May 29, 2012 - 03:16 PM EDT — AAPL: 571.55 (+9.26, +1.65%) | NASDAQ: 2865.80 (+28.27, +1%)

StopBadware.org coalition calls on Apple to fix Safari ‘carpet bomb’ issue sooner than later

Tuesday, May 20, 2008 · 4:16 pm · 35 Comments

“The Google-backed StopBadware.org coalition has called on Apple to rethink its stance on whether the Safari ‘carpet bomb’ issue reported by Nitesh Dhanjani constitutes a serious security risk,” Ryan Naraine blogs for ZDNet.

“Dhanjani originally discovered than it is possible for a booby-trapped Web site to litter the user’s Desktop (Windows) or Downloads directory (~/Downloads/ in OSX) with executables masquerading as legitimate icons,” Naraine reports.

“Apple has classified Dhanjani’s findings as more of an annoyance than a security risk that requires an immediate patch,” Naraine reports.

“A source tells me that Apple will fix the issue in Safari 3.2, which is slated for release in the summer (September) this year,” Naraine reports. “However, StopBadware.org, a non-profit managed by Harvard Law School’s Berkman Center for Internet & Society and Oxford University’s Oxford Internet Institute, wants Apple to create and distribute a fix to protect end users.”

Full article here.

StopBadware.org’s blog post on the subject here.

MacDailyNews Take: If what Naraine reports is true, Apple, why wait until September to fix what can be fixed today?

Categories: MacDailyNews, News

Thank You for supporting MacDailyNews!

♥ Adobe Photoshop CS6 Extended for Mac - Student and Teacher Edition DVD (65171323) only $249!
♥ Blowout: Apple 15.4" MacBook Pro i7/4Core/2.0GHz/4GB/500GB (MC721LL/A) only $1,549.99 + Free Shipping from MacMall
♥ Mac Madness Save 25% on Parallels Desktop 7!
♥ 15% Off Compatible Ink. 10% Off All Others (excludes OEMs). Free Shipping over $55. Coupon: 123BLOSSOM, Expires 6.18.12
♥ Save up to 60% at the Hammacher Schlemmer Special Values Sale-While supplies last.
♥ Dragon Dictate for Mac 2.5 - New! Simply Smarter Speech Recognition
♥ Up to 30% OFF Accessories from Verizon Wireless
♥ Limited Time Offer: Get free ZAGGsmartbuds when you buy a ZAGGsparq!

Comment Feed

35 Comments

1 2 Next »

coolfactor

Tuesday, May 20, 2008 - 4:27 pm · Reply

MDN:
- what is a carpet bomb?
- how is it invoked?
- how is one detected and stopped?
- how are false-positives avoided (whereby a user downloads lots of files, but it’s mistaken for a carpet bomb)?

Software engineering is not a trivial thing. There’s lots of factors to consider and lots of testing to be done.

Furthermore, why trust the September release as fact? Where’s the proof?
JAYGEE

Tuesday, May 20, 2008 - 4:29 pm · Reply

Safari has always seemed to be a pain in the neck for Apple, but web browsers are usually pain asses, but it’s better than IE for Mac was.
HMCIV

Tuesday, May 20, 2008 - 4:43 pm · Reply

I read the blog post. As a mac user, I don’t get the danger. You have to make a pretty conscious effort to install something from the web.

And carpet bombing is a WWII era tactic. What’s the correlation between that and downloading lots of files because you’re insane about clicking?

I’m cunfoosed.
@Jaygee

Tuesday, May 20, 2008 - 4:43 pm · Reply

I disagree. Safari for me (at least) has been stabile and a very reliable browser. It is my first choice on my Mac and on my work Windoze machine, followed by Firefox.

If Safari was a “pain in the neck” why would Apple offer a version for Windoze? It certainly doesn’t need too.
Cubert

Tuesday, May 20, 2008 - 4:50 pm · Reply

My take on this is that because of the requirement for an admin password, nothing could be installed on your Mac. BUT, we all know Winblows lets anything and everything in like a Jersey girl on a Saturday night. So they are screwed. Pun intended.
@HMCIV

Tuesday, May 20, 2008 - 4:54 pm · Reply

The issue described doesn’t require that the user do anything but click a link – the download will start automatically. If the user doesn’t notice the Downloads window at the time, they may click again and get yet another copy of the file.

