Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Safari "Carpet Bomb" Attack Code Released

timothy posted more than 6 years ago | from the nogoodniks dept.

Security 118

snydeq writes "A hacker has posted attack code that exploits critical flaws in the Safari and Internet Explorer Web browsers. The source code can be used to run unauthorized software on a victim's machine, and could be used by criminals in Web-based computer attacks, security experts say. The public example of the attack code allows attackers to litter a victim's desktop with executable files, an attack known as 'carpet bombing.' In combination with bugs in Windows and Internet Explorer, attackers can run unauthorized software on a victim's computer."

cancel ×

118 comments

Sorry! There are no comments related to the filter you selected.

Secure from the ground up! (0, Flamebait)

HerculesMO (693085) | more than 6 years ago | (#23752627)

Oh wait..

Re:Secure from the ground up! (5, Informative)

spud603 (832173) | more than 6 years ago | (#23752733)

RTFA. Actually, it looks like this is a windows problem. Safari automatically downloads a file to the desktop. Then when you start Internet Explorer it runs the file on your desktop and there is the problem.
So the real issue is that Safari can be told to automatically download a file while internet explorer will automatically run a malicious dll from the desktop. actual post and proof-of-concept code here [fc2.com] .
seems like a misleading summary to me.

Re:Secure from the ground up! (3, Informative)

Colonel Korn (1258968) | more than 6 years ago | (#23752893)

RTFA. Actually, it looks like this is a windows problem. Safari automatically downloads a file to the desktop. Then when you start Internet Explorer it runs the file on your desktop and there is the problem.
So the real issue is that Safari can be told to automatically download a file while internet explorer will automatically run a malicious dll from the desktop. actual post and proof-of-concept code here [fc2.com] .
seems like a misleading summary to me.
IE won't run anything "automatically." It sounds like the problem is that Safari both autodownloads to the desktop and then tells IE to open that file on its next load.

Re:Secure from the ground up! (3, Informative)

bluelip (123578) | more than 6 years ago | (#23753003)

IE will load its DLLs automatically. If the current PATH contains the DLL, IE will use that version instead of the system version.

Re:Secure from the ground up! (4, Informative)

spud603 (832173) | more than 6 years ago | (#23753039)

from TFA:

The problem originated from an error that Windows Internet Explorer will load some program library files(DLL) from user's Desktop instead of its own library file folder(usually C:\WINDOWS\SYSTEM32). Apple's Safari for Windows downloads and saves requested file to user's Desktop by default - this default behavior itself does not constitute a mistake.

The 'workarounds' suggested by MS include "Change the download location of content in Safari to a newly created directory". I don't actually know what's going on with this, but it seems like it's IE opening an improperly-named (or maybe there's some bad meta-data that comes along with it?) file from the desktop, no matter how it got there.

Closest resources first (1)

RingDev (879105) | more than 6 years ago | (#23753911)

Sounds like a scope issue. Microsoft apps are designed to look for resources/references closer first, then further as needed.

For example, if IE needs to use mm.dll it will first look in the working folder, if it doesn't find it there, if will check the system's path variable and see if it can find the library in any of those folders.

In this specific case, if you are running Safari, it can auto download a new file, say, 'mm.dll' to your desktop. Safari doesn't care about it, BUT, the next time you start IE from the desktop (a shortcut on the desk top, not the quick launch or start menu), it treats the desktop folder as the working folder, and seeing that nice and shiny new mm.dll in it's working folder it doesn't bother to check the system's path variable to pull the real mm.dll out of the system32 folder.

At least, that would be my assumption of how this is happening.

-Rick

Re:Closest resources first (3, Informative)

deke_kun (695166) | more than 6 years ago | (#23756007)

This is exactly what is happening.

And yet this is listed as a Safari flaw?

Come on, how insanely insecure is it to run executable code from the desktop! Hasn't windows had protection on the windows and system32 directories for about 6 billion years now for this very reason? And then they go and make it pull executable code from just about the least secure place on any PC.

From where I'm sitting this is a massively Microsoft problem, but their suggested "fix" is still the easiest solution by far. But its a bandaid to a gaping oversight.

Safari on the mac defaults to /Users/user/Downloads. Wouldn't be hard to change WinSafari to do the same, but it would almost be an admission of fault to all the IE fanboys.

Re:Closest resources first (2, Insightful)

clang_jangle (975789) | more than 6 years ago | (#23758551)

But it is a Safari flaw. If I wrote a browser and released it for multiple OSs I'd consider it my responsibility to eliminate all possible security breaches individually for each version. Though I am an Apple user and really dislike MS, it seems to me that Apple simply didn't finish the job on their windows version of Safari. True, windows is a real PITA to port software to, with all the poor security choices MS has made -- but a job worth doing is a job worth doing properly. Users of WinSafari have a right to be upset about this, and Apple should fix it straight away. After all, no one's forcing them to code for windows.

It is a safari flaw (1)

Yaur (1069446) | more than 6 years ago | (#23760967)

Safari shouldn't be downloading files without prompting the user. In this case it is a dll... but from what I understand it could just as easily be an trojan named something like "My Computer.exe".

