Details emerge of Safari “carpet bomb” flaw
June 16, 2008 – 5:51 AM
The vulnerability known as the Safari carpet bomb has still not been fixed, despite Microsoft releasing a security update for Internet Explorer last Tuesday evening. The consensus is that Microsoft’s browser is the main cause of the problem, which can create a security hole in combination with Apple’s Safari.
When Internet Explorer starts up, it searches for DLLs not only in the Windows system folders where they are expected to be stored, but also on the desktop. Unfortunately, when it is launched via the desktop shortcut it searches the desktop first, regardless of whether the SafeDllSearchMode setting is activated.
This, in combination with Safari’s much-criticised behaviour of downloading files directly to the desktop without asking, creates the security problem. If a crafted DLL makes its way onto the desktop while a user surfs with Apple’s browser, it could cause a system infection if Internet Explorer is subsequently started. According to reports, the unusual DLL loading process occurs in Internet Explorer 6, 7, and the forthcoming version 8 under both XP and Vista.
Security specialist Liu Die Yu has released the code of a demo exploit, which causes Notepad to open when Internet Explorer is started. He also provides a proof of concept page, which saves a file named schannel.dll to the desktop when visited with Safari. Normally, this library contains the functions for secure communication via SSL/TLS.
Since there are currently not many Windows users browsing the web with Safari, the problem is relatively limited in scale. Affected users should follow Microsoft’s advice and define a separate download folder for Safari (Edit/Settings/Save downloads in). Firefox also saves downloaded files to the desktop by default, but it asks the user beforehand.
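The condition described above, a DLL on the desktop that carries the name of a system library, can be checked for directly. The following is an added example, not code from the article or from Liu Die Yu's demo; the function names and the temporary folders standing in for the desktop and the Windows system folder are assumptions made for illustration.

```python
import os
import tempfile

def is_pe(path):
    """Return True if the file starts with the 'MZ' magic that PE files begin with."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False

def find_shadowing_dlls(user_dir, system_dir):
    """List DLLs in user_dir whose names collide with a DLL in system_dir.

    Windows file names are case-insensitive, so names are compared lowercased.
    """
    system_names = {n.lower() for n in os.listdir(system_dir)
                    if n.lower().endswith(".dll")}
    hits = []
    for name in sorted(os.listdir(user_dir)):
        path = os.path.join(user_dir, name)
        if not os.path.isfile(path) or not name.lower().endswith(".dll"):
            continue
        if name.lower() in system_names:
            hits.append({"name": name, "path": path, "looks_like_pe": is_pe(path)})
    return hits

def demo():
    """Constructed sample: two temp folders standing in for Desktop and System32."""
    with tempfile.TemporaryDirectory() as desktop, \
         tempfile.TemporaryDirectory() as system32:
        for n in ("schannel.dll", "kernel32.dll"):
            with open(os.path.join(system32, n), "wb") as f:
                f.write(b"MZ\x90\x00")
        # Constructed desktop contents: one colliding name, two harmless files.
        samples = {"SChannel.DLL": b"MZ\x90\x00",
                   "notes.txt": b"hello",
                   "mytool.dll": b"MZ"}
        for n, data in samples.items():
            with open(os.path.join(desktop, n), "wb") as f:
                f.write(data)
        found = find_shadowing_dlls(desktop, system32)
        return [(h["name"], h["looks_like_pe"]) for h in found]

if __name__ == "__main__":
    # On a real Windows host, pass the user's Desktop and the system folder instead.
    print(demo())
```

Any hit is worth investigating, since a legitimately installed program has no reason to place a copy of a system library on the desktop.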