carpet bombing safari users?

How'd I miss this one? Apparently there's a design flaw in Windows Safari that allows a website to "carpet bomb" the user with a large number of automatic downloads of executable files to the desktop. Microsoft is threatening to take action after Apple claimed it was not a security issue. I like Paul Thurrott's take on it:

Microsoft recommends a workaround while it works on a solution: Reconfigure the default location where Safari downloads content to the local drive, as doing so will prevent the flaw from being exploited. I have a more elegant solution: Simply avoid Safari altogether and use a browser that's written by developers who understand the security nuances of Windows better. I recommend Mozilla Firefox, but Internet Explorer 7 is acceptable as well.
How Apple can say that this is acceptable behavior for a browser is beyond me and should cause real concern for Safari users on any platform.

reactions, thoughts, comments, etc.

Did Apple actually say that it was acceptable, or did they simply say it wasn't a security issue?

I seem to recall, for instance, Mozilla folks stating that something that crashes the browser without evidence of memory corruption and doesn't prevent restarts is not a security issue. I'm sure someone would spin that to say, "Mozilla says crashing is acceptable," but it obviously wasn't what they meant.

Kelson, they said it was a feature request and that they may or may not fix it. That's calling the current behavior acceptable.

I'm not worried about Safari on OS X at all. Apple is not a cross platform company - it knows OS X extremely well and Windows poorly. I typically use Fx on OS X but I'm still using Safari once in a while.

Isn't Mozilla's mission statement about promoting choice - not squashing competition?

Ephilei, according to the original article, this issue affects OS X as well. It's just not as apparent since Safari doesn't download to the desktop there. I'm not sure if people appreciate their Mac's Downloads folder being filled with crap. Moreover, if someone finds a leak allowing for the execution of the files on OS X, the same issues arise. It may be because I'm a Firefox user, but I think the Safari developers need to take security more seriously, on any platform.

They probably don't consider it a major security issue because in Leopard downloaded files are flagged as such, and show a special warning to the user when they are about to be executed.
How this is not a critical error on any other system, including Mac OS X Tiger, is something I cannot conceive.

Then they could always implement the system Microsoft have on NTFS drives, setting a flag in the ADS that causes Windows to prompt about downloaded files -- I believe Firefox copies that behaviour. (I should probably go bug Opera to implement it too...)

Not that it would really stop the kind of people they're worried about executing such files.
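The NTFS flag mentioned in the comment above is the Zone.Identifier alternate data stream that Windows' Attachment Manager reads before running a downloaded file. The script below is an added example, not code from the post or from any commenter: it audits a folder (the Desktop by default) for executables that lack that stream, reports bursts of executables created within a short window (the signature of a carpet-bomb download), and can apply the Internet-zone mark so the usual prompt fires. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the function names, the extension list and the burst threshold are this example's own choices.

```powershell
# Added example (not from the original post or any commenter).
# Assumes Windows PowerShell 3.0+ on NTFS, where Get-Item/Get-Content/Set-Content
# accept -Stream to read and write alternate data streams.

$ExecutableExtensions = @('.exe', '.msi', '.scr', '.bat', '.cmd', '.com', '.pif', '.vbs', '.js')

function Get-ZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the ZoneId stored in the file's Zone.Identifier stream, or $null if the
    # file carries no such stream (i.e. Windows will not prompt before running it).
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Get-ExecutableAudit {
    param([string]$Folder = [Environment]::GetFolderPath('Desktop'))
    # One record per executable-looking file, with its zone mark status.
    Get-ChildItem -LiteralPath $Folder -File |
        Where-Object { $ExecutableExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $zone = Get-ZoneId -Path $_.FullName
            [pscustomobject]@{
                Path    = $_.FullName
                Created = $_.CreationTime
                ZoneId  = $zone
                Marked  = ($null -ne $zone)
            }
        }
}

function Find-DownloadBursts {
    param(
        [string]$Folder = [Environment]::GetFolderPath('Desktop'),
        [int]$WindowSeconds = 60,   # constructed threshold: many executables within a minute
        [int]$Threshold = 5
    )
    # Sliding window over creation times; reports each window holding >= $Threshold files.
    $files = @(Get-ExecutableAudit -Folder $Folder | Sort-Object Created)
    $start = 0
    for ($end = 0; $end -lt $files.Count; $end++) {
        while (($files[$end].Created - $files[$start].Created).TotalSeconds -gt $WindowSeconds) { $start++ }
        $count = $end - $start + 1
        if ($count -ge $Threshold) {
            [pscustomobject]@{ From = $files[$start].Created; To = $files[$end].Created; Count = $count }
        }
    }
}

function Set-InternetZoneMark {
    param([Parameter(Mandatory)][string]$Path)
    # ZoneId=3 is the URLMON "Internet" zone; Attachment Manager prompts for such files.
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

# Usage: report, flag bursts, then mark every unmarked executable on the Desktop.
$audit = Get-ExecutableAudit
$audit | Format-Table -AutoSize
Find-DownloadBursts | Format-Table -AutoSize
$audit | Where-Object { -not $_.Marked } | ForEach-Object { Set-InternetZoneMark -Path $_.Path }
```

Applying the mark only restores the prompt; it does not remove the files, so the burst report is the part worth feeding into whatever the desk uses for triage. The same audit idea applies on Leopard, where the quarantine attribute lives in an extended attribute rather than an NTFS stream.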

[QUOTE]Apple is not a cross platform company - it knows OS X extremely well and Windows poorly.[END QUOTE]

Actually, it is. Apple makes its own operating system, but it makes more than one product that in fact are cross platform - both software and hardware, iTunes and iPod being the prime examples.

There is also no case to be made that Apple knows Windows any worse than any other company, except for Microsoft. Apple knows as much about Windows as Mozilla does, and as Opera does.

deaniac, if Apple believes, as they've said, that it's OK to let a website carpet bomb the desktop with an arbitrary number of executable files, it can fairly be said that they don't understand Windows very well.

Also, all of their apps on Windows, QuickTime, iTunes, and Safari (all built on the horrible QuickTime toolkit) are worse than Java apps for OS integration.

- A