Safari 'carpet bombing' attack code in the wild

Robert Palmer
06.11.08
The Safari "carpet bombing" blended-threat vulnerability discovered in May could be more dangerous for Windows users now that exploit code is available online.

Mac users are not affected by the threat.

The exploit takes advantage of the fact that the Desktop is Safari's default download location. Pair that with a flaw in Internet Explorer that allows files of a particular name to be automatically run, and you have a situation where Safari downloads a file and IE runs it.

InfoWorld notes that the source code and demo were posted on Sunday. Apple, so far, has not commented on the InfoWorld story, and has no plans to alter Safari. Since downloading to the Desktop is Safari's only involvement in the threat, there doesn't appear to be any problem to correct.

Microsoft's problem, on the other hand, is that IE automatically runs files that just happen to have a name it cares about, an issue Microsoft has known about since 2006. Microsoft has not commented on the story either, but its suggestion is still to avoid using Safari for Windows.

In this article: carpetbomb, ie7, safari