Re:Secure from the ground up! (3, Informative)

FatMacDaddy (878246) | more than 6 years ago | (#23753827)

You know, this is pretty clearly explained in the article. To quote: "Microsoft's advisory says that the vulnerability has to do with the way Windows handles desktop executables and recommends that Windows users "restrict use of Safari as a Web browser until an appropriate update is available from Microsoft and/or Apple."

So yes, IE is in fact autoloading executables from the desktop. It's Safari's vulnerability to carpet bombing that sets the stage, but it's IE and Windows that cause the big boom.

Re:Secure from the ground up! (0)

Anonymous Coward | more than 6 years ago | (#23753027)

Safari shouldn't download files automatically, If His Royal Highness Jobs can't cope with the obvious, there should be an option to disable this cock-up.

Re:Secure from the ground up! (1)

mweather (1089505) | more than 6 years ago | (#23753927)

It shouldn't, but absent any idiotic vulnerabilities in other software, it's just an inconvenience to clean up the downloaded files. No damage is done.

Re:Secure from the ground up! (0)

Anonymous Coward | more than 6 years ago | (#23754355)

Inconvenience? Jesus fucking christ. You realize that all local exploits just became remote, right? You realize that some dumb twat can stuff your fucking desktop full of ten million files for giggles, right? Jesus fucking christ.

Re:Secure from the ground up! (1)

profplump (309017) | more than 6 years ago | (#23754347)

It maybe shouldn't automatically download files by default. But I had better be able to tell it to automatically download files with certain MIME types -- I do not want a dialog box for every file I download.

Re:Secure from the ground up! (5, Informative)

Richard_at_work (517087) | more than 6 years ago | (#23753085)

Read Slashdot: Microsoft Urges Windows Users To Shun Safari [slashdot.org] - it explains what happens in more detail.

Basically, on Windows Safari automatically downloads files, in imitation of its behavior on OSX, but whereas on OSX it downloads them to a nice ~/Downloads directory on Windows it downloads them to the desktop. Also, on OSX Safari tags the downloaded file as 'unsafe', but it fails to use the Windows functionality to do the same on Windows. This leaves a whole load of files that you never asked for or wanted lying around on your computer in a state that is one step away from being executed.

This 'attack' allows a malicious person to force Safari to dump thousands of files on your desktop, which in and of itself is not a nice thing, but when coupled with other exploits it can lead to code execution of these files you never wanted in the first place - whether those exploits are patched by the vendor (Microsoft) or not, we both know that a significant portion of desktops are not kept fully up-to-date with security releases.

mod parent up (4, Insightful)

spud603 (832173) | more than 6 years ago | (#23753177)

very informative.
If Windows has an "unsafe" flag for files, it should be used by Safari. Also, I find using desktop as default download space incredibly annoying (yes, i'm looking at you firefox).
That said, IE should also know better than to execute random files from the desktop, which seems like the nastier issue here.

There is one (3, Informative)

Titoxd (1116095) | more than 6 years ago | (#23753919)

If Windows has an "unsafe" flag for files, it should be used by Safari.
Windows has it. It's the Attachment Execution Service [bartdesmet.net] , located in the Alternate Data Streams [wikipedia.org] in NTFS.

Re:mod parent up (1)

SoupIsGoodFood_42 (521389) | more than 6 years ago | (#23754929)

Call me weird, but I prefer downloads to appear on the desktop. I use the desktop as a dumping ground for anything new that I haven't yet sorted or looked into. The downloads folder is a sensible default, though.

location is fine, automatic download is the issue (1)

nobodyman (90587) | more than 6 years ago | (#23756931)

I prefer things downloaded to the desktop, too. However, my issue is that the files are downloaded automatically. Let's ignore the dll security flaw for a second. If Safari gains any significant traction among windows users, I guarantee that websites will use this as a vector for spamming you with ads and spyware. At a bare minimum it will be annoying.

In fact, I'm kindof surprised that the surlier parts of the web (warez sites and such) aren't already using this to dump porn ads on your desktop.

Re:mod parent up (2, Informative)

gerardrj (207690) | more than 6 years ago | (#23756569)

Even if Windows has an "unsafe for execution" flag for files, the DLLs in question aren't really being launched through the new process/application launch APIs that would implement such a flag.
These files are being loaded as trusted libraries of shared code that likely bypass anti-virus and other such protection apps.

Re:mod parent up (1)

nobodyman (90587) | more than 6 years ago | (#23756993)

Are you sure? Seems crazy that there would be a mechanism for marking files as unsafe when the OS (or at least IE) doesn't respect it. But this is microsoft we're talking about here.

It would be easy enough to test this out though. manually download this DLL using IE (which marks the file as unsafe), then fire up IE7.

Yup! (4, Informative)

nobodyman (90587) | more than 6 years ago | (#23757139)

It would be easy enough to test this out though. manually download this DLL using IE (which marks the file as unsafe), then fire up IE7.
I tried it out: the exploit still works when you manually download the file using IE instead of Safari. So either IE isn't marking downloaded executables as unsafe either, or IE ignores this flag when loading DLL's. Either way it undermines the"Apple is at fault" argument.

Carpet bombing is still an issue, if for no reason than it is an annoyance.

