Stephen Withers
Monday, 02 June 2008 10:41
Opinion and Analysis
Page 2 of 3
The IE flaw was identified and reported "a long long time ago" by Aviv Raff, who also realised that it could be combined with carpet bombing.
Microsoft has issued a security advisory on the issue, stating that changing Safari's default download location provides protection from the threat, but nevertheless suggests to customers that they "Restrict [the] use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple."
(Here's an opportunity to use that human imagination I mentioned above: what can you do with a web browser other than use it as a web browser?)
Raff believes changing the download location does not protect against the combined vulnerability, and that carpet bombing could be used in conjunction with vulnerabilities in other products.
The good news is that - as far as Microsoft knows - the technique has not been used in real life, but that probably won't last.
How should this be dealt with?
Well, it seems clear to me that the reported IE flaw requires an urgent fix. If it's possible for a browser to automatically trigger the execution of a file in a user-controlled folder, there's something very wrong.
So, does this let Apple off the hook?
No, but it's harder to see what the 'right' answer would be, and I can understand why Dhanjani was warned that a change to Safari based on his report would require the involvement of the company's human interface team.
A preference that prevents Safari from downloading any non-renderable/playable content has been suggested, but what happens when you want to download a program from a developer's web site? Please read on to page 3.