Apple Safari carpet-bombing is a vulnerability that allows a remote attacker, via a malicious website, to silently download arbitrary files into the user’s default download directory (~/Download).
This issue was more serious on Windows because the default download location is the user’s Desktop. Attackers can craft any file to look like a link file (.LNK) or an image file (.JPEG) to entice users into clicking it. Apple immediately addressed this issue in Safari for Windows 3.1.2.
However, Safari users on Mac OS X remain exposed to this vulnerability. In May 2008, Nitesh Dhanjani disclosed details about this flaw, and a year later, while I was writing my paper for VB2009, I revisited this issue and found that it was still unpatched. I contacted him to verify whether my findings were true, and unfortunately he answered “yes”.
Ok, two years later, I am again writing about and reviewing the same old tricks, and I found that Nitesh Dhanjani recently revisited this issue in his blog post titled “2 Years Later: Droppin’ Malware on Your OSX, Carpet Bomb Style (and Then Some!)“.
I smiled when I saw the screenshot and bonus notes; it reminded me how tricky it can get when combined with other known tricks/exploits, making it easier to get users to click.
What is this monkey doing in my download folder? Oops, carpet-bomb! That monkey is a trick; it’s not an image file.
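Since the bait in a carpet-bomb drop is a file named like an image that is not one, a defender can audit the download directory by comparing each file’s extension against its leading bytes. This is an added example, not code from the original post or from Dhanjani’s write-up; the signature tables and verdict strings are my own construction.

```python
import os
from pathlib import Path

# Magic-byte signatures for the image extensions typically used as bait (constructed table).
IMAGE_MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
}

# Leading bytes of executable content that has no business behind an image name.
EXEC_MAGIC = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xca\xfe\xba\xbe": "Mach-O fat binary (or Java class)",
    b"\x7fELF": "ELF executable",
    b"MZ": "PE/DOS executable",
    b"#!": "script with interpreter line",
}

def classify(name: str, header: bytes) -> str:
    """Return 'ok', 'unknown' (extension not checked) or 'mismatch:<kind>'."""
    ext = Path(name).suffix.lower()
    if ext not in IMAGE_MAGIC:
        return "unknown"
    if any(header.startswith(m) for m in IMAGE_MAGIC[ext]):
        return "ok"
    for magic, kind in EXEC_MAGIC.items():
        if header.startswith(magic):
            return f"mismatch:{kind}"
    return "mismatch:not an image"

def scan_downloads(directory: str):
    """Yield (filename, verdict) for every regular file in the directory."""
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            yield entry, classify(entry, f.read(16))

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Downloads")
    for name, verdict in scan_downloads(target):
        if verdict.startswith("mismatch"):
            print(f"{name}: {verdict}")
```

Run it against the download directory after visiting an untrusted site; a Mach-O binary saved as monkey.jpg is reported as "mismatch:Mach-O 64-bit".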
Release Date : 2010-05-07
Criticality level : Highly critical
Impact : Remote code execution
Solution Status : Unpatched
A vulnerability has been discovered in Apple Safari, which can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to an error in the handling of parent windows and can result in a function call using an invalid pointer. This can be exploited to execute arbitrary code when a user e.g. visits a specially crafted web page and closes opened pop-up windows.
The vulnerability is confirmed in Safari version 4.0.5 for Windows. Other versions may also be affected.
Do not visit untrusted web sites or follow links from untrusted sources.
PROVIDED AND/OR DISCOVERED BY:
Krystian Kloskowski (h07)