Re:Secure from the ground up! (1)

peragrin (659227) | more than 6 years ago | (#23753277)

um safari at least for me downloads directly to the desktop. then again when the download finishes instead of auto opening the file OS X pops up a dialog to manual confirm that I downloaded an application/disk image/zip file. where as jpgs, gifs, pdfs just save automatically.

Re:Secure from the ground up! (1)

Pope (17780) | more than 6 years ago | (#23753601)

but whereas on OSX it downloads them to a nice ~/Downloads directory

No it doesn't. It downloads to ~/Desktop by default. You have to change that yourself. (Unless 10.5 has a new folder that 10.4 doesn't)

Re:Secure from the ground up! (2, Informative)

Jabrwock (985861) | more than 6 years ago | (#23753699)

Yes, the "Downloads" folder was introduced in 10.5.

Re:Secure from the ground up! (1)

@madeus (24818) | more than 6 years ago | (#23753775)

In Mac OS X 10.5 downloads are placed in ~/Downloads, and a shortcut to the downloads folder is automatically created in the Dock.

You can read about this functionality here [apple.com] .

It's been out since last year, which in Mac OS X release terms is quite a while (10.6 seeds are just being released). It would be wise to upgrade when updates for Mac OS X are available, there is a real point to upgrading, both for developers and end users, particularly because of the number of under the hod improvements each release has seen.

Re:Secure from the ground up! (0)

Anonymous Coward | more than 6 years ago | (#23753779)

10.5 does indeed have a ~/Downloads directory, and that is where downloads go by default. It also puts them in the downloads "stack," which is quite convenient.

Re:Secure from the ground up! (0)

Anonymous Coward | more than 6 years ago | (#23754899)

Yes, it does. Running 10.5 here, everything from safari goes to Downloads by default.

Re:Secure from the ground up! (0)

Anonymous Coward | more than 6 years ago | (#23753861)

Well, fair point. Safari's flaw is giving Windows a connection to the internet. That's glib, but I have to ask how much responsibility a third-party application is supposed to have for how Windows works. Keeping away from politics just for a moment, is there anything like a generally-agreed technical reasoning, and precedence, for how responsibility should be divided here?

I'm looking at it as: Application A downloads package but does not run it. Application B auto-runs it. Package p0wns system.

How do you logically decide A or B has a security flaw? Or the system? Or a security application C?

Re:Secure from the ground up! (2, Insightful)

mweather (1089505) | more than 6 years ago | (#23753995)

In this case Application B and the system are one in the same.

there are two problems (1)

Yaur (1069446) | more than 6 years ago | (#23761055)

Application A shouldn't download it without asking the user.
Application B is not setting its working directory correctly.

Re:Secure from the ground up! (0, Redundant)

Entropy2016 (751922) | more than 6 years ago | (#23752745)

Maybe it's just me, but this looks like it's just Safari for Windows. I tried to click on the live example and it just downloaded an exe file.

Re:Secure from the ground up! (0)

Anonymous Coward | more than 6 years ago | (#23753019)

Mod parent down -1, idiot.

Wrong section, eds! (4, Informative)

himself (66589) | more than 6 years ago | (#23752865)

This is a _Windows_ Safari problem, not an _OS X_ Safari problem. And yes I RTFBlogPost.

Re:Wrong section, eds! (4, Informative)

Qwerpafw (315600) | more than 6 years ago | (#23753275)

It's a Windows Internet Explorer problem, not a Mac OS X Safari problem.

the "bug" is that Safari has the users desktop as the default download directory, and will automatically download files if you go to some websites. This is normal and fine behavior. The problem is that Internet Explorer loads files from the desktop on launch, which means if you craft a malicious library and put it on the desktop Internet Explorer will happily load it.

Microsoft should fix IE to avoid loading files from the Desktop.

Re:Wrong section, eds! (3, Insightful)

oyenstikker (536040) | more than 6 years ago | (#23753573)

"This is normal and fine behavior."

No, it isn't.

Re:Wrong section, eds! (1)

IntlHarvester (11985) | more than 6 years ago | (#23753867)

Even aside from the IE issue and "carpet bombing", silently downloading things to the desktop makes it very easy to create a hack such as a fake "My Computer.exe" icon.

It really is bad UI behavior (on both Mac and Windows).

Re:Wrong section, eds! (1)

ProfessionalCookie (673314) | more than 6 years ago | (#23760283)

Silent is a misnomer. Safari opens it's download manager and starts its work. The other option is to do the whole OPEN or SAVE dance...and then open the download manager.

Re:Wrong section, eds! (1)

IntlHarvester (11985) | more than 6 years ago | (#23760345)

The download manager stays in the background and does nothing to notify the user, so it is effectively silent.

And yes the "Open/Save Dance" is exactly what is supposed to happen before files are saved to the disk.

Re:Wrong section, eds! (2, Insightful)

Khyber (864651) | more than 6 years ago | (#23753879)

No, the problem is that Safari doesn't utilize the functionality Windows has for marking files as safe or unsafe when it downloads something, thus allowing IE to open said files.

Safari isn't implementing the basic security that is implemented in Windows.

