Around the middle of last month, Nitesh Dhanjani disclosed a vulnerability in Safari (and in the way it interacts with Windows and OSX) that lets a remote attacker download multiple files, without the user's knowledge or consent, into the user's default download folder (the Desktop on Windows, Downloads on OSX). The attack has been dubbed "carpet bombing" because of its ability to plant many unwanted files at once, littering that folder with attacker-chosen content.
The researcher showed that Safari does not ask for user permission before saving downloaded resources. He set up a sample malicious Web site whose page embedded a number of iframes, each pointing at a downloadable resource, visited it with Safari, and found that the browser downloaded the files automatically, once per iframe (hence "carpet bombing"), writing copies into the folders above without waiting for any user action or showing a dialog that tells the user what is happening. The report includes a screenshot of the resulting download folder, which illustrates the potential for harm.
Apple is not treating the report as a security issue, but as a feature request: an additional enhancement to prevent unwanted downloads.
On May 30, Microsoft issued a security advisory recommending that users avoid using Safari on Windows until researchers have looked into the browser further and until appropriate updates are provided by either Microsoft or Apple. For ardent observers of the MS-Apple rivalry it is easy to speculate about the motives behind such an advisory, but users should not lose sight of the real issue: although this vulnerability currently exists only as a proof of concept, it gives attackers exactly the kind of primitive they might find useful in future attacks. In the meantime, users are encouraged to change Safari's download location in its preferences so that files are no longer saved to the Desktop or Downloads folder by default.