt the upgrade schedule for Firefox was too slow. I think you could make a pretty strong argument that creating Safari has been a very important part of their success with the iPhone. I don't know if that was the plan all along, or just a fortunate coincidence, but it seems to have worked out well for them.

Re:Slightly OT: why corps bother with browsers? (1)

Chris_Jefferson (581445) | more than 6 years ago | (#23609445)

You wonder why Microsoft makes IE? Well, the fact I personally know of at least 3 companies locked into Windows because they use an IE-only web app probably helps. Also, would you want your OS's connection to the internet (arguably one of the most important things on a modern OS) dictated by another application beyond your control? Also, on the Mac, while Firefox is OK, it's certainly possible to tell it isn't a "proper application"; it does lots of things not-quite-right. Certainly not something Apple would want to promote to a top-level application.

prefs (3, Informative)

Beer_Smurf (700116) | more than 6 years ago | (#23609265)

You can tell Safari to put downloaded files wherever you want.
So they don't have to be on the desktop.

Re:prefs (2, Insightful)

Anonymous Coward | more than 6 years ago | (#23609453)

That is not the problem here. The problem is that files of an unknown content type are being downloaded without the users' consent.

Browsers are downloading html, swf and image files all the time. That is not at all an issue here. The issue is that an EXE or DLL can be downloaded without the user's consent. These files can in turn be launched through a secondary attack.
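The distinction this reply draws (html, swf and images are harmless to have on disk; EXE and DLL files are not, because a later double-click or a secondary attack launches them) is the same one the Microsoft advisory quoted earlier calls a "blended threat". As an added example, not code from any poster here, this is the kind of check a defender can run over a browser's download location to surface files that should have prompted: it flags names by their final extension, case-insensitively, so "Invoice.PDF.exe" is caught while "setup.exe.txt" is not. The extension set is an assumption chosen for illustration, not Microsoft's or Apple's list, and the sample file names are constructed.

```python
import os
from typing import Iterable, List

# Assumed list of extensions that Windows runs when a file is opened from
# the desktop or Explorer. Illustrative, not an authoritative list.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".msi", ".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".lnk",
}

# Constructed sample of what a carpet-bombed download folder might contain.
SAMPLE_DOWNLOADS = [
    "photo.jpg", "index.html", "movie.swf", "notes.txt",
    "Invoice.PDF.exe", "helper.DLL", "setup.exe.txt", "update.js",
]


def is_executable_name(filename: str) -> bool:
    """True if the file's final extension is one Windows executes on open.

    Only the last extension counts and the comparison is case-insensitive,
    which is how Explorer decides what a double-click does.
    """
    _, ext = os.path.splitext(filename)
    return ext.lower() in EXECUTABLE_EXTENSIONS


def unprompted_executables(filenames: Iterable[str]) -> List[str]:
    """Return, sorted, the names in a listing that should have prompted."""
    return sorted(name for name in filenames if is_executable_name(name))


def scan_download_dir(path: str) -> List[str]:
    """Run the same check over a real directory, e.g. Safari's download location."""
    with os.scandir(path) as entries:
        return unprompted_executables(e.name for e in entries if e.is_file())


if __name__ == "__main__":
    for name in unprompted_executables(SAMPLE_DOWNLOADS):
        print("executable type downloaded without prompt:", name)
```

Pointing scan_download_dir at the folder Safari is configured to use (the desktop by default, per the prefs comment above) turns the reply's argument into a routine check; anything it returns is a file that arrived without the consent step the reply is asking for.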

shouldn't that be .. (1)

rs232 (849320) | more than 6 years ago | (#23609309)

"restrict use of Vista as a GUI until an appropriate update is available from Microsoft"

I actually agree with Microsoft in this case. (1)

MtViewGuy (197597) | more than 6 years ago | (#23609351)

The reasons are simple:

1) The current version of Internet Explorer (7.0) is actually a pretty decent web browser, and works reasonably well for average users.

2) Firefox 3.0, which should arrive some time in June 2008 in the final version, will get plentiful third-party support and the revised memory management has drastically reduced the memory "footprint" of the browser.

Why bother with another web browser that is not really a viable alternative to IE 7.0 and the upcoming Firefox 3.0?

Shun On (1)

fermion (181285) | more than 6 years ago | (#23609395)

Shun off

There, now no one has to worry.

Sorry, could not resist.