Re:Wrong section, eds! (2, Informative)

gerardrj (207690) | more than 6 years ago | (#23756657)

Marking the file safe or unsafe will likely not fix the issue. You aren't launching the DLL and IE isn't "opening it" like it would a bookmark or web archive or .jpg. It's including the DLL's code in to the execution environment of the parent process (IE) and thus bypassing any unsafe filesystem flag.

Then again, maybe I'm wrong. If you download and install a printer driver, are you warned the driver is unsafe the first time your try to print?

Re:Wrong section, eds! (1)

Khyber (864651) | more than 6 years ago | (#23760705)

I'm warned the driver is unsafe if it's not signed upon installation, BEFORE I ever print.

Also, IE's behavior for anything unsafe (Unless you SPECIFICALLY changed the setting in options) is to ask you or outright deny it, without regard to the parent process. Has been since IE5.5.

Re:Wrong section, eds! (1)

gerardrj (207690) | more than 6 years ago | (#23761063)

During the installation program's operation and printer setup process, yes.

The process described is providing a raw DLL file that is being included from an insecure location without any verification, authorization or authentication.

This has been verified by another poster in another thread: download the file with IE and put it on the desktop and the next time you launch IE, the exploit it enabled.

Re:Wrong section, eds! (4, Informative)

Chas (5144) | more than 6 years ago | (#23754425)

No. It's a problem with Windows Internet Explorer that's exacerbated by a problem with Windows Safari.

Safari should NOT be auto-dumping files onto the Windows desktop. PERIOD.

There's enough blame to go around everywhere.

Re:Wrong section, eds! (3, Informative)

ClassMyAss (976281) | more than 6 years ago | (#23759029)

Safari should NOT be auto-dumping files onto the Windows desktop. PERIOD.
Totally agreed. I'd go further - no website should be able to trigger any action on my computer that persists after I close the damn browser window without my explicit permission, apart from saving cookies and leaving an entry in my history log (even then, only if I've enabled both of these things).

That said, IE is worse here - downloading files without my permission is bad form, but a pre-installed system app loading DLLs from any old place that it finds them, especially one of the most common places to dump downloaded files, is just idiotic.

Shame on all.

Re:Wrong section, eds! (0)

Anonymous Coward | more than 6 years ago | (#23755887)

perhaps people running windows should stick with their own kind! What are they thinking, encouraging apple to come on to their PCs. Its bad enough having itunes on almost every PC...

Re:Wrong section, eds! (0)

Anonymous Coward | more than 6 years ago | (#23757743)

Mod parent down! If automatically downloading files is normal and fine, how do you like some websites scatter your desktop and personal directories with zillion random junks?

Now this is carpet bombing! A Safari bug!

Correct section, eds! (0)

Anonymous Coward | more than 6 years ago | (#23753311)

The section is not "OS X". It is "Apple", the folks who make Safari.

Re:Correct section, eds! (1)

Darkness404 (1287218) | more than 6 years ago | (#23753781)

But you *need* IE for the attack to be successful, its as much if not more of a MS/IE problem then an Apple/Safari problem. Granted, Safari is needed for the attack, but it is IE that executes the attack much as if downloading something in Firefox and then having another program execute it, Firefox is needed but it isn't as much of Firefox's problem then the other software.

Re:Correct section, eds! (0)

Anonymous Coward | more than 6 years ago | (#23753893)

That's right. Safari is needed for the attack. Hence the Apple section. That's all I was saying.

BTW, this either/or bickering of one camp saying "It's IE's fault", and the other camp saying "It's Safari's fault" is really stupid. It is BOTH Microsoft's AND Apple's fault. A pox on both their houses for this one.

Re:Wrong section, eds! (1)

ruinevil (852677) | more than 6 years ago | (#23754823)

Read the bolded text over there to your left. It says Apple, not OS X. Safari is made by Apple, and is needed for the attack. Most Windows users didn't even know what Safari was until it became part of an Itunes update, which was decided by... you guessed it, APPLE.

Don't forget, Firefox/Gecko penetration is a lot lower on Windows than in Mac OS X. Windows users generally don't change their browsers from Internet Explorer.

Quick Workaround... (4, Informative)

Manip (656104) | more than 6 years ago | (#23752885)

Here are two very quick temp' workarounds for the issue.

1) Launch IE from a location other than your desktop (e.g. Start Menu, Quick Launch Tray).

2) Go to Program Files\Internet Explorer, Create Shortcut, and then place that shortcut on your desktop. Make sure the "Start In" setting is set to any location other than your Desktop.

Better yet... (3, Insightful)

HerculesMO (693085) | more than 6 years ago | (#23752945)

Best workaround is to use Firefox.

Re:Better yet... (0, Redundant)

unspokenchaos (1295553) | more than 6 years ago | (#23753623)

i totally agree there are better browsers than IE, period.

Re:Better yet... (1)

IdeaMan (216340) | more than 6 years ago | (#23754491)

Nobody seems to be making the other point:
There's no reason they can't start going after other applications, say Microsoft C runtime, or a host of other system dlls.
In that case it is likely that any application launched could have the problem.

You would deliver the binary attack this way:
1: Download evil comctl32.dll from malicious.nl to \downloads
2: Download Utility.exe from opensource.org to \downloads
3: Run Utility.exe from \downloads
4: Machine is infected
5: P.. nvm.

