Safari Vulnerability: Now a Blended Flavor

Posted by Laureli Mallek Thu, 12 Jun 2008 18:46:00 GMT

I blogged previously about a Safari vulnerability noted by Nitesh Dhanjani. He found that Safari automatically downloads items to a default location, which happens to be the desktop on both Apple and Windows machines. By itself, this vulnerability can be frustrating (by “carpet bombing” your desktop) or dangerous (downloading a cleverly disguised piece of badware). On machines with Internet Explorer, the Safari vulnerability combines with an Internet Explorer vulnerability noted in 2006 by Aviv Raff and a larger problem develops (italic emphasis mine).

The new [2006 to current] version of Internet Explorer is vulnerable to a DLL-load hijacking. When IE7 is executed it will load several DLL files. While trying to load some of those files, it does not provide the full path of the DLL file to the function which loads the DLL file to the memory, and therefore Windows will search for this file in the user’s machine using the directories provided in the PATH environment variable, and will load the first match it will found…

Now, all the attacker has to do to bypass this detection is to put a malicious DLL file (or just a downloader DLL of a malicious file) in one of the PATH directories (e.g. the user’s desktop), and the next time the user will run IE7 the code of the attacker’s file will be executed instead of the original DLL file… I’ve reported this to Microsoft few days ago [in November 2006]. Their response: “If the attacker can put a dll on the box in a location that is in the user’s PATH variable, then they already own the box.

LiuDie Yu proves this type of attack can cause an item to be downloaded by Safari on to the desktop of a Windows machine, perhaps as an “hidden” document which is not displayed on the desktop, and executed as the Internet Explorer application launches. Microsoft has issued a warning about the danger to people running both browsers on their Windows machine. It suggests that users “Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.”

An immediate work-around has been suggested by several sources: change the default download location in your Safari browser to a separate folder for downloaded items. Hopefully Apple and Microsoft will realize that these vulnerabilities do pose a threat serious enough to warrant a patch in the near future.

Posted in all | Tags apple, browser, internetexplorer, safari

Safari Security Questioned; SBW Encourages Action

Posted by Laureli Mallek Mon, 19 May 2008 17:09:00 GMT

You may recall that StopBadware.org recently played a role in successfully encouraging Apple to improve its disclosure in pushing the Safari web browser to users through its Apple Software Update application. Now, Nitesh Dhanjani, a security researcher, writes about his recent interaction with Apple. Dhanjani alerted Apple to several potential issues that he discovered in the company’s web browser, Safari, most notably the potential for a “Safari Carpet Bomb.”

He writes that Safari “cannot be configured to obtain the user’s permission before it downloads a resource,” and provides this example:

Now assume that http://malicious.example.com/cgi-bin/carpet_bomb.cgi is the following:

#!/usr/bin/perl print “Content-type: blah/blah\n\n”

Since Safari does not know how to render content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served.”

CNET commented that files downloaded by Safari to the desktop on Windows, or the Downloads folder on Mac OS, create the potential for multiple files of unknown nature to mingle with legitimate downloads.

The Apple security team replied to Dhanjani’s emails courteously, but making it clear that this is not a security priority for the company:

We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.

Assuming Nitesh’s analysis is accurate, “unwanted downloads,” as Apple calls them, represent a serious security threat to users, who can be easily tricked into executing a malicious file. StopBadware.org believes that users should have control over software being downloaded to their computers, and we encourage Apple to reconsider its stance and treat this as the security issue that it is.

Posted in all | Tags apple, browser, by, download, drive, security