Apple OK with Safari's "Carpet Bombing" Vulnerability
theregister.co.uk — Next time you get nagged to install Apple's Safari browser keep this in mind: The company's security team has dismissed research that shows a simple way for miscreants to use the browser to litter an end user's machine with malicious files.
- 675 diggs
- jim51109, on 05/16/2008, -56/+28Apple sucks. Anyone that uses them is a fool. I have been in IT over 10 years and they serve no purpose
- carlnewton, on 05/16/2008, -6/+33"I have been in IT over 10 years" - Oh thanks for that. I was just about to disregard your opinion as rubbish, but since you've declared yourself an expert I've decided to reconsider.
- ScionX, on 05/16/2008, -5/+13I myself don't use apples but they are awesome from a helpdesk pov. If something doesnt work, reboot. It fixes the issue a very large majority of the time.
- Spuy767, on 05/16/2008, -3/+5It is kind of nice for that trick to actually work. I've trained my grandparents to reboot their iMac if they get into something they don't understand, and i get a lot less help calls now.
- protogenxl, on 05/16/2008, -1/+5But once they start using Quark you might as well just move your desk into marketing.
- redxxx, on 05/16/2008, -0/+1Seriously. Quark is such a pile of crap. If you have any influence at all, get them to opt for indesign. Hell they already use Adobe products for all the rest of their design work, just do adobe end-to-end.
I don't mean to shill for Adobe, but Quark is just so damn terrible.
- Cheysuli, on 05/16/2008, -0/+1I agree. Quark has given me more headaches than anything else i've yet encountered.
- cr4wl3r, on 05/16/2008, -14/+9Sorry, but setting up computers for offices and networks is not hard. Real men are programmers, and for the record, anyone that has actually ever tried coding in the OS X environment realizes how powerful Macintoshes are. Cocoa is simply one of the best API's to work with.
- rdsmith1, on 05/16/2008, -1/+0You have to realize, this is Digg. Knowledge and experience aren't required in order to pretend that you have either, or both.
- jet2112, on 05/16/2008, -6/+8you sir, are an idiot...
no purpose? Then tell me why they are popular in the design field?
- redxxx, on 05/16/2008, -1/+3Inertia, attractive styling, and spotlight. Once upon a time popular products(mainly photoshop) ran significantly better on PPC Macs because it was optimized for them. The windows versions were a poor port.
Adobe stopped that when Apple moved to Intel for most of their chips. Most benchmarks show a slightly poorer performance in OSX on x86, and a slightly bigger decrease in OSX on PPC(compared with windows XP).
It is what they are used to, because it was significantly better. Now, mainly it is just different.
It's a lot easier tracking down files in OSX than windows(without adding extra software). This really does make folks a bit more productive, but mainly the people who it helps do not use Windows efficiently(not a condemnation, it took me a while to get used to OSX).
Graphics folks like pretty, Macs have a lot of pretty out of the box. It's not nearly as big an issue as some make it, but it is definitely a factor.
- MrViklund, on 05/16/2008, -2/+2Yet another confused Apple-hater.
- jabberwolf, on 05/17/2008, -2/+2Actually I've been in it for about 15 years and only mactards defend the mac.
The mac was made to be easy as possible to do simple things.
And it's great at it.
But it serves almost no purpose but their own interest, they piss off vendors (both hardware and software), they illegally lock down the OS to their hardware, and their networking collaboration is a joke (worse than novell or lotus hard to believe but true!)
As for design? Almost everything for MAC is on the PC and runs with the 64-bit versions of MS.
Notice how recent large vendors for Apple dont support MAC with 64 bit versions of their software for OSX - (Autodesk and Photoshop recently).
So Apple Hater? - no such thing! These are just people annoyed with Appletards that dont know *****, still live with their parents, blog all dam day, and contribute nothing!
Sorry but when setting up rendering farms for the REAL designers and REAL workforce for the world, they ain't using APPLE, they're using MS 64 and Linux boxes. They do have some Macs for the newbie tards that were only taught on Macs at schools - (only because Apple subsidizes schools to create an artificial market). But when they want to get serious, they leave the Mac behind!
Them's the real Apples ;)
- leontes, on 05/16/2008, -31/+16If it does become a problem: i.e. it's exploited and becomes more than just a theoretical, then there would be a response.
- slantyeyed, on 05/16/2008, -6/+12or knowing apple and its fanboys, maybe it's a cover up?
- KibibyteBrain, on 05/16/2008, -2/+3If they just wanted to cover it up, why would they publish the fact that they even considered it.
- diggymow, on 05/16/2008, -2/+18It should be fixed before it gets exploited. That's like saying if you could cure aids before no one got it you wouldn't bother because it wasn't a problem yet.
- KibibyteBrain, on 05/16/2008, -3/+2Well, in this case it could be since I don't see why patching this up could cause any problems(but then again, I'm not a Safari dev), but your analogy is flawed by extreme case. Sometimes in software engineering its best to let things go if the solution seems worse than the problem. For example, if one could cure the cold, but the vaccine lowered the patient's IQ by 5 points, it might be better to let it slide. Perhaps even for AIDS, but most people would probably not mind the 5 point drop to prevent a disease like cancer or heart disease.
