Safari Security Questioned; SBW Encourages Action

You may recall that StopBadware.org recently played a role in successfully encouraging Apple to improve its disclosure in pushing the Safari web browser to users through its Apple Software Update application. Now, Nitesh Dhanjani, a security researcher, writes about his recent interaction with Apple. Dhanjani alerted Apple to several potential issues that he discovered in the company’s web browser, Safari, most notably the potential for a “Safari Carpet Bomb.”

He writes that Safari “cannot be configured to obtain the user’s permission before it downloads a resource,” and provides this example:

Now assume that http://malicious.example.com/cgi-bin/carpet_bomb.cgi is the following:

#!/usr/bin/perl
print “Content-type: blah/blah\n\n”

Since Safari does not know how to render content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served."

CNET commented that files downloaded by Safari to the desktop on Windows, or the Downloads folder on Mac OS, create the potential for multiple files of unknown nature to mingle with legitimate downloads.

The Apple security team replied to Dhanjani’s emails courteously, but making it clear that this is not a security priority for the company:
bq. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.

Assuming Nitesh’s analysis is accurate, “unwanted downloads,” as Apple calls them, represent a serious security threat to users, who can be easily tricked into executing a malicious file. StopBadware.org believes that users should have control over software being downloaded to their computers, and we encourage Apple to reconsider its stance and treat this as the security issue that it is.