A security researcher has published a demonstration exploit that takes advantage of the download mechanism in Apple's Safari browser to automatically download files onto a user's system.
Nevertheless, Apple said it does not consider the issue a security vulnerability, according to Nitesh Dhanjani, a researcher who currently leads application security efforts at professional services company Ernst & Young.
Enterprises have begun paying closer attention to Safari in recent weeks because of a rise in the browser's market share on Windows. Safari is the built-in browser on Mac OS X.
The problem arises "because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource," Dhanjani said in a recent blog post.
He published a sample cgi script that automatically downloads large numbers of files to Safari's default download directory. "The implication of this is obvious: Malware downloaded to the user's desktop without the user's consent," Dhanjani said.
Apple told Dhanjani it did not consider the issue a security problem, but would consider the ability to warn before downloading content as a feature enhancement.
"Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads," Apple said in an email quoted by Dhanjani. "This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated."
A second problem is that Safari doesn't warn when local resources such as HTML files attempt to invoke client-side scripting, which could be a problem in part because Internet Explorer does warn in such cases, Dhanjani said.
"I feel this is an important security feature because of user expectations: even the most sophisticated users differentiate between the risk of clicking on an executable they have downloaded (risk perceived to be higher) to clicking on a HTML file they have downloaded (risk perceived to be lower)," he wrote.
Apple responded to Dhanjani that it would investigate the matter as a security hardening measure but that it would take "a fairly deep investigation to address compatibility issues."
- Sponsored Resource:Learn about storing and securing your data before disaster strikes.
- Sponsored Resource:Learn more about ultra light notebooks from Asus and the best warranty in the industry.
- Sponsored Resource:How much processing power do you need? Intel can help you decide.
- Sponsored Resource:Thinking about a new Laptop? Lenovo has models to meet everyone's needs.
- Sponsored Resource:Get the truth about remanufactured ink. Learn more from HP.
- Sponsored Resource:Small budget, big impact. Create Brochures that pop with HP laser jets printers.
- Sponsored Resource:Six smart ways to grow small business IT
News For Your Business
- Diary of a Deliberately Spammed Housewife
- India Softens Stand on BlackBerrys
- Malware is Getting Smarter, F-Secure Warns
- Malware, Spam, and other Net Pests Rev Up
- Security Firm Reports Trojan Targets Macs
Community Comments