Solution is to educate users that dlls/ocxs/vbs etc are just as dangerous as .exe files.

Re:Quick Workaround... (4, Insightful)

CastrTroy (595695) | more than 6 years ago | (#23753269)

For me it runs even when launching from the quick launch bar, or from the start menu. For some reason, IE seems to like to load things from the desktop by default. For instance, to change your "view source" application from notepad to notepad++, you can put the following in a notepad.bat file on your desktop.

C:\Program Files\Notepad++\notepad++.exe %1

This problem seems to be two fold. First, Safari will automatically download stuff, to your desktop, without asking you. Secondly, IE will load DLLS from the desktop, just because they happen to have the same name as some other DLL it is looking for. I think the bigger problem here is with IE, because it doesn't matter how the dll got on your desktop, it shouldn't be using it.

Re:Quick Workaround... (2, Interesting)

Khyber (864651) | more than 6 years ago | (#23753913)

Do you know WHY IE likes to load stuff from the desktop?

If you disable active web content on your desktop (thus only allowing .bmp backgrounds, IIRC) I'll bet half this wouldn't happen. IE is integrated into the desktop so for it to run shit from the desktop makes sense.

Re:Quick Workaround... (2, Informative)

Fast Thick Pants (1081517) | more than 6 years ago | (#23754429)

Red herring. It's got nothing to do with "Active Desktop". It's just the way Windows executables typically look for .dll files -- starting with the current directory and then each path listed in the PATH environment var.

In this case the shortcut to IE is launching the program with the user's desktop as current directory. First of all, it shouldn't -- probably it should be one level up from, there, in the user's home directory. Second, MS might want to rethink the way they hunt for .dll files for system-installed apps. Loading them from a user-writable directory is probably a bad idea. Loading them from a location that tends to fill up with random shit is *definitely* a bad idea.

That said, Apple should take initiative here and change the default download directory, especially after the way they hard-sold the Safari installation to so many people to begin with.

Re:Quick Workaround... (2, Interesting)

Fast Thick Pants (1081517) | more than 6 years ago | (#23754559)

In this case the shortcut to IE is launching the program with the user's desktop as current directory.
Hold the phone -- after several tests using CastrTroy's method, it appears that it doesn't matter one lick what the current directory is: IE will always give preference to executables on the desktop. 1) Eating crow and 2) Yikes! I still think Apple will be able to fix this first, and should.

This is a longstanding Windows flaw. (1, Insightful)

argent (18001) | more than 6 years ago | (#23752905)

This is not a security flaw in Safari, it's using what SHOULD be no more than a DOS attack on Safari to make an attack on the longstanding security flaws inherent in the Windows browser-desktop integration. The same flaws can be attacks with minimal social engineering ... convincing a significant number of users to download a file despite any warnings is NOT a hard process... the majority of malware over the past decade that have used related flaws in the Windows security model have managed to propagate using social engineering tricks.

I am still boggled by the fact that Microsoft didn't fix the deep problems here ten years ago.

Re:This is a longstanding Windows flaw. (1)

A beautiful mind (821714) | more than 6 years ago | (#23753043)

I am still boggled by the fact that Microsoft didn't fix the deep problems here ten years ago.
The simple solution would be to provide a damn package manager, with public repositories and trustworthy install mechanism. People need to be educated out of grabbing any software from third party sources, unless they can't find it in the repository and they really need it and verified that it's a legitimate copy from a legitimate source.

Re:This is a longstanding Windows flaw. (1)

initdeep (1073290) | more than 6 years ago | (#23753045)

Well killing off stupid users is sort of self defeating isn't it?

Re:This is a longstanding Windows flaw. (5, Insightful)

brunascle (994197) | more than 6 years ago | (#23753241)

I'd say it is a security flaw in Safari, but for different reasons. As the same blog explains [fc2.com] , you could have Safari download an executable to the desktop that pretends to be e.g. Internet Explorer. If they normally launch IE from the desktop, they could click the fake IE next time, running arbitrary code.

Re:This is a longstanding Windows flaw. (1)

argent (18001) | more than 6 years ago | (#23753731)

As the same blog explains, you could have Safari download an executable to the desktop that pretends to be e.g. Internet Explorer. If they normally launch IE from the desktop, they could click the fake IE next time, running arbitrary code.

Yes, that's a standard part of a social engineering attack. This does make social engineering attacks easier, and should be fixed (let's start by downloading to something like %PROFILE%\Downloads instead of the Desktop). This is similar to the problem where Safari on OS X will install Dashboard widgets for you... that should not be possible.

But next to having downloaded files execute automatically? That's a minor issue.

Re:This is a longstanding Windows flaw. (2, Informative)

Sloppy (14984) | more than 6 years ago | (#23754495)

you could have Safari download an executable to the desktop that pretends to be e.g. Internet Explorer. If they normally launch IE from the desktop, they could click the fake IE next time, running arbitrary code.

I'd call that a fundamental flaw with the Windows environment itself. It sounds like this "desktop" thing is used as both a temporary scratchpad for miscellaneous data from arbitrary untrusted sources, and as a repository for locally trusted executables. Someone at Microsoft needs to get it straight in their head, and figure out just what this "desktop" thing is for.