I don’t think this constitutes a huge security risk, but it’s certainly an unexpected and possibly worrying (to the user) behavior.

Who hasn’t run into the issue where you click a link expecting it to open in Safari, and nothing happens? Then you check Downloads and… hey, what’s this file doing here? If the user doesn’t connect this to the earlier click, they may worry about where the file came from.
aka

Tuesday, May 20, 2008 - 4:59 pm · Reply

Carpet Bomb, aka Quief.
Ampar

Tuesday, May 20, 2008 - 5:04 pm · Reply

I had a dog that planted carpet bombs.
Mr. Peabody

Tuesday, May 20, 2008 - 5:24 pm · Reply

And while we’re on Safari security: What’s all the hoopla about Safari not being “qualified” for secure online business? I.E., PayPal and others. Is this another ruse by MS partners or is it for real? The double talk by all concerned leaves the end user, i.e. me, completely in the dark. Some postings here a couple of weeks ago claimed that Safari, along with Opera, was in the top three most compliant with regard to what is labeled, web standards. This seems like a major contradiction to me.

If there are general holes in Safari that legitimately inhibit security, especially with regard to ecommerce using browsers, then I think Apple needs to get these fixed now, and needs to let Safari users know that they are working on this stuff now, not sometime this summer. More and more lately many things that I want to do, like work on my website, some ecommerce (buying and selling), are not allowing me to work unless I download Firefox. I don’t want to download Firefox, and I don’t want two or three or four web browsers installed and crawling around in the inner workings of my computer either. I just want to use Safari – period. If this is not doable then I will make a carte blanche switch to Firefox and quit using Safari altogther.
Buster

Tuesday, May 20, 2008 - 5:59 pm · Reply

@Ampar

Unlike you, I had a carpenter dog….did odd jobs around the house.
GizmoDan

Tuesday, May 20, 2008 - 6:00 pm · Reply

I use Safari and love it.

However today I detected something that may help my MacBook toting friends. Whenever the fan runs like crazy on your MacBook, if you don’t need Safari, turn it off, and see how fast your computer cools down. Very fast. The ability to keep multiple websites on multiple tabs “active” at once, even in the background, seems to use a lot of CPU resources. Depends on the websites I suppose.

Try it and see if your MacBook cools down!
Jimbo von Winskinheimer

Tuesday, May 20, 2008 - 6:46 pm · Reply

In response to the MDN take, I think that any software developer must look at a bug and determine if it is a “fix now” bug, i.e. emergency, or if it can wait. It’s not just as simple as plugging in a fix and shipping it out. This one was not deemed an emergency, so it can wait a few months.
Mr. Reeee

Tuesday, May 20, 2008 - 6:50 pm · Reply

Rampant Carpet Munching might be perceived the bigger threat.
Ampar

Tuesday, May 20, 2008 - 6:55 pm · Reply

“I had a carpenter dog”

I hope you didn’t name her Karen.
KillBill

Tuesday, May 20, 2008 - 7:39 pm · Reply

The headline should read:

StopBadware.org coalition calls on….

Microsoft to stop making software sooner than later.

Why subject the world to software that “constitutes a serious security risk” at all?
eMax

Tuesday, May 20, 2008 - 8:25 pm · Reply

So…When was September considered the SUMMER?
Road Warrior

Tuesday, May 20, 2008 - 8:29 pm · Reply

Wow if StopBadware.org considers links this Safari glitch to carpet bombing I wonder what they must think of Vista….total nuclear arsenal just doesn’t quite make it…how about Death Star in range?
6-Ctrl-P

Tuesday, May 20, 2008 - 8:41 pm · Reply

@GizmoDan,
My guess would be that one of the tabs/pages has a Flash program running; usually it will be an ad. I have a site that I go to in order to play a game. The the game is written in Flash and the fan in my MacBook runs like mad, even when the game is doing nothing.

RDM
Buster

Tuesday, May 20, 2008 - 8:56 pm · Reply

Ampar…Why do birds, suddenly appear, everytime, you are near?
Buster

Tuesday, May 20, 2008 - 8:58 pm · Reply

@eMax….two thirds of september is summer.