Scott's Web Browsers Blog

By Scott Orgera, About.com Guide to Web Browsers

Safari Susceptible to "Carpet Bomb"

Friday May 16, 2008

Security researcher Nitesh Dhanjani has unveiled an interesting security hole in the Safari Web browser. Perhaps even more interesting is Apple's somewhat nonchalant response to the issue. According to Dhanjani, the problem stems from the fact that Safari downloads and saves resources to the local file system without asking the user's permission. He believes this could be exploited by a malicious site, resulting in malware downloaded to the user's computer without their consent.

Dhanjani, who first revealed the issue to Apple privately, suggested that the company incorporate an option in the browser that would prompt the user before downloading anything at all to their hard drive. Although they were in agreement that his suggestion was a good one, Apple does not seem to be in a hurry to implement it. "We can file that as an enhancement request for the Safari team," the Apple security team told Dhanjani. "Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated." These are disturbing words considering that anyone possessing basic HTML and CGI programming skills coupled with bad intentions could easily use this flaw to their advantage.

Another vulnerability Dhanjani reported to Apple was taken a bit more seriously. He claims to have the ability to exploit Safari to remotely steal local files from a user's computer. Scary stuff indeed. Details of this one were kept private and Apple is actively working on a patch. Both of these issues affect Safari versions for OS X as well as Windows.



©2009 About.com, a part of The New York Times Company.

All rights reserved.