Bug or feature? Apple's Safari Web browser
Nitesh Dhanjani has discovered three flaws in Apple's Safari Web browser, though opinions differ concerning the severity of the vulnerabilities. One of the holes, which Dhanjani does not provide any details about, allows attackers to steal local files; Apple plans to patch this hole in a future update. But according to Dhanjani's blog entry, Apple does not believe the other flaws pose security risks.
Dhanjani claims that a web server which supplies files automatically using a CGI script can set the content type to a value that Safari does not understand. In such cases, other browsers such as Internet Explorer and Firefox ask users whether they want to save the file. Safari, however, simply saves the file in the standard download directory: on Mac OS X, the download folder, or on Windows, the desktop.
Attackers could exploit Safari's behaviour to fill up the user's desktop or to store malicious code on it. They could then use social engineering to trick users into opening the file. In combination with other vulnerabilities, files could even be executed automatically. Dhanjani says that Apple is thinking about adding a prompt.
The third flaw that Dhanjani discovered concerns client-side scripting in local HTML files. Again, other browsers issue a warning here, as one would expect from a modern browser. Dhanjani points out that while users are aware that executing an .exe file poses a risk, not everyone realises that an HTML file also executes code. Dhanjani doesn't call this a security vulnerability, but rather a "feature set request".
- Safari Carpet Bomb, Nitesh Dhanjani's blog entry