
http://www.macnn.com/articles/08/05/20/safari.carpet.bomb.attack/

"Safari Carpet Bomb" attack possible

updated 06:55 pm EDT, Tue May 20, 2008



A large security hole in the Windows version of Safari has security researcher Nitesh Dhanjani warning that attackers could abuse the browser with what he calls a “Safari Carpet Bomb”. Stop Badware reports that the attack works because Safari does not ask the user's permission before downloading resources: when a page serves content of a type Safari does not render, the browser saves it to disk automatically, so a malicious page can trigger a large number of unwanted downloads. Dhanjani filed a security report with Apple and was met with a rather neutral response:

“We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.”

Stop Badware writes that the issue is larger than Apple gives it credit for, calling the vulnerability a serious security threat.
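The mechanism described above, as an added example that is not part of the MacNN article, of Stop Badware's report or of Dhanjani's write-up: a small Python model of a browser that hands any response it cannot render inline straight to the download path, compared with one that prompts first, run over a constructed page that embeds many hidden iframes. The set of renderable media types, the page itself, the `/payload.bin` path and the `application/octet-stream` response are all assumptions made for the illustration; nothing here contacts a real browser or server.

```python
"""Model of the behaviour the article describes (added example, not the
article's or Dhanjani's code). A browser that cannot render a response
inline hands it to the download path; if that path never asks the user,
a page embedding many such resources writes many files to disk.
All types, URLs and responses below are constructed for illustration."""
from html.parser import HTMLParser

# Media types the modelled browser renders in place. Assumed list; a real
# browser's table is longer, but the decision has the same shape.
RENDERABLE_TYPES = {
    "text/html", "text/plain", "text/css", "application/javascript",
    "image/png", "image/jpeg", "image/gif",
}


def would_download(content_type: str) -> bool:
    """True when a response with this Content-Type goes to the download
    path instead of being rendered (parameters such as charset ignored)."""
    media = content_type.split(";", 1)[0].strip().lower()
    return media not in RENDERABLE_TYPES


class SubresourceCollector(HTMLParser):
    """Collects the URLs a page fetches automatically while loading."""
    FETCHED_ATTR = {"iframe": "src", "frame": "src", "img": "src", "script": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.FETCHED_ATTR.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def subresources(html: str) -> list:
    parser = SubresourceCollector()
    parser.feed(html)
    return parser.urls


def simulate_page_load(html: str, served_types: dict, prompt_before_download: bool):
    """Load `html` against a server that answers each path with the
    Content-Type in `served_types` (default text/html). Returns
    (files_written_silently, prompts_shown)."""
    written = prompts = 0
    for url in subresources(html):
        path = url.split("?", 1)[0]
        if not would_download(served_types.get(path, "text/html")):
            continue
        if prompt_before_download:
            prompts += 1
        else:
            written += 1
    return written, prompts


def carpet_page(n: int, target: str = "/payload.bin") -> str:
    """A page that quietly embeds `n` zero-size iframes pointing at a
    resource the server will not let the browser render (constructed)."""
    frames = "".join(
        f'<iframe src="{target}?{i}" width="0" height="0"></iframe>'
        for i in range(n)
    )
    return f"<html><body><p>Nothing to see here.</p>{frames}</body></html>"


def demo(n: int = 100):
    """Same page, two download policies. The assumed server answers
    /payload.bin with application/octet-stream, which nothing renders."""
    served = {"/payload.bin": "application/octet-stream"}  # constructed
    page = carpet_page(n)
    silent = simulate_page_load(page, served, prompt_before_download=False)
    asking = simulate_page_load(page, served, prompt_before_download=True)
    return {"silent": silent, "prompting": asking}


if __name__ == "__main__":
    # → {'silent': (100, 0), 'prompting': (0, 100)}
    print(demo())
```

The point the model makes explicit is that the prompt does not stop the fetch, only the write: every hidden frame still hits the server under both policies, but only the silent policy leaves a hundred files on disk. It also shows the limit of what the article supports, since the model stops at "file written" and says nothing about whether anything later executes that file.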


by MacNN Staff

Tags: industry, security, software, hacks, Safari

Comments

  1. JohnFromBeyond

    Fresh-Faced Recruit

    Joined: Sep 2007

    0

    the sky is falling

    "carpet bomb"?!? Can we get more sensational than that? Great way to grab some headlines. Next time, try "nuclear holocaust".

    I wonder how long after he submitted the report to Apple before he went for the headlines. Did he give them time to investigate and work up a solution (assuming it was merited)?

  2. DeezNutts

    Fresh-Faced Recruit

    Joined: Apr 2008

    0

    re: the sky is falling


    Well you could have just read the response from Apple to get an idea of what they thought.

    "We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue..."

    Apparently he waited long enough for them to reply.

    He was apparently nice enough to notify them instead of just releasing malicious code based on the 'supposed' exploit.

  3. testudo

    Forum Regular

    Joined: Aug 2001

    -4

    nice

    Apparently Apple doesn't see automatically downloading a large number of files as a problem. Hmmm.

  4. resuna

    Fresh-Faced Recruit

    Joined: Jan 2005

    0

    This is just a DoS

    This is just a DoS attack. Downloading a file is not an exploit: at most downloading a lot of files can lead to your link being saturated and eventually your disk filling up, but you will notice it and you can unilaterally stop it at any time. There are far worse attacks you can pull on a browser... simply opening a bunch of frames and rendering a big HTML file in each will bog a browser down worse than this "attack".

    Oh, should I have notified Microsoft and Firefox and Apple before saying that?

  5. trowelblister

    Fresh-Faced Recruit

    Joined: Dec 2005

    0

    My understanding...

    ...is that yes, Safari does automatically download the files, but it's Microsoft's OS that automatically RUNS the DLL files. Seems Safari's problem may be somewhat minor in comparison.