When I think of my experience with Unix-type systems, I don't think it has ever occurred to me to put PATH=/tmp in my .bashrc. I think I have done dumb things like PATH=. back in the 1980s when I was young and foolish and didn't know better, though. Personally, I think it's delightful that a bunch of teenage amateurs are trying to create an operating system. So what if they haven't yet learned what everyone else had known for decades? Let's not discourage their creativity with our stodgy pragmatism. Maybe some day it will really pay off. If they really think it all through and work hard, 2009 could be the year of the Windows desktop.

Re:This is a longstanding Windows flaw. (1)

menace3society (768451) | more than 6 years ago | (#23754569)

Or, it could be a security invulnerability in Safari. Think about it: if everyone set up their websites so the latest Windows patches and a free anti-virus program would automatically download to the desktop and run the next time IE was opened, we could take down all the botnets and malware!

Re:This is a longstanding Windows flaw. (2, Insightful)

anomaly256 (1243020) | more than 6 years ago | (#23753557)

Just FYI, it's not the browser-desktop integration causing the problem with IE, it's how the win32 dynamic linking mechanism works

Re:This is a longstanding Windows flaw. (2, Insightful)

argent (18001) | more than 6 years ago | (#23753883)

Is it this one? "While trying to load some of those files, it does not provide the full path of the DLL file to the function which loads the DLL file to the memory, and therefore Windows will search for this file in the user's machine using the directories provided in the PATH environment variable, and will load the first match it will found."

If so, why is %PROFILE%\Desktop in %PATH%?

Oh, no, it's this one: "While this is true, the behavior of the "DLL Search Order" (when it's disabled) is to look for the DLL in the current directory, right after the Internet Explorer's directory. As most users execute Internet Explorer from the Desktop, the current directory will be of course the user's Desktop (see screenshot below)."

Why is Internet Explorer's current directory the desktop?

It's not because Internet Explorer is in %PROFILE%\Desktop, because it isn't.

It's not because Internet Explorer is a shortcut on the Desktop, because that would run it with the current directory in the destination directory of the shortcut.

Perhaps it's because the Internet Explorer icon on the desktop is a special case, because of the browser-desktop integration?

Nah, that's crazy talk.

Re:This is a longstanding Windows flaw. (1)

Kalriath (849904) | more than 6 years ago | (#23755201)

Perhaps it's because the Internet Explorer icon on the desktop is a special case, because of the browser-desktop integration?

Nah, that's crazy talk.
You're right. It is. If you set Firefox to be your Internet icon (from "Set Program Access and Defaults") Firefox could potentially do exactly the same thing - because the Internet icon is a special case (like My Computer, Recycle Bin, My Network Places, and My Documents).

The same issue could be raised using Windows Explorer (which has no integration with Internet Explorer).

Re:This is a longstanding Windows flaw. (1)

argent (18001) | more than 6 years ago | (#23755437)

the Internet icon is a special case (like My Computer, Recycle Bin, My Network Places, and My Documents).

Which is to say that it's the fault of browser-desktop integration, yesno?

Re:This is a longstanding Windows flaw. (1)

Kalriath (849904) | more than 6 years ago | (#23757041)

No. It's nothing to do with browser-desktop integration. Especially since the browser does not integrate with the desktop (though Explorer will render a single Shell Document Viewer interface on the desktop if Active Desktop is enabled).

Re:This is a longstanding Windows flaw. (1)

argent (18001) | more than 6 years ago | (#23757237)

Tell me, Mister Bones, when did they make Internet Explorer a special case on the desktop?

Why, it was in 1997, when they started the whole browser-desktop integration mess.

Without that, they wouldn't have had any reason to treat it any different from any of the other apps they included on the desktop by default.

Especially since the browser does not integrate with the desktop

That's not what "browser-desktop integration" refers to.

Re:This is a longstanding Windows flaw. (1)

pauljlucas (529435) | more than 6 years ago | (#23754711)

I am still boggled by the fact that Microsoft didn't fix the deep problems here ten years ago.
Why? Microsoft has the dominant market share. They got there (and are remaining there) even with the bugs, so there's really no incentive for them to devote developers' time to fix the bugs. Until their myriad of bugs start to erode their market share in a serious way, nothing will change.

Re:This is a longstanding Windows flaw. (1)

argent (18001) | more than 6 years ago | (#23755399)

Every time I think I'm a cynical bastard some cynical bastard comes along and one-ups me.

Best Solution (2, Interesting)

Skye16 (685048) | more than 6 years ago | (#23753073)

Clearly the quickest way we can get Apple to fix this is to host this attack on all of our own websites, with the .exe in question being the uninstall program for Safari.

As soon as the attack centers on an Apple product, they'll start moving their ass. Until then, it's "not [their] problem".

Re:Best Solution (2, Insightful)

Entropy2016 (751922) | more than 6 years ago | (#23753129)

It's something Microsoft has to fix. The article is your friend.

Re:Best Solution (2, Informative)

Skye16 (685048) | more than 6 years ago | (#23753443)

I'm sorry, but allowing a malicious website to provide hundreds or thousands of executables on my desktop is *still* an Apple bug. What's worse, it's the root cause. Yes, Windows and IE have a flaw that allow that file to be executed, but it wouldn't be there in the first place - especially in such quantity - if the flaw in Safari didn't exist first.

