“The Windows version of Safari has a bug that’s been dubbed the “carpet
bombing” flaw. It would allow a Web site to place an infinite number of
shortcuts on a user’s desktop — the default download location in the
Windows version — effectively covering the screen with links to
potentially harmful Web sites or code. The same flaw exists in the Mac
version, except that the default download location in the Mac OS is the
user’s downloads folder.”
Security researcher Nitesh Dhanjani, who found this flaw, contacted Apple about it, and got this reply :
“…the ability to have a preference to “Ask me before downloading
anything” is a good suggestion. We can file that as an enhancement
request for the Safari team. Please note that we are not treating this
as a security issue, but a further measure to raise the bar against
unwanted downloads. This will require a review with the Human Interface
team. We want to set your expectations that this could take quite a
while, if it ever gets incorporated.”
So, apparently, Apple doesn’t feel that this could be harmful in any way.
What would you think if Safari let your desktop look like this, and get covered in spam, viruses, and other junk?
(Image from Dhanjani)
“Now, Microsoft has issued a security alert
regarding the flaw, calling it a “blended threat.” Microsoft isn’t
supplying technical details about just how the threat works, but does
provide some basics:
What causes this threat?
combination of the default download location in Safari and how the
Windows desktop handles executables creates a blended threat in which
files may be downloaded to a user’s machine without prompting, allowing
them to be executed. Safari is available as a stand-alone install or
through the Apple Software Update application.
What might an attacker use this function to do?
attacker could trick users into visiting a specially crafted Web site
that could download content to a user’s machine and execute the content
locally using the same permissions as the logged-on user. “