Stopthebadware.org and ZDNet said that the so-called “Carpet Bombing” attack was a flaw that Apple needed to fix ASAP. I also called on Apple to fix this flaw before an exploit appeared. But now it’s too late: InfoWorld is reporting that code that exploits this flaw is in the wild. It affects Windows only (Mac users can rest easy... for now), but that doesn’t change the fact that this is serious.
Apple could have avoided this by simply fixing the flaw when it first appeared, but it chose not to because it didn’t consider this to be an issue. That forced Microsoft to tell its users not to use Safari (which now seems to have been the right decision). I will note, though, that this exploit also takes advantage of a bug in Windows that Microsoft has known about since 2006. You have to wonder whether Apple takes security seriously given its response to this issue.
UPDATE: Here’s a layman’s explanation of why this is an issue. There are actually two problems at work here:
- Safari will automatically download files from a specially crafted malicious web page (and there are plenty of those out there) with no user intervention required, rather than asking for permission before downloading.
- Certain files will be run automatically by Windows when item 1 happens (this is the Microsoft bug I referred to earlier).
While both of these are bad, the worse offender is item 1, because even if Windows did not run files automatically, something nasty called “deletemyharddrive.exe” could still be downloaded to the computer, and an unaware user could still click it and get into trouble. Therefore, if Apple simply had an option that made the browser ask the user whether it was okay to download something, and that option were turned on by default, this could be mitigated.
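Since the first problem is that files land in the download folder without anyone asking for them, one thing a defender can do while waiting for a browser fix is watch that folder and flag executables that appear unrequested. The following is an added example written for this post, not code from Apple, Microsoft, or the sources cited above: it snapshots a directory before and after a browsing session and reports newly arrived files with risky extensions. The extension list is an assumption for the example (the post only says "certain files" get run and names deletemyharddrive.exe), and the files it creates are constructed sample data.

```python
import tempfile
from pathlib import Path

# Extensions whose unsolicited arrival in a download folder is worth an alert.
# This list is an assumption for the example, not a list from the original post.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".com", ".pif", ".msi"}


def snapshot(directory):
    """Return the set of regular-file names currently in `directory`."""
    return {p.name for p in Path(directory).iterdir() if p.is_file()}


def new_risky_files(before, after, risky_exts=RISKY_EXTENSIONS):
    """Names present in `after` but not in `before` whose extension is risky.

    Comparison is case-insensitive on the extension so helper.DLL is caught
    just like helper.dll. The result is sorted so it is stable for reporting.
    """
    arrived = after - before
    return sorted(name for name in arrived
                  if Path(name).suffix.lower() in risky_exts)


def demo():
    """Constructed scenario: a download folder before and after a page visit.

    Returns the list of unrequested risky files the check would report.
    """
    with tempfile.TemporaryDirectory() as d:
        # A file the user already had: should not be reported.
        Path(d, "report.pdf").write_bytes(b"%PDF-1.4 sample")
        before = snapshot(d)

        # Simulate files appearing with no user action (constructed sample data).
        Path(d, "deletemyharddrive.exe").write_bytes(b"MZ placeholder")
        Path(d, "helper.DLL").write_bytes(b"MZ placeholder")
        Path(d, "notes.txt").write_bytes(b"harmless text")
        after = snapshot(d)

        return new_risky_files(before, after)


if __name__ == "__main__":
    for name in demo():
        print(f"unrequested executable arrived: {name}")
```

In practice you would take the first snapshot of the real Downloads (or Desktop) folder before a session and the second after it; anything the check reports that the user does not remember asking for is a candidate for deletion before anyone double-clicks it.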