As you say, the article is your friend.

"The Safari bug, originally disclosed on May 15 by security researcher Nitesh Dhanjani, allows attackers to litter a victim's desktop with executable files, an attack known as "carpet bombing.""

Re:Best Solution (2, Insightful)

oahazmatt (868057) | more than 6 years ago | (#23753787)

Half of the problem is with Safari, the other half is with IE. Let's give credit where credit is due.

If it weren't for Safari downloading the files to the desktop by default, they wouldn't get there.

If it weren't for IE opening these files from the desktop by default, they wouldn't open.

Now, if you'll excuse me, I'd like to feel completely secure. I'm going to go install my old copy of OS/2 Warp v3 and Netscape Communicator.

Re:Best Solution (1)

Khyber (864651) | more than 6 years ago | (#23753943)

No, the TOTAL problem is with Safari, which refuses to use Windows' ability to mark files as safe or unsafe after being downloaded. If Safari utilized that feature, this wouldn't happen in this particular fashion.

Re:Best Solution (1)

Doctor_Jest (688315) | more than 6 years ago | (#23754885)

Then why isn't Windows doing it itself? Regardless of browser used.

Would this happen with Firefox? Would this happen with Seamonkey? I'm just wondering... I don't honestly know, because I don't use Windows...

It doesn't seem like Safari would turn off such a feature...

Re:Best Solution (1)

Kalriath (849904) | more than 6 years ago | (#23755231)

The browser must do it itself, by writing an Alternate Data Stream (ADS) with the Zone Identifier (3 for Internet) the file came from.

Re:Best Solution (1)

PC and Sony Fanboy (1248258) | more than 6 years ago | (#23755911)

It doesn't seem like Safari would turn off such a feature...
Yes, clearly, this is something apple would NEVER try to do... you know, apple is against crippling competition. They're all about interoperability.

They've even decided to let us use exchange on the new iphones!

Re:Best Solution (1)

Doctor_Jest (688315) | more than 6 years ago | (#23758065)

...Just like Microsoft?

Re:Best Solution (1)

SanityInAnarchy (655584) | more than 6 years ago | (#23759795)

Then why isn't Windows doing it itself? Regardless of browser used.
Because an OS has no concept of a "download". All Windows knows is that some program (probably called safari.exe) is pulling bits in from the Internet, and writing them to disk. For all it knows, this is a logfile, or a cached certificate, or anything.

It doesn't seem like Safari would turn off such a feature...
No, it just didn't turn the feature on.

Re:Best Solution (2, Informative)

ClassMyAss (976281) | more than 6 years ago | (#23759087)

Someone else posted somewhere here that it doesn't matter if the file is marked or not, and that if you download the file from IE or Firefox it is STILL picked up and loaded from the desktop by IE. Sounds like part of the problem is that dll's aren't being checked for safety before loading; whether this is a general "feature" in Windows or something IE specific, I have absolutely no idea, I haven't used Windows in a while so I can't check myself...

Re:Best Solution (0)

Anonymous Coward | more than 6 years ago | (#23754959)

Less filling!

Re:Best Solution (0)

Anonymous Coward | more than 6 years ago | (#23755129)

Tastes great!

Re:Best Solution (0)

Anonymous Coward | more than 6 years ago | (#23753829)

It's something Microsoft has to fix. The article is your friend.
I don't know of any other browsers that allow a malicious website to dump a shiteload of crap on my desktop. Sounds like a browser problem.

Re:Best Solution (2, Insightful)

Entropy2016 (751922) | more than 6 years ago | (#23754563)

The person I was responding to was talking about executing unauthorized exe on on another person's computer (to uninstall Safari). That part of the attack is a Windows+IE issue that Microsoft has to fix.

Sure, Safari (on Windows) can carpetbomb & spam your desktop. That's potentially annoying (but ultimately doesn't harm your system).

There's a distinction between Safari "making available" the malicious executable versus it actually being executed, which like I was saying, the person I was responding to was talking about.

Dear Apple, Please stop sucking (1, Insightful)

sootman (158191) | more than 6 years ago | (#23753471)

Why oh why, in two-thousand-freaking-whatever, do we still have issues like this? It's bad enough that Apple has "Open 'safe' files after downloading" enabled by default (and yes, they are the ones who put 'safe' into quotes, so it's not like they don't know) and being set to download files without prompting for confirmation is just as bad. We're getting into MS "Hey, let's automatically run attached executables!" territory here. Internet-related things need to be secure by default, period. (Yes, I know 'secure' is not a single magical setting, but if the choice is between "convenient, but obviously a potential attack vector" and "has at least one step between 'click' and 'pwn3d!' " then the default setting should be for the more secure of the two.)

Re:Dear Apple, Please stop sucking (2, Informative)

Anonymous Coward | more than 6 years ago | (#23753713)

First, read the article.

Second, this is about a Windows flaw that Safari has not addressed (rather Apple) in its current iteration. Apple's browser can be considered a "patsy" in this... and MS is trying to pass the buck (so to speak.)

