Safari Carpet Bomb
When you’re writing a web browser, every bug should be considered a security issue. Even if the bug seems simple and inconsequential, chances are someone will try to exploit it to harm users. Nitesh Dhanjani over at ONLamp has a post about three different bugs he has found in Apple’s Safari web browser. Now, to be clear, I’m not deriding Apple for having bugs in Safari. These types of programs are very complicated and never bug free. What I find troubling is their response to the submission. Nitesh says that he submitted all three bugs that he found to Apple, and they responded by saying that they don’t consider two of the bugs a security related issue at this time. I must object loudly to this. Here is the bug:
It is possible for a rogue website to litter the user’s Desktop (Windows) or Downloads directory (~/Downloads/ in OSX). This can happen because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed).
That means that any website can download anything and the user isn’t even notified or asked. How is this not a security issue? A large amount of malware relies on getting an executable onto a machine, and then convincing a user to run on it. How about dropping a worm named Safari.exe, or Word.exe onto someone’s desktop, and the next time they go to open it they infect their machine. Nitesh demonstrates this bug by littering the users desktop with tons of unwanted files. While this is annoying, it’s fairly pointless and obvious. If you think like an attacker for a minute you can come up with more sneaky and nefarious ways to use this hole. I can’t seem to understand why Apple’s security team doesn’t recognize this as a security concern. I mean, it’s sort of their job to look at every bug and see how it can be exploited to cause harm. Nitesh also wanted to congratulate the team on their communication:
Before I get to the details, I want to make it extremely clear that the Apple security team has been a pleasure to communicate with. I sent them a couple of emails asking for clarifications, and they responded quickly and courteously every time
That’s wonderful that they’re talkative, but shouldn’t it bother you that they are dangerously wrong?