Safari Carpet Bomb makes it possible for rogue websites to litter the user's Desktop/Downloads directory

May 16, 2008 08:58 GMT

According to a recent report, Apple's security team has "dismissed" research showing that its web browser still has flaws that could let attackers make a mess of your Mac, or your PC. That's right, your PC: Safari is available on Windows too, and people who ended up with it while "updating" their software a while ago could find it downloading malicious content to their machine without ever being asked for permission. Researchers have reported a total of three flaws, but Apple will be fixing only one.

"Malware downloaded to the user's desktop without the user's consent" is the primary issue researcher Nitesh Dhanjani found in Apple's browser on Mac OS X Leopard. According to his research, it is quite simple to abuse the browser to drop malware onto a victim's machine.

According to the researcher, Safari does not ask the user for permission before downloading content from a website. When Safari receives a response with a content type it does not know how to render, it automatically saves the file to its download location, so a malicious page can trigger the "carpet bomb" every time the resource is served and fill the user's Desktop, the default download folder, with files. Dhanjani says the same thing happens when Safari is used on Windows.

According to The Register, "when informed of this 'carpet bombing' vulnerability (as researcher Billy (BK) Rios has dubbed it), Apple agreed that it might be good if Safari actually checked with the user before downloading potentially vicious files, but signaled that kind of addition wasn't much of a priority."

An insider from Apple's security team told Dhanjani the following: "Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. We want to set your expectations that this could take quite a while, if it ever gets incorporated."

Apple let Dhanjani know that it would fix one of the issues he reported, but asked him not to discuss that vulnerability until the fix is rolled out, given the risky nature of the bug, which affects Safari on both OS X and Windows.

Secunia rates the vulnerability as "less critical."