Third, the "open safe files after downloading" is old news. Get a new schtick. ;)

And Fourth, grow up. This isn't about Apple's security, it's about Microsoft's... and Apple's inability to prevent "stupid is as stupid does" on a Windows machine. They're good... just not miracle workers. ;)

Re:Dear Apple, Please stop sucking (1)

sootman (158191) | more than 6 years ago | (#23757805)

First, I did read the article. In fact I read the first article [dhanjani.com] last month.

Second, how is "Safari will gleefully download whatever the hell you throw at it" not an Apple issue? IE doesn't do this. Firefox doesn't do this. It only happens with Safari. How again is this not Apple's fault? True, it's up to IE to run the files, but it's Safri that allows them to be put there in the first place. I'd say both are equally to blame.

Third, it's "old news" but it's still happening and it's still stupid. If there was a murderer loose in your neighborhood for a year, would you tell your wife "Don't worry honey, that's old news"?

Fourth, nice ad hominem. Let me repeat this: the files wouldn't be there for IE to execute if Apple's product didn't put them there in the first place. Ooh, yeah, Apple devs have to be real fucking miracle workers to make a preference checkbox NOT CHECKED BY DEFAULT. (OK, this isn't a switchable preference, but it would be the very definition of "trivial" to a) not make the app download by default, b) pop up a dialog saying "where do you want to save this file?", and, if they wanted to get really fancy, c) make this a changeable preference.)

Re:Dear Apple, Please stop sucking (1)

anomaly256 (1243020) | more than 6 years ago | (#23753815)

Silly mods. This may be flamebait, but it's far more insightful than it is incite-full ;) I vote for a re-tag.

More FUD (0)

Anonymous Coward | more than 6 years ago | (#23753715)

For crying out loud:

This is Windows-only.

The Safari problem only enables littering the desktop with files.

It's the WINDOWS and IE problem that enables running unauthorized software.

So, bottom line, if you're using a Mac, you're still just fine.

Conspiracy?? (1)

FataL187 (1100851) | more than 6 years ago | (#23753727)

Sounds like a "Feature" to me.. If Apple is adding exploits to the "PC" then they get to make more commercials about how insecure windows is.

MSFT needs to fix this ASAP (2, Interesting)

aristotle-dude (626586) | more than 6 years ago | (#23754153)

Having Apple change the default location from ~/Desktop to something else only for windows would not solve the real problem. The real problem is that windows should be doing the flagging of the file as potentially unsafe and IE should not be loading DLLS placed on the desktop regardless of how they got there. It is not the responsibility of the browser to flag it a file as potentially unsafe. Windows should either provide a well documented API for setting an unsafe flag on downloads separate from any IE/IE7 code or windows should be monitoring downloads and flagging them.

Regardless of what the default is in Safari or even Firefox, a user can still change that default to anything they want including the desktop.

As others have pointed out, the downloads folder is a Leopard specific feature used by Safari when running under Leopard and the executable warning thing is also a Leopard feature.

Who uses safari for windows and IE? (3, Interesting)

wattrlz (1162603) | more than 6 years ago | (#23754595)

Personally I think the bigger issue is that Safari will auto-download, auto-mark-safe, and auto-run files silently. IE's broken too, but either one of the players involved could render this exploit moot. Let's see who responds first before stoning someone to death.

I still don't see why someone would be browsing around in safari and then open up IE. A regular user's likely to only use his favorite browser and a dev who needs to view the same site in multiple browsers would probably notice that there're a bunch of new .dll files all over the desktop.

Re:Who uses safari for windows and IE? (2, Interesting)

mkramer (25004) | more than 6 years ago | (#23755685)

Who uses safari for windows, period?

But on my PC, I have mozilla as my default browser, but Picasa and Visual Studio still insist on using IE when it needs to do web stuff. I'm sure I could override that, but I haven't bothered.

IE being the system's browsers leaves it easy to be accidently opened, methinks.

But I'm in agreement that if Windows provides a mechanism for marking files as unsafe, it's Safari's fault for not taking advantage of that. Apple can't blame Microsoft of being at fault if they're not using the security mechanisms that Microsoft has put in place.

Re:Who uses safari for windows and IE? (0)

Anonymous Coward | more than 6 years ago | (#23759059)

Of course marking it as unsafe doesn't actually cause IE not to load it. So it is Microsoft's fault.

Reminds me of an old security issue... (1)

SanityInAnarchy (655584) | more than 6 years ago | (#23759839)

On Linux, $PATH generally only includes system directories, like /bin, /sbin, etc -- places only root can write to. Occasionally, it will add ~/bin, which the user can write to -- but which no sane browser would download to by default.

In the Windows command prompt -- and I bet this behavior is inherited from DOS -- the current directory is included in the path. I'm pretty sure it's implicitly included -- that is, no way to disable it by editing %PATH%.

My understanding is, the main reason PATH works this way is to make it always safe to be in a working directory. That is, "cd foo; ls" should always be safe. If you have '.' in the PATH, it's not safe to do this in a directory writable by people you don't trust -- they could always create a file named 'ls' which you would then run.

This just seems like a variation of the same -- it might make sense to look for DLLs in the directory containing the EXE, but I don't think it makes sense to look for DLLs in the current working directory.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>