Apple finally updates its Safari browser to fix carpet-bombing vulnerability
Apple updates Safari browser for Windows with four security patches
June 19, 2008
Today, June 19, 2008, Apple Inc. released four security patches to fix critical vulnerabilities in its Safari browser. One of those fixes is for what has become known as the "Safari carpet-bombing exploit," which Apple had previously dismissed as a feature rather than a security vulnerability. The unpatched Safari browser allowed multiple executable files to be downloaded to a user's desktop without any acknowledgement from the user. Those files could in turn interact with Windows in a way that launched the setup routines for malware applications, downloaded to your desktop without your knowledge or explicit permission.
The danger lies in the fact that a user typically has a browser open at a large size on the desktop, along with other application windows, which obscures the desktop from view. If that browser is an unpatched version of Apple's Safari and the user is either enticed to visit, or invisibly redirected to, a hostile download site, the malware setup files will be silently downloaded to that user's desktop, where Windows may execute them before the user is even aware they were downloaded. This could lead to instant system takeover, with the malware running with the same privileges as the logged-in user.
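A defender-side check for the condition described above, added here as an example and not code from the original article: it lists executable-looking files that have recently appeared in a folder such as the Windows Desktop, so silently dropped installers can be spotted. The folder name, the time window and the sample files are constructed for the example; on a real machine you would point it at the user's Desktop path.

```python
import os
import tempfile
import time
from pathlib import Path

# Extensions Windows treats as directly runnable. Constructed list for this
# example; extend it to match local policy.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".pif", ".msi"}


def find_dropped_executables(folder, since_epoch):
    """Return names of executable-looking files in `folder` whose last-write
    time is at or after `since_epoch`, newest first.

    Last-write time is used because a freshly downloaded file gets its mtime
    when the browser writes it, and mtime behaves the same on Windows and POSIX.
    """
    hits = []
    for entry in Path(folder).iterdir():
        if not entry.is_file():
            continue
        if entry.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        mtime = entry.stat().st_mtime
        if mtime >= since_epoch:
            hits.append((entry.name, mtime))
    hits.sort(key=lambda h: h[1], reverse=True)
    return [name for name, _ in hits]


def demo():
    """Build a throwaway 'Desktop' (constructed sample data) and scan it.

    It holds an old document, an old legitimate tool, and two executables that
    were just written, mimicking a carpet-bombing drop. Returns the hit list.
    """
    folder = Path(tempfile.mkdtemp(prefix="desktop_"))
    for name in ("notes.txt", "old_tool.exe", "setup_installer.exe", "update.scr"):
        (folder / name).write_bytes(b"sample")
    # Age the pre-existing files by a week so they fall outside the window.
    a_week_ago = time.time() - 7 * 24 * 3600
    for name in ("notes.txt", "old_tool.exe"):
        os.utime(folder / name, (a_week_ago, a_week_ago))
    # Anything written in the last hour is suspicious for an idle desktop.
    return find_dropped_executables(folder, time.time() - 3600)


if __name__ == "__main__":
    print("Recently dropped executables:", demo())
```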
The Safari update is only for Windows users, not Mac OS X versions. Version 3.1.2 of Safari for Windows can be downloaded and installed from Apple Downloads.
Carpet bombing attack
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2540, a vulnerability in how Windows desktop handles executable files. Apple explains: "Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code. Web browsers are a means by which files may be saved to the desktop. To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user's Downloads folder on Windows Vista, and to the user's Documents folder on Windows XP."
Internet Explorer 7
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2306 which is an Internet Explorer 7 vulnerability. Apple explains: "If a Web site is in an Internet Explorer 7 zone with the 'Launching applications and unsafe files' setting set to 'Enable,' or if a Web site is in the Internet Explorer 6 'Local intranet' or 'Trusted sites' zone, Safari will automatically launch executable files that are downloaded from the site. This update addresses the issue by not automatically launching downloaded executable files, and by prompting the user before downloading a file if the 'always prompt' setting is enabled."
BMP or GIF image memory error
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-1573, an out-of-bounds memory read vulnerability. The error may occur in the handling of BMP and GIF images, which may lead to the disclosure of memory contents.
WebKit JavaScript array
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2307, which is a memory corruption vulnerability. An error exists in WebKit's handling of JavaScript arrays, so visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
If you currently have Safari browser installed on your computer you should update it immediately, whether you use it regularly or not.
The reason Windows would launch these executables downloaded to your desktop is that the "Windows Desktop" is actually the system file named "Explorer.exe", and it is on the "path" for launching setup files as they are downloaded, or opened from a CD, DVD, or thumb drive. This has now been corrected by both Microsoft and Apple with this month's updates.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.