A researcher has created a proof-of-concept site that graphically demonstrates the risk Windows users face when using Apple's Safari browser. Microsoft's security team already warned that a "blended threat" was so serious that Windows users should curtail their use of Safari until a security patch is available. This blog post from researcher Liu Die Yu makes it clear the warning was by no means overstated. Clicking on this link with Safari using default settings automatically downloads a booby-trapped file onto a Windows user's desktop with no prompting. The next time the user opens Internet Explorer, the force-fed file automatically causes the notepad.exe application to launch and open a non-existent file. Of course, miscreants could choose far more nefarious code.
When informed that its browser downloads files with no prompting, Apple said it may get around to changing this behavior at some point. In other words, this is no big deal from a security perspective, so let's all move on. This demo suggests otherwise.

Edit: Ah, so this is a combined vulnerability with IE? Two browsers that can in combination do the necessary things to execute code with no requests. By itself, Safari is not doing anything that can cause much of a problem, it's when using it together with another security flaw, this time in IE, things start going wrong. Personally I think IE sounds even worse here -- that's what's executing the code without asking here. What Safari does is only downloading your file to the desktop without asking. Even without Safari involved, that flaw in IE could cause security risks.
Last edited by Jugalator on 10 Jun 2008 - 09:42
1) why UAC doesn't prompt?
The user desktop does not need special permissions
2) what is the safari flaw?
downloading files without asking the user if he wants to download it
3) what is the windows "flaw"? (because it's not an ie7 flaw as stated wrongly)
windows will look for libraries that executables need in the PATH variable. If it finds a library (dll file) on the user desktop before it looks in the system32 folder it will use that dll instead of the original one. The malicious dll gets called by the application and can execute code in the same process as the trusted application (in this case ie7 is used, but it could be any executable that is widespread and uses dynamic libraries)
-----
solutions
1) UAC works as expected
2) change the download folder of safari to a directory that is not in the PATH variable
3) by design in the windows OS (not ie7 as wrongly stated)
----
responses from the companies
apple: we don't care
microsoft: by design, if someone can access the directories specified in the PATH variable the computer already has been compromised. Change the download folder of safari until apple fixes the flaw
---
my opinion: apple's fault, a browser should never download files without asking first
The default download location for Firefox is "Desktop" as well. Perhaps IE does, I don't know. Is the location "Desktop" inherently insecure? Or is it just the fact that it doesn't (apparently) ask?
imho it's not the default location that is the problem, i download to my desktop a lot, it's convenient. The problem is the default safari configuration that allows websites to download files without prompting. Which, again imho, is a grave error.
One can argue about the mechanism in which windows loads dynamic libraries and to be honest, i don't think windows should look for dll's anywhere else than in the directory where the executable resides or the system32 directory. But I wouldn't call it a major flaw in windows (and certainly not in ie7). I think the quickest and nicest solution to the problem is changing the default safari settings to make sure files can't be downloaded without user consent.
edit: afaik linux also looks for libraries in the same manner as windows (by traversing to the PATH directories) and would be equally vulnerable if the user desktop would be in the PATH variable. But I think markjensen knows more about that
edit2: on a normal vista installation the PATH variable doesn't contain the user desktop, placing the dll on the desktop has no effect whatsoever
Last edited by XerXis on 10 Jun 2008 - 13:03
Ya, no... For it happen without Safari would require another 'malicious' piece of software that could download files to the computer without marking them as 'blocked', as is the standard on Windows. Safari bypasses the Windows security measures and writes files directly without any blocked flag.
As for the UAC, as long as Safari is downloading the files to the USER'S folder, then it would have permission to do so, since these are USER level access files.
IE on the otherhand on Vista isn't even allowed to run at user level, and even if the blocked flag could be circumvented, IE can't access another process or even write to user file areas without specific permissions.
All the Apple defending doesn't help.
This is a security flaw, should NEVER be allowed in the first place, and secondly Safari as bug infested as it has been shown isn't holding up well to other basic spoofs and malicious attempts, from day one of its release it looked like a beginner trying out a browser, not something from a company like Apple. (Most of the code should have ported pretty easily, so we can assume many of the flaws exist on OS X as well.)
Additionally, Safari should respect the OS security model, and mark the files as blocked since they are coming from untrusted sources. There is a reason why people have digital signatures, and files are signed and unsigned content gets a block flag. It is a good practice, and even if not Safari should respect the OS and not circumvent its security processes.
If Microsoft made Word for Mac to allow unmonitored downloads and opened tons of exploits, Mac users would scream pretty freaking loud, as they should.
So shame on Apple, and don't use safari on Windows unless you are testing web sites for your own development purposes. PERIOD.
Sadly, right now the most secure way to browse the internet is with Vista and IE running as default in protected mode. Even the latest RC from Firefox 3 has some serious flaws that let 'web sites' shove the browser to pop the DEP, and you are safe as long as DEP is enabled on your system, as it will kill the browser. However some users turn it off, and it doesn't run for every process on non DEP enabled processors as DEP is software emulated on these computers.
(Firefox testers, make sure DEP is enabled on Windows, trust me on this, there are a few exploits already floating around for last weeks release.)
In Linux, as you mentioned, I suppose the equivalent would be one browser that downloads files into firefox's 'plugins' directory in the user account (obviously this would not work for system-wide in Linux, just as UAC or other account permissions would forbid this system change in Windows). Then, when you start firefox, it would have the specially-named plugin installed. I don't know of any app in Linux that looks to "desktop" for plugins/libraries, but I would consider any app that did so to be not well-written, regardless of platform.
no you misunderstood me I think, it has nothing to do with plugins. Let's take a commonly used linux library as example: libxml.so
Let's assume the user desktop is in your Path environment variable (or the linux variant of it) so that the OS looks for libraries on your user desktop. Neither vista nor linux have this as a default afaik. Now safari for linux (yes i know it doesn't exist) downloads a file called libxml.so to your desktop without asking and sets none of the security flags. Next you start a program that uses the libxml library, linux searches in its lib directories for the file, finds it on your user desktop and loads the malicious code.
That would be the linux equivalent and that's why I hesitate calling it a flaw, it's just how things work
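The mechanism XerXis describes in the two posts above (the loader walks a search path in order, the first directory holding a file with the requested name wins, so a writable directory listed ahead of the trusted one can shadow a system library) and the libxml.so analogy for Linux, as an added Python example; this is not code from the thread, from Safari, or from Windows. The search orders, directory names and file lists below are constructed to mirror the thread's scenario, and the real Windows DLL search order has more steps than the simplified list used here, so the simulation shows the "first match wins" rule rather than the documented order. `audit_current_environment` is a hypothetical helper name that inspects whatever machine it runs on.

```python
"""Audit a library search path for user-writable entries and simulate
first-match library resolution.  Added example with constructed data; the
search orders are simplified and not the exact documented Windows order."""
import os
from typing import Dict, List, Optional, Sequence


def _key(directory: str) -> str:
    """Case-insensitive comparison key without trailing path separators."""
    return directory.lower().rstrip("\\/")


def split_search_path(value: str, sep: str) -> List[str]:
    """Split a PATH-style string on `sep`, dropping empty entries."""
    return [e.strip() for e in value.split(sep) if e.strip()]


def resolve_library(name: str, search_order: Sequence[str],
                    filesystem: Dict[str, List[str]]) -> Optional[str]:
    """Return the first directory in `search_order` that contains `name`.

    `filesystem` is a constructed map of directory -> file names standing in
    for the real disk, so the example runs offline and deterministically."""
    for directory in search_order:
        names = {f.lower() for f in filesystem.get(directory, [])}
        if name.lower() in names:
            return directory
    return None


def writable_entries(search_order: Sequence[str],
                     writable_dirs: Sequence[str]) -> List[str]:
    """Search-path entries an unprivileged user can write to.  Any such entry
    lets a dropped file shadow a trusted library for every program that
    resolves the name through that entry before reaching the trusted copy."""
    writable = {_key(d) for d in writable_dirs}
    return [d for d in search_order if _key(d) in writable]


def shadowed_libraries(search_order: Sequence[str],
                       filesystem: Dict[str, List[str]],
                       trusted_dir: str) -> List[str]:
    """Names in `trusted_dir` that currently resolve to some other directory."""
    shadowed = []
    for name in filesystem.get(trusted_dir, []):
        winner = resolve_library(name, search_order, filesystem)
        if winner is not None and _key(winner) != _key(trusted_dir):
            shadowed.append(name)
    return shadowed


def download_dir_on_search_path(download_dir: str,
                                search_order: Sequence[str]) -> bool:
    """True if a browser's download folder is itself a search-path entry."""
    return _key(download_dir) in {_key(d) for d in search_order}


def audit_current_environment() -> Dict[str, List[str]]:
    """Hypothetical helper: list PATH / LD_LIBRARY_PATH entries on this
    machine that exist and are writable by the current user."""
    findings = {}
    for var in ("PATH", "LD_LIBRARY_PATH"):
        entries = split_search_path(os.environ.get(var, ""), os.pathsep)
        findings[var] = [d for d in entries
                         if os.path.isdir(d) and os.access(d, os.W_OK)]
    return findings


# Constructed Windows scenario: the Desktop sits on the search path ahead of
# System32 and a file named like a system DLL has been dropped there.
WIN_PATH = r"C:\Users\alice\Desktop;C:\Windows\System32;C:\Windows"
WIN_FS = {
    r"C:\Users\alice\Desktop": ["schannel.dll"],   # dropped by a silent download
    r"C:\Windows\System32": ["schannel.dll", "kernel32.dll"],  # legitimate copies
}

# Constructed Linux analogue from the thread: libxml.so on the desktop.
LINUX_LDPATH = "/home/alice/Desktop:/usr/lib"
LINUX_FS = {
    "/home/alice/Desktop": ["libxml.so"],
    "/usr/lib": ["libxml.so"],
}

if __name__ == "__main__":
    order = split_search_path(WIN_PATH, ";")
    print("schannel.dll resolves to:", resolve_library("schannel.dll", order, WIN_FS))
    print("writable entries:", writable_entries(order, [r"C:\Users\alice\Desktop"]))
    print("shadowed:", shadowed_libraries(order, WIN_FS, r"C:\Windows\System32"))
    print("this machine:", audit_current_environment())
```

The defensive checks are the last three functions: `writable_entries` and `audit_current_environment` answer the thread's question of whether the desktop (or any other user-writable folder) is on the search path at all, and `shadowed_libraries` reports which trusted names would currently be served from somewhere else. Pointing a browser's download folder at a directory for which `download_dir_on_search_path` returns False is the mitigation XerXis lists as solution 2.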
If an app (or the OS) looks to "Desktop" for libraries, it is just plain wrong. Downloading without at least a box to confirm "open with... or save file" is wrong.
If Microsoft has "Desktop" as part of their normal system library path, then perhaps they ought to re-think that plan. After all you can't call every app to save to Desktop as insecure or wrong. And if Windows lets me save to the desktop, isn't it also wrong without UAC or some such alert? (who knows, maybe Vista does alert if you save something from IE to Vista's desktop)
A stand-off between Microsoft and their unwise use of Desktop as a storage location for executables and Apple and their unwise choice in "silent" downloads by default doesn't benefit the consumer at all. I am sure we both agree on that. Safari can be fixed by changing a check-box. It is stupid of Apple to not change that default operation for all future versions. Then, when a user chooses to silent save, IE's poor choice (NOT changeable, by the way) to use the desktop to look for files will still leave a non-knowledgeable user vulnerable to this issue.
no we don't differ in that respect, looking on the desktop for libraries is a bad idea, and as far is known, neither linux or vista do it (can't say what xp does). So I completely agree with you, my bad if you got the wrong idea
I don't think a UAC prompt should popup when I want to save a file to my own desktop, neither would i expect a sudo prompt when i save something in my /home/username on debian. I was only trying to explain the exploit and drawing some analogies between different OS's, don't take my posts as defending or attacking apple, microsoft or linux.
edit: If all it takes is a file called 'schannel.dll' to be on the Desktop for something to happen, then I'm assuming Microsoft patched this bug up some time ago.
FIX THE FLAW APPLE! MICROSOFT IS DOING THEIR PART. SO DO YOUR PART.
http://www.neowin.net/news/main/08/06/01/m...o-windows-users
As for Safari, Apple is still stuck in the old ways of "Security by Obscurity".
Apple takes this critical security matter so lightly.
I just hope that websites will take advantage of this flaw
and fill up the desktop with 1000 GB's of useless files on MacOSX,
let's see how Apple would change their mind
about the urgency of the Carpet Bomb Safari Security flaw!
getting BIG ISO Files getting downloaded to my PC.
No thanks to Safari.
Guys, don't use that crappy and dangerous Safari browser.
Apple doesn't care, so stick with Firefox, IE, or Opera.
H A H A H A
S A F A R I
S U C K S ! ! !
F I R E F O X
F T W !
Last edited by thenonhacker on 10 Jun 2008 - 13:25
Why on earth does IE execute Windows DLL system files without a warning?
Because IE is a part of windows, relies on DLLs like the rest and the desktop is part of the system PATH variable? oh and additionally, the dll name they chose isn't innocent, it's the TCP/IP TLS/SSL Security Provider
additionally, yea they need to partition system resources quite a bit more securely
Last edited by Arkos Reed on 10 Jun 2008 - 12:07
You can tick a checkbox on safari not to download automatically... But IE still executes a dll on your desktop LOL
And why shouldn't it? Your desktop is another folder on the system.
And this issue has nothing to do with IE. The example is given like that. It could be with Firefox or Word too, or any other Windows application.
If you leave two items in a street, the one that gets stolen is the one worth stealing.... trying to attack OSX is less productive than trying to attack Windows XP or Vista.
Apple uses their install base and customer loyalty to kill any vulnerabilities or flaws. (Watch posts get deleted on their forums for an example)
Apple fans won't run to CNET or NBC and say, hey this is a piece of crap, look what it did. It takes a very serious flaw to get any press, and as for security, most Mac users wouldn't even know if they have malware or not.
I'm not saying there is a ton of crap for OS X, but when you compare a few million LOYAL users to one (1) Billion users that often have to use the OS at work or other places without choice, there is going to be a more non-loyal users, and a lot more voices to scream in the dark.
MS has been using this to their advantage, and their compilers and development processes have been vastly improved in just the last 7 years alone, as they listen to the security, hackers, and vast base of users bitching. Right now in terms of development security processes and compiler technology, MS is ahead of the industry, especially in intelligent compiler technology that protects from most stupid or simple coding errors. (And even checks for malicious employee code) Most of these technologies and development cycles are beyond the much smaller Apple development team and processes.
But when Apple gets burned, which will happen and happen hard, they will have to play a bit of catch up. - Even if they are taking notes of technologies MS is pioneering in compiling technology and pulling these technologies back from both MS and Intel. (Hence why Apple NEEDS Intel and you won't see AMD Macs for a while.)
"Your vulnerability is worse than OUR vulnerability".
Excuses excuses!
Apple, admit you have a BIG security flaw to FIX!!!
You are NOT special, security is security!
F L A W E D S O F T W A R E , A L S O F R O M A P P L E
Last edited by thenonhacker on 10 Jun 2008 - 13:24
Although in my opinion, files in the System32 folder should take precedence over files in any other folder in the path statement, but that's just me.
Last edited by TCLN Ryster on 10 Jun 2008 - 14:53
Maybe they have this setup for performance sake? As I take it Windows looks for the dll in the folder the exe is being started from as that's the first PATH statement etc. Lots of apps have their own dlls that stay in their install folders that have nothing to do with System32 etc. I really don't see a problem with the way it's setup in Windows.
You start program1 so it checks for the dll in program1's folder, if it's not there it goes to System32 etc. In the end if system32 did take precedence it would load the secure original file BUT if the dll is using another name and isn't in system32 then Windows would just go back to the install folder in the end anyways wouldn't it?
The real problem here is that Safari is set by default to download without asking, something that shouldn't be that way.
I thought we knew this already. This seems a little sensationalistic to me, but whatever. Apparently it's the law or something that as a Mac user I have to like Safari, but I don't care for it much. My Macs run Firefox and I'm not about to take Safari-Win32 for a spin until this is well ironed out. If at all.
It's time for Apple to wake up. Yes, we Mac fans have enjoyed a long history of relative virus scarcity, by a combination of security-through-obscurity, nonstandard processor architectures and improved security models over other OSes, especially Windows. Luxuries of the past are not an excuse to slack off when the time comes for disaster control, and this is looking to be one of those times.
Apple, you need to
A. Fix the hole. NOW.
B. Fix the inexcusable behaviour of your software updater so that it does NOT automatically download software people did not ask for. To this point I'm sorely tempted to rip into Microsoft for their stealth-installs of WGA software via Automatic Updates and "critical" Windows Updates, but I'll give them a pass this time because it's relatively easy to figure out how to avoid those.
Either way, though, software companies need to stop pushing unrequested downloads to people, especially when they're riddled with security holes.
You can safely know the WGA stuff is going away, far far away. The new Windows Management hates it as much as we do, that is why Vista's inherent WGA is even less restricted than XP, and less control or DRM is always a good thing when it is not needed.
For quite a while the ONLY auto installs are security issues, and I hope MS has finally learned their freaking lesson with this crap. (Especially since it was designed to circumvent OEM and fake software sales, and just this week Microsoft issued orders to shut down several major companies selling pirated versions that bypass WGA.)
(This is where I have hope for MS and getting away from the Ballmer mindset of business before users and gets back to when MS was seen as the good guys and had more the Gates mentality, where Gates blocked disk copy protection from DOS and Windows.)
Last edited by anthonyspt on 10 Jun 2008 - 14:29
Or more like
C: Rename the checkbox 'Automatically keep Safari and other Apple software up to date' to 'Don't install the bloody updater, PERIOD' if all the checkbox is doing is setting a flag to keep Safari updated or not.
It's not old news. The old news simply said that it was a problem. This is news of a POC exploit.
Now, on Vista, this doesn't excuse Safari from automatically downloading a file (any file mind you) without the user's permission.
Things that are downloaded by IE are properly flagged to be untrusted. Hence the extra popup you get when you launch an EXE downloaded by IE.
It all sounds good until you look at networked software past a browser. So ya, in theory the OS could do this... But the model quickly fails for users fast.
Example: MMOs
Imagine if the OS was marking MMO updates as 'foreign' to the system and preventing their usage or a series of confirmation dialogs after a patch?
Sure the OS could not mark these as foreign, but if there is a loophole in the security process, then it really isn't a security process.
Software should just adhere to the security of the OS, and if Safari wants to be a 'secure' or trusted piece of software, Apple has a lot of work to do.
I hope you'll be the the first Safari user to be victimized by the flaw and you will understand the sense of urgency Apple lacks.
APPLE SHOULD FIX THE SEVERE SECURITY FLAW. NOW.
Mac: "Hi I'm a Mac"
PC: "..and I'm a PC"
Mac: "Hey, try my binoculars"
PC: "Ok. Ummm, whats different about what I can see through yours vs mine?"
Mac: "Well, I just gave you Hepatitis with mine"
(ba-da-boom....tiss)
I went to the site in Firefox
It prompted me about downloading a file (save or cancel)
I chose save - it didn't save to desktop
I copied the file from my SAVE folder to the desktop
I opened up IE7
I didn't get a notepad to come up
If you're running Vista, the desktop is not part of the $PATH normally, so it won't work.
You need to be running safari, not firefox.