Archive for May, 2010

Safari users still vulnerable to “carpet-bombing” attack

Apple Safari carpet-bombing is a vulnerability that allows a remote attacker, via a malicious website, to silently download arbitrary files into the user’s default download directory (~/Download).

This issue became serious on Windows because the default download location is the user’s Desktop. Attackers can craft any file to look like a link file (.LNK) or an image file (.JPEG) to entice users into clicking it. Apple immediately addressed this issue in Safari for Windows 3.1.2.

However, Safari users on Mac OS X remain exposed to this vulnerability. In May 2008, Nitesh Dhanjani disclosed details about this flaw, and a year later, while I was writing my paper for VB2009, I revisited this issue and found that it was still unpatched. I contacted him to verify whether my findings were true, and unfortunately he answered “yes”.

OK, two years later, I am again writing about and reviewing the same old tricks, and found that Nitesh Dhanjani recently revisited this issue in his blog post titled “2 Years Later: Droppin’ Malware on Your OSX, Carpet Bomb Style (and Then Some!)”.

I smiled when I saw the screenshot and bonus notes; it reminded me how tricky this can get when combined with other known tricks/exploits – it makes it easier to get the user’s click.

What is this monkey doing in my downloads? Oops, carpet-bomb! That monkey is a trick; it’s not an image file.

Recommended reading:

0day: Apple Safari “parent.close()”

Release Date: 2010-05-07
Criticality level: Highly critical
Impact: Remote code execution
Solution Status: Unpatched

A vulnerability has been discovered in Apple Safari, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused by an error in the handling of parent windows and can result in a function call using an invalid pointer. This can be exploited to execute arbitrary code when a user, for example, visits a specially crafted web page and closes opened pop-up windows.

The vulnerability is confirmed in Safari version 4.0.5 for Windows. Other versions may also be affected.

Do not visit untrusted web sites or follow links from untrusted sources.

Krystian Kloskowski (h07)

Original Advisory:

Advisory Reference: