
Two Years Later, Apple Still Won't Fix Safari Hole



The attack vulnerability was fixed for Safari on Windows, but not on Mac OS X

Two years after fixing a security bug in the Windows version of its Safari browser, Apple has decided that Mac users can go without a fix.

Apple was initially unimpressed by Nitesh Dhanjani’s work developing what’s known as a “carpet bomb” attack, the security researcher said in an interview Monday. “I told Apple about it two years ago, and they responded back, saying it was more of an annoyance than anything else.”

That turned out to be the wrong assessment. Soon after Dhanjani went public with the flaw in May 2008, another security researcher showed how carpet bombing could be combined with another Windows attack to run unauthorized software on a Windows PC. Apple then shipped a fix for Safari on Windows, but not for Safari on Mac OS X.

Nobody has shown how to do this on the Mac OS X version of Safari, but Dhanjani still thinks Apple should fix the issue on both platforms.

In a carpet bomb attack, the victim visits a malicious Web site, which then starts downloading unauthorized files to the victim’s computer without any kind of approval.

“While most sane Web browsers warn the end user and ask for explicit permission before saving a file locally, Safari goes ahead and saves the file into the default download location without asking the user,” he said in a blog posting, “even if hundreds of files are served up by the malicious website simultaneously.”

Without conducting another attack, hackers still have no way to run the files on the victim’s computer, but these unauthorized downloads still represent a security risk, Dhanjani said. “In this day and age … the site shouldn't be able to drop anything it wants into my downloads folder.”

Not everyone agrees, however. Noted Apple hacker Charlie Miller said that Dhanjani’s bug is not serious because there is no second Mac OS X bug that causes downloaded files to be executed. “So basically, a Web site can start to download a bunch of files to your Downloads directory. This isn’t an ideal situation, but then again, I don’t see a lot of harm that comes from it,” he said in an email interview. “Especially, if the alternative is for the browser to nag me every time I want to download something.”

Dhanjani believes Apple hasn’t fixed the issue because it might annoy Mac users. “They’re going after usability,” he said. “Apple wants to make everything so seamless that they don’t want the user to have to go through this extra process.”

Apple did not immediately respond to a request for comment on this story. The company typically does not comment on security issues.

In a May 2008 email message to Dhanjani, viewed by the IDG News Service, Apple’s security team said it would consider adding an “Ask me before downloading anything” preference to Safari. “This will require a review with the Human Interface team,” Apple told the researcher. “We want to set your expectations that this could take quite a while, if it ever gets incorporated.”

News submitted by: Shi3ld Cod3r