16 May 2008

Apple dismisses Safari download issue

By Matthew Broersma, Techworld

A security researcher has published a demonstration exploit that takes advantage of the download mechanism in Apple's Safari browser to automatically download files onto a user's system.


Nevertheless, Apple said it does not consider the issue a security vulnerability, according to Nitesh Dhanjani, a researcher who currently leads application security efforts at professional services company Ernst & Young.

Enterprises have begun paying closer attention to Safari in recent weeks because of a rise in the browser's market share on Windows. Safari is the built-in browser on Mac OS X.

The problem arises "because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource," Dhanjani said in a recent blog post.

He published a sample cgi script that automatically downloads large numbers of files to Safari's default download directory. "The implication of this is obvious: Malware downloaded to the user's desktop without the user's consent," Dhanjani said.
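The article only says that the script pushes large numbers of files into Safari's download directory without any prompt. From the defender's side, the useful question is how such a burst would look in web-proxy logs. The following Python script is an added example, not code from the article or from Dhanjani; it assumes (my assumption, not stated on the page) that a forced download is delivered as a response carrying an attachment Content-Disposition or a non-renderable content type such as application/octet-stream, and it flags any client that receives several such responses from one origin within a short window. The log lines are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the article). Fields: timestamp,
# client IP, URL, HTTP status, Content-Type, Content-Disposition ("-" if absent).
SAMPLE_LOG = """\
2008-05-16T10:00:00 10.0.0.5 http://news.example.org/index.html 200 text/html -
2008-05-16T10:00:01 10.0.0.5 http://news.example.org/logo.png 200 image/png -
2008-05-16T10:01:00 10.0.0.7 http://evil.example.net/drop.cgi?n=1 200 application/octet-stream attachment;filename=f1.exe
2008-05-16T10:01:00 10.0.0.7 http://evil.example.net/drop.cgi?n=2 200 application/octet-stream attachment;filename=f2.exe
2008-05-16T10:01:01 10.0.0.7 http://evil.example.net/drop.cgi?n=3 200 application/octet-stream attachment;filename=f3.exe
2008-05-16T10:01:01 10.0.0.7 http://evil.example.net/drop.cgi?n=4 200 application/octet-stream attachment;filename=f4.exe
2008-05-16T10:01:02 10.0.0.7 http://evil.example.net/drop.cgi?n=5 200 application/octet-stream attachment;filename=f5.exe
2008-05-16T10:30:00 10.0.0.9 http://files.example.com/report.pdf 200 application/pdf attachment;filename=report.pdf
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, url, status, ctype, cdisp = line.split(None, 5)
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "url": url,
        "status": int(status),
        "ctype": ctype,
        "cdisp": cdisp,
    }


def is_forced_download(rec):
    # Heuristic (assumption): treat a response as a download when it carries an
    # attachment disposition or a content type the browser cannot render inline.
    return (rec["cdisp"].lower().startswith("attachment")
            or rec["ctype"] == "application/octet-stream")


def find_download_bursts(log_text, threshold=3, window_seconds=60):
    """Return sorted (client, origin, count) triples for every client that
    received at least `threshold` download responses from a single origin
    inside a sliding window of `window_seconds`."""
    windows = defaultdict(deque)   # (client, origin) -> recent download timestamps
    flagged = {}                   # (client, origin) -> peak count seen in a window
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["status"] != 200 or not is_forced_download(rec):
            continue
        parts = urlsplit(rec["url"])
        key = (rec["client"], f"{parts.scheme}://{parts.netloc}")
        q = windows[key]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window.
        while q and rec["ts"] - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return sorted((c, o, n) for (c, o), n in flagged.items())


if __name__ == "__main__":
    for client, origin, count in find_download_bursts(SAMPLE_LOG):
        print(f"{client} received {count} forced downloads from {origin} within 60s")
```

The single PDF attachment from files.example.com is a normal user download and stays below the threshold; only the burst from one origin to 10.0.0.7 is reported. In practice the threshold and window would be tuned against the site's own baseline, and the origin key could be extended to the full path if a single CGI endpoint is expected to serve many legitimate files.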

Apple told Dhanjani it did not consider the issue a security problem, but would consider the ability to warn before downloading content as a feature enhancement.


"Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads," Apple said in an email quoted by Dhanjani. "This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated."

A second problem is that Safari does not warn when local resources such as HTML files attempt to invoke client-side scripting; this is a concern in part because Internet Explorer does warn in such cases, Dhanjani said.

"I feel this is an important security feature because of user expectations: even the most sophisticated users differentiate between the risk of clicking on an executable they have downloaded (risk perceived to be higher) and clicking on a HTML file they have downloaded (risk perceived to be lower)," he wrote.

Apple responded to Dhanjani that it would investigate the matter as a security hardening measure but that it would take "a fairly deep investigation to address compatibility issues."

Comments received


Dru Richman said on Friday, 16 May 2008

If you uncheck the 'open Safe files after download' box in Safari's preferences, it would appear that that would curtail this issue.

Yes, a simple preference click will change this said on Friday, 16 May 2008

Otherwise, if you go to the same trusted sites like a lot of users, you are OK with that on. Also, if your download window fills up, or you notice a lot of downloaded files on your desktop, etc... then just go to the downloads window and delete them.

It's not as if this makes Safari even as remotely insecure as Outlook, or I.E. or Windows. I think the 'security' (PC) crowd is just trying to do something, anything to curtail Apple's vastly growing influence. It's a little too late for

BS said on Friday, 16 May 2008

Try downloading a file in Safari and then launching it. Yes, you can download it, but you do get a warning the first time you launch it! What's the problem here?

BobAB said on Friday, 16 May 2008

In OSX, downloaded files do not execute automatically and, like another said, it does warn you when you first launch the downloaded app, and also if the app does any system installs, OSX will require you to enter an admin password.

Really, it's overkill to add more to this.

Jim said on Friday, 16 May 2008

This is a crock. Just someone trying to compare what IE does and Safari doesn't, then use that to justify a weakness in Safari. Please, ask the user, me, if we are so retarded we need something to ask us when we download. I never want to see Safari become a bloated piece of crap that IE has become.

GaryM said on Saturday, 17 May 2008

Remember, this is about Safari on both Windows and OS X. I think none of this is an issue on the OS X side for the reasons stated. However, on the Windows side there may be some point in providing these 'enhancements'.

Accountants are the computing experts - interestin said on Monday, 19 May 2008

Well, give 'em a break ... who downloads binary executable stuff into a UNIX box? I guess guys in E&Y do, but even so, who can run them? And who owns them? One needs to understand UNIXes .... God Bless Microsoft
