updated 06:55 pm EDT, Tue May 20, 2008
Safari carpet bomb attack
A large security hole in the Windows version of Safari has led security researcher Nitesh Dhanjani to warn that malicious users could exploit the browser with what he calls a "Safari Carpet Bomb". Stop Badware reports that the exploit works because Safari does not obtain a user's permission before downloading resources, a behaviour related to how it handles content-type rendering. Dhanjani filed a security report with Apple and was met with a rather neutral response:
"We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated."
Stop Badware writes that the issue is larger than Apple is giving it credit for, saying that the vulnerability poses a serious security threat.