Two years after fixing a security bug in the Windows version of its Safari browser, Apple apparently has decided that Mac users can go without a fix.
Apple was initially unimpressed by Nitesh Dhanjani’s work developing what’s known as a “carpet bomb” attack, the security researcher said in an interview Monday. “I told Apple about it two years ago, and they responded back, saying it was more of an annoyance than anything else.”
That turned out to be the wrong assessment. Soon after Dhanjani went public with the flaw in May 2008, another security researcher showed how carpet bombing could be combined with another Windows attack to run unauthorized software on a Windows PC. Apple then shipped a fix for Safari on Windows, but not for Safari on Mac OS X.
Nobody has shown how to do this on the Mac OS X version of Safari, but Dhanjani still thinks Apple should fix the issue on both platforms.
In a carpet bomb attack, the victim visits a malicious Web site, which then starts downloading unauthorized files to the victim’s computer without any sort of approval.
“[W]hile most sane Web browsers warn the end user and ask for explicit permission before saving a file locally, Safari goes ahead and saves the file into the default download location without asking the user,” he said in a blog posting, “even if hundreds of files are served up by the malicious website simultaneously.”
Without conducting another attack, hackers still have no way to run the files on the victim’s computer, but these unauthorized downloads still represent a security risk, Dhanjani said. “In this day and age … the site shouldn’t be able to drop anything it wants into my downloads folder.”
Not everyone agrees, however. Noted Apple hacker Charlie Miller said that Dhanjani’s bug is not serious because there is no second Mac OS X bug that causes downloaded files to be executed. “So basically, a Web site can start to download a bunch of files to your Downloads directory. This isn’t an ideal situation, but then again, I don’t see a lot of harm that comes from it,” he said in an e-mail interview. “Especially, if the alternative is for the browser to nag me every time I want to download something.”
Dhanjani believes Apple hasn’t fixed the issue because it might annoy Mac users. “They’re going after usability,” he said. “Apple wants to make everything so seamless that they don’t want the user to have to go through this extra process.”
Apple did not immediately respond to a request for comment on this story. The company typically does not comment on security issues.
In a May 2008 e-mail message to Dhanjani, viewed by the IDG News Service, Apple’s security team said it would consider adding an “Ask me before downloading anything” preference to Safari. “This will require a review with the Human Interface team,” Apple told the researcher. “We want to set your expectations that this could take quite a while, if it ever gets incorporated.”
Read our full Safari 4.0.1 review