CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 15th, 2008

Apple’s Safari Downloads Websites Resources Without Asking For Permission

According to researcher Nitesh Dhanjani, Safari does not ask for user permission before downloading resources from websites. When a page contains iframes or scripts that point at downloadable files, the browser does whatever the page tells it to, including saving the same file as many times as the HTML instructs.

The flaw lets miscreants dump hundreds of malicious files into a user's default download location (on Windows, the desktop; on OS X, the Downloads folder). It would not be hard for a rogue site, for example, to litter a desktop with dozens of booby-trapped files whose "My Computer" icons look like the real Windows icon and wait for a confused user to click one of them.

When informed of the issue, Apple agreed that it might be good if Safari checked with the user before downloading potentially malicious files, but signalled that such an addition was not much of a priority.

According to Apple's security team, they are not treating this as a security issue but as a further measure to raise the bar against unwanted downloads, and they want to set users' expectations that it could take quite a while, if it ever gets incorporated. Apple uses its security update mechanism as a way to push Safari onto users who have never installed the browser, something that offends the sensibilities of many who believe security update notices should be reserved for buggy software that presents a clear and present danger, that is, buggy software that is already installed.
