Scott's Web Browsers Blog

By Scott Orgera, About.com Guide to Web Browsers

Safari Carpet Bomb Finally Fixed

Tuesday June 24, 2008

A security flaw in the Safari browser, first revealed last month by researcher Nitesh Dhanjani, gave hackers the ability to download files to a user's desktop without their permission. Initially, Apple's security team did not give the severity of the issue much credence. The company's reaction at the time was surprising, since a little ingenuity and some basic programming skills could allow someone to exploit this flaw in a very dangerous manner. Things got a little dicier two weeks later, however, when Microsoft warned Windows users that this "carpet bomb" vulnerability could be far more serious than most experts originally thought. According to the creators of Internet Explorer, a blended attack combining the Safari flaw with the way the Windows desktop handles executable files could result in arbitrary code execution. These new details sparked a heated debate at the time as to where the fault lay: was it Microsoft's problem, or should Apple be the one to release a fix?

It appears that Apple has stepped up to the plate with Safari 3.1.2 for Windows, which addresses a few security-related issues, including the now-infamous carpet bomb. The flaw was corrected with a two-fold approach. First, Safari now prompts the user before saving any downloaded file. Second, the browser's default download location has been moved away from the desktop. Another vulnerability patched in 3.1.2 involves an unusual situation in which visiting a malicious website located in a trusted Internet Explorer zone could lead to arbitrary code being launched automatically. The problem was that Safari would automatically launch executable files that came from one of IE's trusted zones. This is no longer the case with the latest update, as the browser will not launch downloaded executables without some type of user interaction. Also fixed was Safari's validation of BMP and GIF images which, if exploited correctly, could have led to the unwanted disclosure of memory contents.

Safari 3.1.2, available for Windows only, can be downloaded and installed via Apple's Software Update or directly from their site. Users are encouraged to upgrade to this version immediately.


©2010 About.com, a part of The New York Times Company.

All rights reserved.