MacDailyNews - Where Mac news comes first

MDN:
- what is a carpet bomb?
- how is it invoked?
- how is one detected and stopped?
- how are false-positives avoided (whereby a user downloads lots of files, but it's mistaken for a carpet bomb)?

Software engineering is not a trivial thing. There's lots of factors to consider and lots of testing to be done.

Furthermore, why trust the September release as fact? Where's the proof?

May 20, 08 - 04:29 pm Comment from: JAYGEE

Safari has always seemed to be a pain in the neck for Apple, but web browsers are usually pain asses, but it's better than IE for Mac was.

May 20, 08 - 04:43 pm Comment from: HMCIV

I read the blog post. As a mac user, I don't get the danger. You have to make a pretty conscious effort to install something from the web.

And carpet bombing is a WWII era tactic. What's the correlation between that and downloading lots of files because you're insane about clicking?

I'm cunfoosed.

I disagree. Safari for me (at least) has been stabile and a very reliable browser. It is my first choice on my Mac and on my work Windoze machine, followed by Firefox.

If Safari was a "pain in the neck" why would Apple offer a version for Windoze? It certainly doesn't need too.

May 20, 08 - 04:50 pm Comment from: Cubert

My take on this is that because of the requirement for an admin password, nothing could be installed on your Mac. BUT, we all know Winblows lets anything and everything in like a Jersey girl on a Saturday night. So they are screwed. Pun intended.

The issue described doesn't require that the user do anything but click a link - the download will start automatically. If the user doesn't notice the Downloads window at the time, they may click again and get yet another copy of the file.

I don't think this constitutes a huge security risk, but it's certainly an unexpected and possibly worrying (to the user) behavior.

Who hasn't run into the issue where you click a link expecting it to open in Safari, and nothing happens? Then you check Downloads and... hey, what's this file doing here? If the user doesn't connect this to the earlier click, they may worry about where the file came from.

Carpet Bomb, aka Quief.

May 20, 08 - 05:04 pm Comment from: Ampar

I had a dog that planted carpet bombs.

May 20, 08 - 05:24 pm Comment from: Mr. Peabody

And while we're on Safari security: What's all the hoopla about Safari not being "qualified" for secure online business? I.E., PayPal and others. Is this another ruse by MS partners or is it for real? The double talk by all concerned leaves the end user, i.e. me, completely in the dark. Some postings here a couple of weeks ago claimed that Safari, along with Opera, was in the top three most compliant with regard to what is labeled, web standards. This seems like a major contradiction to me.

If there are general holes in Safari that legitimately inhibit security, especially with regard to ecommerce using browsers, then I think Apple needs to get these fixed now, and needs to let Safari users know that they are working on this stuff now, not sometime this summer. More and more lately many things that I want to do, like work on my website, some ecommerce (buying and selling), are not allowing me to work unless I download Firefox. I don't want to download Firefox, and I don't want two or three or four web browsers installed and crawling around in the inner workings of my computer either. I just want to use Safari - period. If this is not doable then I will make a carte blanche switch to Firefox and quit using Safari altogther.

@Ampar

Unlike you, I had a carpenter dog....did odd jobs around the house.

May 20, 08 - 06:00 pm Comment from: GizmoDan

I use Safari and love it.

However today I detected something that may help my MacBook toting friends. Whenever the fan runs like crazy on your MacBook, if you don't need Safari, turn it off, and see how fast your computer cools down. Very fast. The ability to keep multiple websites on multiple tabs "active" at once, even in the background, seems to use a lot of CPU resources. Depends on the websites I suppose.

Try it and see if your MacBook cools down!

May 20, 08 - 06:46 pm Comment from: Jimbo von Winskinheimer

In response to the MDN take, I think that any software developer must look at a bug and determine if it is a "fix now" bug, i.e. emergency, or if it can wait. It's not just as simple as plugging in a fix and shipping it out. This one was not deemed an emergency, so it can wait a few months.

May 20, 08 - 06:50 pm Comment from: Mr. Reeee

Rampant Carpet Munching might be perceived the bigger threat.

May 20, 08 - 06:55 pm Comment from: Ampar

"I had a carpenter dog"

I hope you didn't name her Karen.

The headline should read:

StopBadware.org coalition calls on....

Microsoft to stop making software sooner than later.

Why subject the world to software that "constitutes a serious security risk" at all?

May 20, 08 - 08:25 pm Comment from: eMax

So...When was September considered the SUMMER?

May 20, 08 - 08:29 pm Comment from: Road Warrior

Wow if StopBadware.org considers links this Safari glitch to carpet bombing I wonder what they must think of Vista....total nuclear arsenal just doesn't quite make it...how about Death Star in range?

