You've probably heard of the current problem with Safari running under Windows. It's basically a trivial method to "carpet bomb" a user's desktop (or other folder) with files.
Now, as far as I can tell, it's not a way to actually execute code on a user's system. It merely provides the ability to put tons of files on a system, which could then be executed.
However, according to Nitesh Dhanjani, who discovered the exploit, Apple believes this is not an issue and won't be fixing it.
"...the ability to have a preference to "Ask me before downloading anything" is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated." [Emphasis mine]
Nitesh goes to great pains to emphasize that Apple has been extremely responsive and a great pleasure to deal with. And I have no doubt that they have been; Apple is comprised of a great deal of very nice, very smart people.
But maybe they don't understand the Windows environment, in the broadest sense. They've shown they don't understand the mores of Windows users, by forcing out security updates that include an unrelated application. And maybe they don't understand our security environment. Perhaps life has been so pleasant in Apple Land that it's like taking someone from the back-country and throwing them into the hardest areas of New York.
Anyone who has ever seen an infected spyware system knows what the desktop looks like: it's a sea of icons providing shortcuts to various dubious sites. This method provides exactly that type of capability: a malware author can push all kinds of junk onto a desktop, saying "Click me for special savings!", and it could very well be malware.
But you'd have to have gone through that to understand how bad a "carpet bomb" can actually be. Perhaps Apple folks have been living in a bubble and simply haven't seen this thing.
I hope this is fixed soon. Thankfully, Safari's usage is still under 3%.
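Since the post describes the symptom rather than the mechanics, the one thing a defender can act on is the signature it leaves behind: a burst of files, many of them shortcuts or executables, landing in a user folder within seconds, with no download prompt. The following is an added example (mine, not from this post, Nitesh Dhanjani's advisory, or Apple) of a small detection heuristic over folder metadata. The window and threshold values, the extension list, and the sample file names are all constructed for illustration.

```python
"""Flag 'carpet bomb' style bursts of file creation in a user folder.

Added example: a sliding-window heuristic over (path, creation-time) records.
Thresholds and the extension list are assumptions chosen for this demo.
"""
import os
from collections import namedtuple

FileEvent = namedtuple("FileEvent", "path created")  # created = epoch seconds

# Extensions a user would not expect to appear on the desktop unprompted.
# Heuristic list for this example only.
SUSPECT_EXT = {".exe", ".lnk", ".url", ".scr", ".bat", ".cmd", ".hta", ".js", ".vbs"}


def find_bursts(events, window=10.0, threshold=20):
    """Return the set of paths that belong to any burst.

    A burst is `threshold` or more files created inside any `window`-second
    span. Sliding window over events sorted by creation time.
    """
    evs = sorted(events, key=lambda e: e.created)
    flagged = set()
    start = 0
    for end in range(len(evs)):
        # Shrink the window from the left until it spans <= `window` seconds.
        while evs[end].created - evs[start].created > window:
            start += 1
        if end - start + 1 >= threshold:
            flagged.update(e.path for e in evs[start:end + 1])
    return flagged


def classify(events, window=10.0, threshold=20):
    """Split burst members into 'all files in a burst' and 'clickable/suspect'."""
    burst = find_bursts(events, window, threshold)
    suspect = {p for p in burst if os.path.splitext(p)[1].lower() in SUSPECT_EXT}
    return {"burst": burst, "suspect": suspect}


def scan_directory(folder):
    """Collect FileEvents for a real folder (e.g. a user's Desktop).

    Note: st_ctime is creation time on Windows but inode-change time on
    POSIX, so on non-Windows hosts this approximates 'when it appeared'.
    """
    events = []
    with os.scandir(folder) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False):
                events.append(FileEvent(entry.path, entry.stat().st_ctime))
    return events


# Constructed sample: two ordinary files from earlier in the day, then 25
# shortcut files dropped within about four seconds (a simulated carpet bomb).
SAMPLE = [
    FileEvent("C:/Users/alice/Desktop/report.docx", 996_000.0),
    FileEvent("C:/Users/alice/Desktop/notes.txt", 996_500.0),
] + [
    FileEvent(f"C:/Users/alice/Desktop/special_savings_{i}.lnk", 1_000_000 + i * 0.15)
    for i in range(25)
]


def demo():
    """Run the heuristic over the constructed sample and return the verdict."""
    return classify(SAMPLE)


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['burst'])} files in a burst, "
          f"{len(result['suspect'])} of them clickable shortcuts/executables")
    for p in sorted(result["suspect"])[:5]:
        print("  ", p)
```

To run it against a live machine, replace `SAMPLE` with `scan_directory(os.path.expanduser("~/Desktop"))`; the two legitimate files in the sample are deliberately outside the window so the test below confirms they are not swept into the burst.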
Alex Eckelberry