There are many security "flaws" in every computer there is limited to practical concerns. A great example is the DDoS. It would be possible to make servers and computer networks far more resistant to it, but they would be less user friendly and lower performing for the cost. Using fully buffered memory could prevent some percentage of crashes desktop users encounter, but most would rather have the speed of unbuffered RAM.
- Tomchei, on 05/16/2008, -0/+2Isn't that how it works anyway?
I'm sure that there are many future diseases that there aren't cures for that we can't cure until it becomes a problem.
- mentor972, on 05/16/2008, -2/+6Oh, so like Microsoft's system of patches, right?
- Hortnon, on 05/16/2008, -0/+2When was the last major MS security flaw that was exploited before it was patched?
- topace3000, on 05/16/2008, -14/+55Yeah I'm sure apple just dismisses obvious problems with their products offhandedly.
- Spuy767, on 05/16/2008, -15/+8Meh, you can't take any Apple news that comes from the Reg seriously. El Reg used to be my favorite tech news site, but a few years back they developed some agenda, which I have yet to put my finger on, and I haven't gone to them since.
- gclef, on 05/16/2008, -0/+5They've always had an agenda...that agenda is to make fun of everything, with the occasional troll thrown in for fun. You can't really take *anything* from the Reg seriously.
On the other hand, since they don't give a damn about offending people, they'll sometimes come closer to the truth than the regular news outlets.
- chillypacman, on 05/16/2008, -8/+11they realized they were sucking up too much to the mac fanboy crowd?
- FutureGuy, on 05/16/2008, -5/+8I for one buried it as soon as I realized it was anti apple, its instinct or the mind control device they shipped with the last iTunes update.
- bkemper, on 05/16/2008, -19/+5It's a silly article by an anti-Mac bigot. Oooo, "malicious iframes and other scripts"! Pages that render and act the way they're told to! Run for your lives!
"...the vulnerability allows miscreants to dump hundreds of malicious files into a user's default download location (in Windows it's the desktop and in OS X it's the download folder)".
Number one: It is very easy to change the download location, even in Windows. I think the desktop is a stupid place to download files to, personally. But many Windows users aren't too bright, so they probably wouldn't find them otherwise.
Number two: If you go to a site and it starts downloading files, the first thing you see is the downloads window. If you see that the site has started downloading large number of files to your desktop without your permission, then leave the site, select all the files in the download window, right click on them and select "show on desktop" or whatever it is in Windows, then go to the desktop and hit delete.
What a stupid thing to get up in arms about. As usual, just a tempest in a teapot by people that think really stupid people need to be saved from alternate browsers that don't look and act exactly like that piece of garbage, IE. People that stupid would not use it because they don't know what a browser is.
- jrbrewin, on 05/16/2008, -6/+5if this were IE, you'd be up in arms. as such i've dugg you down for blatant fanboyism.
- Hortnon, on 05/16/2008, -7/+2 1) Many OS X users aren't bright either. Same with Ubuntu, too. Statements like that are why there's a stereotype around Mac users being arrogant assholes.
2) "This exploit isn't something that's worth fixing because you can just delete the files!"
3) See 1)
- worminater, on 05/16/2008, -5/+5logged in to dig you down.
- rakslice, on 05/16/2008, -0/+7>Number one: It is very easy to change the download location, even in Windows. I think the desktop is a stupid place to download files to, personally. But many Windows users aren't too bright, so they probably wouldn't find them otherwise.
Er... The desktop was the traditional default download location for Mac browsers. Defaulting to a download folder is a relatively recent change.
- rossisdead, on 05/16/2008, -1/+1Hey did you read the part of the article wrote about similar security flaws in IE7 and 8? No I guess not
- foxhaze, on 05/16/2008, -20/+6And that is why Firefox is epic rape.
- 007isbond1, on 05/16/2008, -2/+7epic win... was the phrase you were looking for there =D
- TheSpook, on 05/16/2008, -1/+2I suppose it depends if you're on the receiving end or not.
- shaffah, on 05/16/2008, -22/+42they really dont care
- doshindude, on 05/16/2008, -11/+15it's steve jobs, what do you expect? he doesn't give a ***** about. He just wants his monies from his ipod touch customers who mindlessly follow him.
- SSUK, on 05/16/2008, -2/+4Although I agree with you, I doubt his Lord and Master, Steve Jobs has much to do with fixing vulnerabilities in Safari.
- 4ndr3wk, on 05/16/2008, -6/+6Thats the thing i hate about apple, they have this aura about them where everything they have made is perfect and theyre never wrong.
- rdsmith1, on 05/16/2008, -1/+3Says who? You'll have that with any group of fanboys, but too many people assume that all mac users think that everything that apple does is perfect and that they're never wrong. That couldn't be farther from the truth.
