Apple’s Safari Downloads Websites Resources Without Asking For Permission
According to researcher Nitesh Dhanjani, the Safari browser doesn’t bother to ask for user permission before downloading resources from websites. When it encounters malicious iframes and other scripts, the browser obediently does what the website tells it to do, including downloading a file as many times as the HTML scripts order.
The vulnerability allows miscreants to dump hundreds of malicious files into a user’s default download location (in Windows it’s the desktop and in OS X it’s the download folder). It wouldn’t be hard for a rogue site, for example, to load up a desktop with dozens of booby-trapped “My Computer” icons that look like the real Windows icon and wait for a confused user to accidentally click on them.
When informed of this vulnerability, Apple agreed that it might be good if Safari actually checked with the user before downloading potentially vicious files, but signaled that kind of addition wasn’t much of a priority.
According to Apple’s security team, they are not treating this as a security issue but as a further measure to raise the bar against unwanted downloads. Apple wants to set users’ expectations that this could take quite a while, if it ever gets incorporated. Apple uses its security update mechanism as a way to push Safari on users who have never installed the browser, something that offends the sensibilities of many who believe security update notices should be reserved only for buggy software that presents a clear and present danger – that is, for buggy software that’s already installed.