Safari Carpet Bomb (Update)
I love being right. Remember the Safari carpet bomb I posted about back in April? Remember how Apple said it wasn’t a “security concern” and I scolded them for it? Well, now it’s got interesting.

Apparently there is a known flaw in Internet Explorer that allows a website to execute any program on the user’s desktop without their consent. Normally, this flaw isn’t as much of a concern because all new executables downloaded (by anything but Safari) get marked with an alternate data stream tag that indicates that the file is from the Internet Zone. Any time an application with this tag is opened, the user is prompted and the action must be explicitly allowed. Now when we include Safari’s carpet bombing technique, which downloads an exe without notification or ADS marking, this IE flaw becomes a critical security concern.

This is a great example of what is called a blended threat. Two seemingly innocuous bugs combine to create a gaping security hole. The IE team was not concerned with their bug because there was no way to get an unmarked exe onto the desktop without the user knowing, and the Safari team wasn’t concerned with theirs because you couldn’t execute the exes that it downloaded automatically.
So yeh, here’s the MS Security Advisory.
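The zone marking described above can be audited from the defender's side. The script below is an added example, not part of the original post or any vendor tool: it lists executables in a folder and flags those with no zone tag. It assumes the standard Windows stream name `Zone.Identifier` and its `ZoneId` values (3 = Internet), which the post does not spell out; the function name `Get-ZoneMark`, the parameters and the default extension list are hypothetical.

```powershell
# Added example: find executables that carry no Internet Zone mark.
# Requires Windows PowerShell 3.0+ on an NTFS volume.
param(
    # Folder to audit; defaults to the current user's desktop.
    [string]$Path = [Environment]::GetFolderPath('Desktop'),
    # Assumed list of file types worth checking (the post only mentions exe).
    [string[]]$Extensions = @('.exe', '.scr', '.com', '.bat', '.cmd', '.msi')
)

function Get-ZoneMark {
    param([Parameter(Mandatory)][string]$LiteralPath)
    # Zone.Identifier is the alternate data stream that holds the zone tag.
    $content = Get-Content -LiteralPath $LiteralPath -Stream 'Zone.Identifier' `
        -ErrorAction SilentlyContinue
    if (-not $content) { return $null }   # stream missing or empty
    foreach ($line in $content) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null                           # stream present but no ZoneId line
}

Get-ChildItem -LiteralPath $Path -File -Force |
    Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $zone = Get-ZoneMark -LiteralPath $_.FullName
        [pscustomobject]@{
            File    = $_.FullName
            Created = $_.CreationTime
            ZoneId  = $zone
            # ZoneId 3 = Internet, 4 = Restricted; lower values are local or trusted.
            Status  = if ($null -eq $zone) { 'UNMARKED' }
                      elseif ($zone -ge 3) { 'marked: prompt expected on open' }
                      else { 'marked: local, intranet or trusted zone' }
        }
    } |
    Sort-Object Created -Descending
```

An `UNMARKED` result is not proof of a silent download, since files created locally or copied from unmarked sources also lack the stream; the creation time helps separate the two cases.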