May 20, 08 - 08:41 pm Comment from: 6-Ctrl-P

@GizmoDan,
My guess would be that one of the tabs/pages has a Flash program running; usually it will be an ad. I have a site that I go to in order to play a game. The the game is written in Flash and the fan in my MacBook runs like mad, even when the game is doing nothing.

RDM

Ampar...Why do birds, suddenly appear, everytime, you are near?

@eMax....two thirds of september is summer.

I thought that one needed a password to get anything to run on a Mac? Is it really possible for a program to get to the core of the machine, when the OS doesn't allow it because of permissions?

Rick.

"In response to the MDN take, I think that any software developer must look at a bug and determine if it is a "fix now" bug, i.e. emergency, or if it can wait. It's not just as simple as plugging in a fix and shipping it out. This one was not deemed an emergency, so it can wait a few months."

That's the attitude that lead to the MBA being hacked in 2 minutes at CanSecWes.

@RickW

"Is it really possible for a program to get to the core of the machine, when the OS doesn't allow it because of permissions?"

Yes, that's why they call it a security hole rather than the user just being stupid

@Buster: copious seed? MW: came.

I'm surprised the MDN take wasn't "great decision Apple."

Man - you are walking on the edge... you risk takers.

Is this something that actually needs to be fixed or something that needs to be revised to prevent abuse?

Is this the same fault that allows pop-unders onto my desktop?

Why are you guys apologizing for Apple? And stop pointing at M$ security holes, that's just lame. "Oh yeah we have a security problem but they have more so that's okay then".

Fix this fast Apple. These kinds of issues does the concept of OS X being more secure than other OSes no good.

I knew a carpet muncher

Apple, why wait until September to fix what can be fixed today?

Because they need to factor in some bloat in order to cause premature hardware upgrades.

This "exploit" provides the perfect opportunity.

Microsoft tactic. Still love Apple despite it's flaws.

Dhanjani originally discovered than it is possible for a booby-trapped Web site to litter the user’s Desktop (Windows) or Downloads directory (~/Downloads/ in OSX) with executables masquerading as legitimate icons," Naraine reports.

<b>Actually, this exploit has been around for considerable time!</i>

And Apple has utterly refused to fix it totally, just doing a partial fix for well over a year now.

That's why Terminal should be in a Admin locked System folder, Safari "open safe files" should be off and other measures I've completely forgotten taken.

Bad Apple.

May 21, 08 - 01:13 pm Comment from: LordRobin

If you clicked on one of the icons, wouldn't OSX warn you that this is a downloaded program and require you to give permission to run it the first time?

------RM

May 21, 08 - 02:03 pm Comment from: NCIceman

So I'm not alone in thinking that calling sending a bunch of little files to your downloads directory "carpet bombing" is a poor use of the term?

"The issue described doesn't require that the user do anything but click a link - the download will start automatically."

How on earth would the browser distinguish this from normal, intentional download behavior, where the user typically clicks a link and gasp! - a download starts automatically?

The only way to do this would be to have an annoying dialog box pop up every time you tried to download something that says "Did you really mean to download something?" (IE does something similar to this with its information bar, so I guess it's not unprecedented, but then again do we want IE to be setting UI precedent?)

This seems unnecessary to me, given that Mac OS X itself will prompt if you attempt to open a downloaded file that contains executable code "Warning: This is an application that was downloaded from the Internet. Are you sure you want to open it?" I suppose though that a user with a bunch of downloaded files might not take the time to double-check what they clicked before choosing "Yes"

May 22, 08 - 11:15 pm Comment from: Mac Daddy

"Still love Apple despite it's flaws."

This reads: "Still love Apple despite it is flaws."

Here is (here's) an opportunity for me to do my good deed for the day.

"It's" means "It is," in the same manner that "that's" means "that is" and "we've" means "we have." The apostrophe stands in for the missing letters. These are called contractions.

The *only* time you use an apostrophe with "it's" is when you mean "it is" or "it has." If you don't mean "it is" or "it has" then do not use the apostrophe - write "its."

For example: "It's a turd; it's a pain, it's Vista!" (it is)

"iPhone: It's revolutionized smart phones." (it has)

"Vista is so slow it can't get out of its own way." (no apostrophe)

"I still love Apple despite its flaws." (no apostrophe)

There! I have done my deed for the day. By following this simple guide, you will become rich! Or you may make more money, at least... prospective employers look at this kind of stuff. I make more money than I should, not because I am smarter, but because I can fake it by writing well

Cheerio.