Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Monday, 02 June 2008 09:41

Uh-oh: Safari, IE flaws combine to put Windows at risk!

Human imagination is a wonderful thing, but unfortunately some have a tendency to use it to devise nasty scenarios. A researcher has mashed up flaws in two different browsers to trigger the execution of remote code on Windows. Let the finger pointing begin!

The bittersweet taste of two-in-one tech terror combines serious flaws in the Safari and IE browsers, and in a nutshell, works by using the recently disclosed 'carpet bomb' flaw in Apple's Safari to get executable code onto the victim's computer, then exploiting an old and unpatched Internet Explorer bug to run the files without the user's involvement.

Carpet bombing was disclosed last month by Nitesh Dhanjani after (he says) Apple told him that his private report would not be treated as a security issue.

Apple: what a shame it has taken an attack devised by a researcher to prove that there's no flaw worth leaving unpatched.

The problem concerns the action a browser should take when it receives a file that cannot be rendered. Safari assumes that it was something the user requested, and downloads it to the default folder (Downloads on Mac OS X, Desktop on Windows). The alternative is to ask the user if the file should be downloaded - shades of Vista's much-criticised UAC.
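One defensive check a Windows user could run against the behaviour just described: take a baseline of the browser's download folder (the Desktop by default for Safari on Windows), then flag any executable files that have appeared since, which is exactly what a silent 'carpet bomb' drop would produce. This is an added example written for this column, not code from the article, Apple or Microsoft; the list of flagged extensions and the temporary folder used in the demo are assumptions.

```python
"""Baseline-diff check for files that turn up in a download folder without
a user-initiated download. Added illustration; folder and extension list
are assumptions, not anything the column or the vendors supply."""
import os
import tempfile
from typing import Dict, List

# Windows file types that run as code when opened or loaded (assumed list).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".hta", ".msi"}


def snapshot(folder: str) -> Dict[str, int]:
    """Map each regular file in `folder` to its size, so a later run can
    tell newly dropped files from ones that were already there."""
    entries = {}
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            entries[name] = os.path.getsize(path)
    return entries


def dropped_executables(baseline: Dict[str, int], current: Dict[str, int]) -> List[str]:
    """Return files present now but absent from the baseline whose final
    extension would execute ('invoice.pdf.exe' still counts as .exe)."""
    flagged = []
    for name in sorted(current):
        if name in baseline:
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTS:
            flagged.append(name)
    return flagged


def demo() -> List[str]:
    """Constructed scenario: baseline an empty download folder, then
    simulate a page silently saving a .txt and a .exe into it."""
    with tempfile.TemporaryDirectory() as folder:
        before = snapshot(folder)
        for name in ("readme.txt", "invoice.pdf.exe"):
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"constructed sample content")
        return dropped_executables(before, snapshot(folder))


if __name__ == "__main__":
    print(demo())  # ['invoice.pdf.exe']
```

Run it periodically against the real download folder and treat any flagged name as something to investigate rather than open.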

How you feel about that depends on how often you download files that won't open in the browser. If you rarely do it, the confirmation dialogue wouldn't appear very often and you would neither find it irritating nor habitually click the OK button without thinking.

However, if you frequently download files that need to be opened in a separate program, such as Office files, then you'll quickly become accustomed to accepting the download and may click OK even when you haven't explicitly requested a file.

Frankly, I don't think it makes much difference whether the browser asks for confirmation when downloading begins, or when a downloaded file is first opened (as happens in Mac OS X). Once you get into the habit of clicking OK, it's not easy to stop and think each time the warning dialogue appears unless it is in particularly unusual circumstances.

So, what is the IE flaw in question, and how should it be dealt with?

The IE flaw was identified and reported "a long long time ago" by Aviv Raff who also realised that it could be combined with carpet bombing.

Microsoft has issued a security advisory on the issue, stating that changing Safari's default download location provides protection from the threat but nevertheless suggests to customers that they "Restrict [the] use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple."

(Here's an opportunity to use that human imagination I mentioned above: what can you do with a web browser other than use it as a web browser?)

Raff believes changing the download location does not protect against the combined vulnerability, and that carpet bombing could be used in conjunction with vulnerabilities in other products.

The good news is that - as far as Microsoft knows - the technique has not been used in real life, but that probably won't last.

How should this be dealt with?

Well, it seems clear to me that the reported IE flaw requires an urgent fix. If it's possible for a browser to automatically trigger the execution of a file in a user-controlled folder, there's something very wrong.

So, does this let Apple off the hook?

No, but it's harder to see what the 'right' answer would be, and I can understand why Dhanjani was warned that a change to Safari based on his report would require the involvement of the company's human interface team.

A preference that prevents Safari from downloading any non-renderable/playable content has been suggested, but what happens when you want to download a program from a developer's web site?

Presumably you'd want that setting to apply only to files downloaded automatically, not those received as a result of clicking on a link. Even that could be troublesome given some web coding practices such as download links that don't point to the file concerned, but to a "thanks for downloading" page that triggers the transfer.

Dhanjani proposed an "Ask me before downloading anything" setting. The trouble with that idea is that as I pointed out earlier, people just become accustomed to clicking OK. That's a problem that dates back to the command line days when systems would ask for confirmation of 'dangerous' commands.

Within a surprisingly short period users became accustomed to typing Enter-Y-Enter instead of Enter alone at the end of those commands. Every so often, you'd do that and then slap your forehead when you realised you'd mistyped the command.

I'm particularly keen to hear what you regard as the correct behaviour for a browser in this type of situation - but please, let's take the "Microsoft sucks" and "Apple sucks" comments as read and concentrate on the issue.

Stephen Withers


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.
