Apple defuses Safari “Carpet Bomb”

June 20, 2008 – 7:59 AM

Apple has closed four security holes in the Windows version of its Safari browser with the release of version 3.1.2. The fixes include the browser’s “Carpet Bomb” behaviour of placing downloaded files on the desktop by default and without asking the user’s permission. In association with with Internet Explorer – which, unlike other applications, looks for DLLs on the desktop as well as in the system folders – this behaviour can present a security hazard.

Apple didn’t originally consider the behaviour of its browser to be a problem, but seems to have been forced into action by public discussion. Safari now asks users where to save a downloaded file. In addition, the browser now suggests a dedicated download folder by default. It is unknown whether Microsoft will release a patch to stop Internet Explorer’s strange library detection habits.

Apple has also fixed a flaw in WebKit which could potentially crash the browser when a page containing malformed JavaScript arrays is visited. Apple’s report states that this flaw also allows arbitrary code to be injected an executed. In addition, Safari automatically executes downloaded executable files if the required zone settings were made in Internet Explorer 6 or 7. No details are available about the exact connection between Safari and the Internet Explorer zones. It appears that Safari accesses or imports these settings, but there is no way of enabling or disabling them in Safari. The update also irons out a memory problem in connection with BMP and GIF images which allows unauthorised access to memory.

The new version will be deployed using auto-update and is also available for manual download. However, not all internationalised versions of 3.1.2 are yet available.

Read the rest of the story…

You must be logged in to post a comment.