So Microsoft and Apple are sparing over a flaw in Safari. The flaw allows drive by downloads of files onto a user’s desktop from a malicious website. Apple is calling it a feature request for a convenience functionality or some such BS, because apparently they don’t think a third party being able to force files onto a user’s computer is a big deal. Microsoft very much disagrees, seeing it as a great way to deliver malware. It happens to be just that, but that would require a two stage attack (you do need to get it to execute) which is why Apple doesn’t care (in general I think it obvious that Apple doesn’t care about security).

Ah, that is an unimaginative attack though. If one is interested in harm to individuals it can be used by itself to cause trouble. Say some attacker happen to hate the smugness of safari users and want to get them in some legal hotwater. They control an offshore webserver and dump a bunch of kiddyporn.rar files in a publically accessible directory. They name will get it flagged by Google immediately, who will turn it over to the FBI (both google and MS routinely do so) for monitoring. The FBI can’t do anything about it being overseas but they can watch all US traffic that hits it so they can track down pedophiles domestically. The use of a .rar file was to make sure it was something that typically doesn’t have a mime handler associated with it, but is commonly used to distribute archives of data among warez sites and the such, so that safari would automatically download it. The attacker also posts a small web page with exploit code on it to trigger downloads in safari. They then go to a bunch of apple specific sites that allow community feedback and exploiting one of the myriad of XSS vulnerabilities likely to be on the site they inject a CSRF attack that sends a fraction of the visitors (so as to not send an abnormally high amount that would trigger the FBI’s scrutiny) invisibly to the exploit site.

Now the FBI has a whole host of people to start investigating, and even if the person is ultimately exonerated, it is going to cause them some headache. Granted this whole scheme is pretty convoluted and far fetched, and would need to be executed exceptionally well, but I use it to show that the execution of malware is not the sole concern here. Simply receiving data you did not request can be dangerous, and that makes this a vulnerability.

Also, any decent SDL would have caught this vulnerability quite a while ago, as it appears that it is by design. Hey Apple, maybe you might want to start embracing the message you put across in those ridiculous commercials.

~ Joshbw