
Uh-oh: Safari, IE flaws combine to put Windows at risk!

Opinion and Analysis

Human imagination is a wonderful thing, but unfortunately some have a tendency to use it to devise nasty scenarios. A researcher has mashed up flaws in two different browsers to trigger the execution of remote code on Windows. Let the finger pointing begin!

The bittersweet taste of two-in-one tech terror combines serious flaws in the Safari and IE browsers, and in a nutshell, works by using the recently disclosed 'carpet bomb' flaw in Apple's Safari to get executable code onto the victim's computer, then exploiting an old and unpatched Internet Explorer bug to run the files without the user's involvement.

Carpet bombing was disclosed last month by Nitesh Dhanjani after (he says) Apple told him that his private report would not be treated as a security issue.

Apple: what a shame it has taken an attack devised by a researcher to prove that there’s no flaw worth leaving unpatched.

The problem concerns the action a browser should take when it receives a file that cannot be rendered. Safari assumes that it was something the user requested, and downloads it to the default folder (Downloads on Mac OS X, Desktop on Windows). The alternative is to ask the user if the file should be downloaded - shades of Vista's much-criticised UAC.

How you feel about that depends on how often you download files that won't open in the browser. If you rarely do it, the confirmation dialogue wouldn't appear very often and you would neither find it irritating nor habitually click the OK button without thinking.

However, if you frequently download files that need to be opened in a separate program, such as Office files, then you'll quickly become accustomed to accepting the download and may click OK even when you haven't explicitly requested a file.

Frankly, I don't think it makes much difference whether the browser asks for confirmation when downloading begins, or when a downloaded file is first opened (as happens in Mac OS X). Once you get into the habit of clicking OK, it's not easy to stop and think each time the warning dialogue appears unless it is in particularly unusual circumstances.
