carpetbomb

Latest

  • Firefox 3.0.1 fixes blended-threat vulnerability

    by Robert Palmer
    07.17.2008

    Mozilla has updated Firefox to 3.0.1 (and 2.0.0.16 for those still using Firefox 2); both releases contain critical security and stability updates. You might remember the "carpet-bombing" vulnerability discovered last month that affected Internet Explorer and Safari for Windows. It turns out Firefox was vulnerable, too. Security researcher Billy Rios found the problem, but disclosed it only to Mozilla. (Mac users remain unaffected.) Mozilla found that Firefox could litter the desktop with files, and potentially contribute to the unwanted execution of malware using the same carpet-bombing technique. Apple patched the Safari end of the vulnerability with Safari 3.1.2. [Via Macworld.]

  • Safari 'carpet bombing' attack code in the wild

    by Robert Palmer
    06.11.2008

    The Safari "carpet bombing" blended-threat vulnerability discovered in May could be more dangerous for Windows users now that exploit code is available online. Mac users are not affected by the threat. The exploit takes advantage of the fact that the Desktop is Safari's default download location. Pair that with a flaw in Internet Explorer that allows files of a particular name to be automatically run, and you have a situation where Safari downloads a file and IE runs it. InfoWorld notes that the source code and demo were posted on Sunday. Apple, so far, has not commented on the InfoWorld story, and has no plans to alter Safari. Since downloading to the Desktop is Safari's only involvement in the threat, there doesn't appear to be any problem to correct. Microsoft's problem, on the other hand, has to do with automatically running files that just happen to be named something IE cares about, a flaw Microsoft has known about since 2006. Microsoft has not commented on the story either, but its suggestion is still to avoid using Safari for Windows.

  • Double trouble for Windows Safari users

    by Robert Palmer
    06.01.2008

    Windows users might have more of a headache when it comes to the Safari "carpet bombing" bug. Macworld reports that, combined with a bug in Internet Explorer, it lets attackers run malicious applications on a victim's computer (obviously without their consent) using Safari for Windows. Aviv Raff, according to Macworld, reported the IE bug over a year ago, and warned of its consequences when paired with a carpet-bombing-like scenario. He recommends that users stop using Safari for the time being. Microsoft issued a security advisory in response to the "new public reports of a blended threat" combining the two problems. Microsoft suggests in the advisory that changing the default folder that Safari uses for downloads will protect users from these attacks. True, it all starts when the user follows a link, so (as always) be careful what you click on.