Apple fixes Safari 'carpet bomb' bug
Posted by Daniel Fleshbourne on 20 June 2008 - 12:00 · 17 comments & 6468 views
(7 replies)
#1 Posted by markjensen on 20 Jun 2008 - 13:09
- As I said on June 3rd:
To be honest, neither bug was very serious on its own, from what the news item states. I guess the accolades for "customer focus" will go to whichever company fixes it first.
Looks like Apple patched their side (after claiming they would not - which I thought was stubbornly thick-headed of them). Glad they took the problem seriously.
I could not identify the specific item in the Secunia listing, but I have not heard news of Microsoft fixing their half of the problem yet. -
#1.1 Posted by MioTheGreat on 20 Jun 2008 - 15:51
- I thought Microsoft's 'half of the problem' was just that Windows will search anywhere in your $PATH for libraries, and under XP, your desktop is part of your PATH....
Wouldn't 'fixing' that break things? -
#1.2 Posted by markjensen on 20 Jun 2008 - 15:56
- (MioTheGreat said @ #1.1) I thought Microsoft's 'half of the problem' was just that Windows will search anywhere in your $PATH for libraries, and under XP, your desktop is part of your PATH....
No. "Desktop" is not part of the normal DLL path, as specified by Microsoft.
Wouldn't 'fixing' that break things?
http://msdn.microsoft.com/en-us/library/ms682586.aspx
It will only search "Desktop" for the few apps that are installed/shortcut(?) on the desktop, that leaves... ummm.. IE and Outlook, I believe. But only if started from the desktop, not the start menu, hotkey, or application link or such.
So, sometimes yes. Sometimes no. Sounds kind of broken to me already.
-
#1.3 Posted by MioTheGreat on 21 Jun 2008 - 04:20
- The same document you linked to says that Windows will search all of the stuff in your PATH last.
Under XP, isn't the desktop part of your PATH? -
#1.4 Posted by markjensen on 21 Jun 2008 - 13:08
- (MioTheGreat said @ #1.3) The same document you linked to says that Windows will search all of the stuff in your PATH last.
It didn't explicitly say so, and I don't have Windows installed to verify. Would it show up in the command shell if you echo $PATH?
Under XP, isn't the desktop part of your PATH? -
#1.5 Posted by MioTheGreat on 21 Jun 2008 - 20:40
- (markjensen said @ #1.4) (MioTheGreat said @ #1.3) The same document you linked to says that Windows will search all of the stuff in your PATH last.
It didn't explicitly say so, and I don't have Windows installed to verify. Would it show up in the command shell if you echo $PATH?
Under XP, isn't the desktop part of your PATH?
I believe so. -
#1.6 Posted by MioTheGreat on 22 Jun 2008 - 18:17
- (MioTheGreat said @ #1.5) (markjensen said @ #1.4) (MioTheGreat said @ #1.3) The same document you linked to says that Windows will search all of the stuff in your PATH last.
It didn't explicitly say so, and I don't have Windows installed to verify. Would it show up in the command shell if you echo $PATH?
Under XP, isn't the desktop part of your PATH?
I believe so.
Ah, bits explained it. It's that the startup folder OVERRIDES the Path. -
#1.7 Posted by The_Decryptor on 23 Jun 2008 - 07:08
- (MioTheGreat said @ #1.6)...
Ah, bits explained it. It's that the startup folder OVERRIDES the Path.
The folder the shortcut resides in shouldn't be classified as the startup folder, the folder where the EXE resides in should be classified as startup folder.
IE (actually, any app) should look in its own folder, system folders, etc., not just any random folder where people create a shortcut to it.
-
(2 replies)
#2 Posted by +TCLN Ryster on 20 Jun 2008 - 14:45
- ...could be exploited in tandem with other problems in Windows and Internet Explorer...
For heaven's sake, it had NOTHING to do with Internet Explorer. Internet Explorer was just used to demonstrate the way that Windows uses the desktop amongst other folders to substitute DLLs used by any and all Windows software. They just used Internet Explorer to demonstrate it, Internet Explorer itself was not at fault. -
#2.1 Posted by markjensen on 20 Jun 2008 - 15:33
- (TCLN Ryster said @ #2)
Actually, IE's behavior is directly at question here. http://isc.sans.org/diary.html?storyid=4562&rss
...could be exploited in tandem with other problems in Windows and Internet Explorer...
For heaven's sake, it had NOTHING to do with Internet Explorer. Internet Explorer was just used to demonstrate the way that Windows uses the desktop amongst other folders to substitute DLLs used by any and all Windows software. They just used Internet Explorer to demonstrate it, Internet Explorer itself was not at fault.
Now, when we combine these two vulnerabilities you get the following – a user visits a malicious web site with Safari. The web site causes Safari to automatically download the DLL file and store it on the desktop. The user now needs to open Internet Explorer from Desktop in order to automatically execute the DLL file. Keep in mind that the shortcut to Internet Explorer has to be on Desktop so the PATH environmental variable gets properly defined (it will make Internet Explorer search current directory for the DLL file).
The issue isn't how Windows as a whole operates, but how IE will use "Desktop" as part of the search path for executables when launched from the desktop. Anyone who has seen how a majority of people use their computers knows that the "desktop" is often a dumping ground for miscellaneous installs and downloads from various sources of unverified trust. For IE to use this to look for executables is not a bright idea. -
#2.2 Posted by bits on 21 Jun 2008 - 03:47
- All Windows apps will search in their "start in" folder *then* $PATH. It does that to allow a program to use its own libraries over the system installed ones. It helps prevent version mismatches if you supply all required DLLs in the app's start in folder.
The start in folder is where you executed the app from (e.g. its home dir) or if a shortcut it'll include the folder the shortcut is in or if the start in folder is specified it'll use that as well.
The Desktop is simply a folder, if you have a shortcut or any application in that folder, the first thing it'll do is find DLLs it can link to in that folder.
That's how Windows has worked for a very long time.
It's not an IE issue at all, that's just Windows. It's not a flaw, it's just something to be aware of (you also should not have any binary in this folder, it really is just for shortcuts!). The problem was 100% with Safari allowing unwanted code to be put on the hard drive and by default to a very stupid place.
Last edited by bits on 21 Jun 2008 - 03:52
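Added example, not part of the thread or of any poster's code: a small Python model of the documented search order for a bare DLL name (the MSDN page linked in #1.2), showing which names end up loading from the current ("start in") directory. The directory layout and the file names present.dll and absent.dll are constructed for illustration.

```python
import os
import tempfile

def search_order(app_dir, system_dirs, cwd, path_dirs, safe_mode=True):
    """Standard search order for a bare DLL name, per the MSDN page linked above.
    system_dirs stands for the system, 16-bit system and Windows directories."""
    if safe_mode:  # SafeDllSearchMode on: current directory comes after the system dirs
        return [app_dir, *system_dirs, cwd, *path_dirs]
    return [app_dir, cwd, *system_dirs, *path_dirs]

def resolve(name, order):
    """First directory in `order` holding `name` (case-insensitive), or None."""
    for directory in order:
        try:
            entries = {e.lower() for e in os.listdir(directory)}
        except OSError:
            continue  # missing or unreadable directory: skip it in this model
        if name.lower() in entries:
            return directory
    return None

def loaded_from_cwd(names, app_dir, system_dirs, cwd, path_dirs, safe_mode=True):
    """Names that would be satisfied by the current ("start in") directory."""
    order = search_order(app_dir, system_dirs, cwd, path_dirs, safe_mode)
    return [n for n in names if resolve(n, order) == cwd]

def demo():
    """Constructed layout: 'desktop' is the working directory of the launched app."""
    with tempfile.TemporaryDirectory() as root:
        d = {k: os.path.join(root, k) for k in ("app", "system32", "desktop", "tools")}
        for path in d.values():
            os.mkdir(path)
        # present.dll also exists in the system dir; absent.dll exists only on the desktop.
        open(os.path.join(d["system32"], "present.dll"), "w").close()
        for name in ("present.dll", "absent.dll"):
            open(os.path.join(d["desktop"], name), "w").close()
        layout = (d["app"], [d["system32"]], d["desktop"], [d["tools"]])
        names = ["present.dll", "absent.dll"]
        return (loaded_from_cwd(names, *layout, safe_mode=True),
                loaded_from_cwd(names, *layout, safe_mode=False))

if __name__ == "__main__":
    safe, legacy = demo()
    print("safe search mode, loaded from desktop:", safe)
    print("legacy order, loaded from desktop:", legacy)
```

Under safe search mode only a name that no earlier directory supplies is taken from the current directory, which is why the folder an application starts in should not be a place where downloads land.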
-
#3 Posted by thealexweb on 20 Jun 2008 - 20:52
- I went to update my Apple Software and blow me it tried to offer me Safari, I don't have it installed and I don't want it, shame on you Apple, up to your old tricks again.
-
(3 replies)
#4 Posted by JJ_ on 20 Jun 2008 - 22:48
- Apple are a complete joke, when the exploit surfaced they denied its existence yet they release a patch.
-
#4.1 Posted by markjensen on 21 Jun 2008 - 02:31
- And Microsoft? Their item was reported to them over a year ago, per the previous articles. And how long are customers going to have to wait for that patch? And your opinion on that is...?
-
#4.3 Posted by markjensen on 22 Jun 2008 - 12:49
- (RAID 0 said @ #4.2) ^ Both companies have issues?
And I agree. And so does Linux. And Opera. And Adobe.
Some people like to turn every patch into an "I hate ____" rant.
-
#5 Posted by franzon on 22 Jun 2008 - 08:07
- The security researcher Billy Rios mentioned on his blog that Safari, when used on a system that also has Firefox 2/3 installed, could lead to providing an attacker the opportunity to steal arbitrary files from the filesystem. Rios stated that he would not go into further details at this time, as the issue is not fixed by the current Safari patch; however, he did mention that Firefox 3 is vulnerable.
http://blogs.zdnet.com/security/?p=1319
Dhanjani showed how Safari could be misused to litter a victim's desktop with downloaded programs, but two weeks after he disclosed his research, another hacker, named Aviv Raff, showed that this flaw could be exploited in tandem with other problems in Windows and Internet Explorer to run unauthorized software on a victim's PC. That prompted Microsoft to issue its own warning about the issue. It also caused some security experts to caution Web surfers about using Safari on the Windows platform.