Apple dismisses Safari download issue

Is it a security hole or not?

A security researcher has published a demonstration exploit that takes advantage of the download mechanism in Apple's Safari browser to automatically download files onto a user's system.

Nevertheless, Apple said it does not consider the issue a security vulnerability, according to Nitesh Dhanjani, a researcher who currently leads application security efforts at professional services company Ernst & Young.

Enterprises have begun paying closer attention to Safari in recent weeks because of a rise in the browser's market share on Windows. Safari is the built-in browser on Mac OS X.

The problem arises "because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource," Dhanjani said in a recent blog post.

He published a sample CGI script that automatically downloads large numbers of files to Safari's default download directory. "The implication of this is obvious: Malware downloaded to the user's desktop without the user's consent," Dhanjani said.
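The behaviour described above, a server forcing download after download on a browser that never asks, is visible from the network side as a burst of responses carrying `Content-Disposition: attachment` to one client from one host. The following detection logic over proxy log lines is an added example, not Dhanjani's script or anything published by Apple; the five-field log format, the sample lines and the `find_download_floods` function are constructed for illustration, and the threshold and window are assumed values a defender would tune.

```python
"""Flag 'download flood' bursts in HTTP proxy logs.

Added example, not code from the article or from Dhanjani's demonstration.
Assumes a simplified, constructed log format (one record per line):
    <epoch_seconds> <client_ip> <host> <status> <content_disposition>
where the last field is the response's Content-Disposition value, or '-'
when the header is absent.
"""
from collections import defaultdict, deque

# Constructed sample: client 10.0.0.5 receives six forced downloads from one
# host within three seconds; client 10.0.0.7 downloads two reports, minutes apart.
SAMPLE_LOG = """\
1211000000 10.0.0.5 news.example.org 200 -
1211000001 10.0.0.5 flood.example.net 200 attachment; filename="f1.exe"
1211000001 10.0.0.5 flood.example.net 200 attachment; filename="f2.exe"
1211000002 10.0.0.5 flood.example.net 200 attachment; filename="f3.exe"
1211000002 10.0.0.5 flood.example.net 200 attachment; filename="f4.exe"
1211000003 10.0.0.5 flood.example.net 200 attachment; filename="f5.exe"
1211000003 10.0.0.5 flood.example.net 200 attachment; filename="f6.exe"
1211000010 10.0.0.7 files.example.com 200 attachment; filename="report.pdf"
1211000400 10.0.0.7 files.example.com 200 attachment; filename="report2.pdf"
"""


def parse_line(line):
    """Split one log record into its fields; the disposition may contain spaces."""
    ts, client, host, status, disposition = line.split(maxsplit=4)
    return {"ts": int(ts), "client": client, "host": host,
            "status": int(status), "disposition": disposition}


def is_forced_download(disposition):
    """True when the server asked the browser to save rather than render (RFC 6266)."""
    return disposition.split(";")[0].strip().lower() == "attachment"


def find_download_floods(log_text, threshold=5, window=10):
    """Return {(client, host): summary} for every pair that received at least
    `threshold` forced downloads inside any `window`-second span."""
    recent = defaultdict(deque)   # (client, host) -> timestamps inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["status"] != 200 or not is_forced_download(rec["disposition"]):
            continue
        key = (rec["client"], rec["host"])
        q = recent[key]
        q.append(rec["ts"])
        # Drop timestamps that fell out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = {"count": len(q), "first": q[0], "last": rec["ts"]}
    return alerts


if __name__ == "__main__":
    for (client, host), info in find_download_floods(SAMPLE_LOG).items():
        print(f"{client} <- {host}: {info['count']} forced downloads "
              f"between {info['first']} and {info['last']}")
```

Legitimate bulk downloads (a software update, a batch export) will also trip a threshold this low, so in practice the alert is a starting point for a closer look at the host rather than a verdict; raising the threshold or whitelisting known file servers keeps the noise down.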

Apple told Dhanjani it did not consider the issue a security problem, but would consider the ability to warn before downloading content as a feature enhancement.

"Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads," Apple said in an email quoted by Dhanjani. "This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated."

A second problem is that Safari doesn't warn when local resources such as HTML files attempt to invoke client-side scripting, which could be a problem in part because Internet Explorer does warn in such cases, Dhanjani said.

"I feel this is an important security feature because of user expectations: even the most sophisticated users differentiate between the risk of clicking on an executable they have downloaded (risk perceived to be higher) to clicking on a HTML file they have downloaded (risk perceived to be lower)," he wrote.

Apple responded to Dhanjani that it would investigate the matter as a security hardening measure but that it would take "a fairly deep investigation to address compatibility issues."



Comments

Accountants are the computing experts - interestin | Published: 18:14 GMT, 19 May 2008

Well, give 'em a break ... who downloads binary executable stuff into a UNIX box? I guess guys in E&Y do, but even so, who can run them? And who owns them? One needs to understand UNIXes .... God Bless Microsoft

GaryM | Published: 15:03 GMT, 17 May 2008

Remember, this is about Safari on both Windows and OS X. I think none of this is an issue on the OS X side for the reasons stated. However, on the Windows side there may be some point in providing these 'enhancements'.

Jim | Published: 23:40 GMT, 16 May 2008

This is a crock. Just someone trying to compare what IE does and Safari doesn't, then use that to justify a weakness in Safari. Please, ask the user, me, if we are so retarded we need something to ask us when we download. I never want to see Safari become a bloated piece of crap that IE has become.

BobAB | Published: 17:50 GMT, 16 May 2008

In OS X, downloaded files do not execute automatically and, like another said, it does warn you when you first launch the downloaded app, and also if the app does any system installs, OS X will require you to enter an admin password. Really, it's overkill to add more to this.

BS | Published: 17:15 GMT, 16 May 2008

Try downloading a file in Safari and then launching it. Yes, you can download it, but you do get a warning the first time you launch it! What's the problem here?

Yes, a simple preference click will change this | Published: 15:51 GMT, 16 May 2008

Otherwise, if you go to the same trusted sites like a lot of users, you are OK with that on. Also, if your download window fills up, or you notice a lot of downloaded files on your desktop, etc... then just go to the downloads window and delete them. It's not as if this makes Safari even as remotely insecure as Outlook, or I.E. or Windows. I think the 'security' (PC) crowd is just trying to do something, anything to curtail Apple's vastly growing influence. It's a little too late for

Dru Richman | Published: 15:26 GMT, 16 May 2008

If you uncheck the 'open Safe files after download' box in Safari's preferences, it would appear that that would curtail this issue.
