Safari users are at risk of littering their desktops with malicious software because the browser does not ask for user permission when downloading files in the way that Firefox and Internet Explorer do, a security researcher said Thursday.
In a blog post titled "Safari Carpet Bomb," Nitesh Dhanjani describes how a rogue Web site can easily download resources to the Windows desktop or downloads directory on the Mac.
"Apple does not feel this is an issue they want to tackle at this time," he writes.
An Apple representative told Dhanjani that an "enhancement request" for an "Ask me before downloading anything" preference would be filed with the Safari team. "Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads," the Apple representative wrote in an e-mail to Dhanjani.
That issue, coupled with the fact that Safari doesn't warn users when a local resource, such as an HTML file, attempts to invoke client-side scripting, creates a risky situation for most browser users, Dhanjani said in an interview. "People are starting to expect more from browsers today," he said.
The Apple representative told him that the company has been "investigating the potential for a 'safe' mode for local HTML."
Meanwhile, Apple does plan to fix a high-risk security vulnerability that Dhanjani discovered. It could be used to remotely steal local files from a user's file system.
An Apple spokesman did not return a phone call and e-mail seeking comment.
"Since Safari does not know how to render content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served. If you are using Safari in Windows, this is what will happen to your desktop once you visit http://malicious.example.com/," Dhanjani writes in explaining this screenshot. (Credit: Nitesh Dhanjani)
Leave a comment