Recent reports indicate that a vulnerability in the Mac OS X version of Safari, first discovered in May 2008, has still not been addressed by Apple. The flaw was first discovered by security expert Nitesh Dhanjani, who found that Safari was vulnerable to a type of “carpet bomb” attack, in which malicious website code forces the browser to download a potentially unlimited number of files without the user’s approval.
On the Windows platform, it was shown that the carpet bomb could be combined with another type of attack in order to execute files downloaded to the user’s computer in this manner.
It is thought that, because there was no known way to do this in Mac OS X at the time, Apple simply left the OS X version of Safari as-is even after patching Safari for Windows.
At the time, members of the Apple security team told Dhanjani via e-mail that they would look at adding an “Ask me before downloading anything” option to the browser, but two years later, the option still hasn’t been added, and the vulnerability still exists. Dhanjani speculates that this is because Apple values usability over security.
“Apple wants to make everything so seamless that they don’t want the user to go through this extra process,” he says. So, for the moment, it’s still possible for malicious websites to place any type of file they want on the hard drive of users of Safari for Mac OS X.