Just look at Leopard's initial release. A lot of people hated the translucent menu bar and the fact that you could no longer view docked folders in list view. They stirred up a huge ****storm about it, and what did apple eventually do? They gave the option to make the menu bar opaque, and gave back the option to view docked folders in list view. Apple gets plenty of flack from their customer base of plenty of things, but it's usually fanboy zealotry that drowns that kind of stuff out.
- mprice177, on 05/16/2008, -42/+38With all these Apple fans who will pay Hundreds of dollars for something that looks pretty..even if there are known issues, why should apple really care.
- speedyrev, on 05/16/2008, -10/+4Because the threat is greater in windows.
- Hortnon, on 05/16/2008, -2/+2Is it, though?
- chillypacman, on 05/16/2008, -6/+4read: not actually in Windows.
- iampriteshdesai, on 05/16/2008, -12/+14Windows has greater threat simply because it is the most dominant os. If Apple gets that much share (it won't) then every minute new viruses would drop by. Macs are secure is a myth. Recently in an competition between Mac Vista and Ubuntu. And guess what your favourite mac got hacked first. But you don't care do you as long as Apple keeps throwing good looking, stupid, high priced things at you. Firefox rules safari is a crap.
- iampriteshdesai, on 05/16/2008, -16/+5Windows has greater threat simply because it is the most dominant os. If Apple gets that much share (it won't) then every minute new viruses would drop by. Macs are secure is a myth. Recently in an competition between Mac Vista and Ubuntu. And guess what your favourite mac got hacked first. But you don't care do you as long as Apple keeps throwing good looking, stupid, high priced things at you. Firefox rules safari is a crap.
- scoobycarolan, on 05/16/2008, -35/+16Everytime I download anything in LEOPARD I'm politely asked if I'm sure I'd like to run it because it was downloaded off the internet. Maybe if WINDOWS got wise it could politely ask similar questions. Too bad everyone's running around with Vista trying to get their printers to work like is frigging 1992! Asshats.
- sensor, on 05/16/2008, -10/+24Name one modern printer that is not working on windows.
- ibeetle, on 05/16/2008, -10/+6Do a Google search. Message boards are filled with posts that every single printer manufacturer has at least one model and/or series with problems that range from missing features to flat-out will not operate under Vista.
- Hortnon, on 05/16/2008, -1/+4So, you can't name a modern printer, then?
If there aren't drivers for a printer, is it MS's fault? No, it's the greedy companies that want to force people to buy new printers by not allowing older products to work with new OS's. It's exactly what nVidia did to 3dfx users.
- nobelief, on 05/16/2008, -6/+8keep spreading the FUD
- VinceA, on 05/16/2008, -7/+10It does in Vista.... BTW, my printer (older DeskJet) works fine also. Of course, Vista does have its issues as do all OSes. Enough partisan squabbling.
- legendxx, on 05/16/2008, -10/+2You download something in leopard? I'm pretty sure you downloading something in safari, FF, opera, or some other browser and IT asks if you really want to run it.
- starbird, on 05/16/2008, -0/+7legendxx, I believe it is the os, because, as an example, if I download handbrake today, but don't run it until tomorrow, and no browser is open, it still asks, and says "This file was downloaded from the internet on date and time"
- SteveMax, on 05/16/2008, -0/+6Actually, in Leopard the browsers save (or at least are supposed to save) a file's original URL in its metadata. When you first run something that has a "downloaded from" item in its metadata, Leopard shows a warning.
- weir, on 05/16/2008, -0/+4Actually he's right. If you download a .app (assuming with your browser, torrent, ftp etc) when you first run it the OS asks you if you're OK with it running and lets you visit it's source to ensure it's safe, the browser itself does not ask you. Mind you Vista & XP do the same for exe's, so I'm not really sure what his argument is there.
- legendxx, on 05/16/2008, -0/+3I stand corrected. Thanks to those above.
- 007isbond1, on 05/16/2008, -2/+4me = microsoft fan boy
me = vista hater.
confused yet.
what im trying to say is that i love most microsoft products like XP, xbox 360, ms office [although im turning to openoffice.org more and more].
but i had vista for 6 months then i threw my laptop at a wall because it kept nagging me about security.
- ethamajin, on 05/16/2008, -2/+7did you know you can disable UAC? ...
- Rassa, on 05/16/2008, -1/+5If you throw a laptop because of UAC nagging you, you have some other issues you should really get checked out.
- 007isbond1, on 05/23/2008, -0/+0disabling truly defeats the purpose of it being there in the first place
- briLo, on 05/16/2008, -6/+1Scooby - You're an ignorant ***** and I hate ignorant *****!
- MacParrot, on 05/16/2008, -0/+2Right because calling someone an ignorant ***** just ends the argument right there!
- briLo, on 05/16/2008, -0/+2No it does not end the argument, for I have no argument. I'm simply stating a fact.
While she concentrated on indicating when she does something in LEOPARD it does this, and maybe WINDOWS should do this, she's articulating on something she's profoundly incorrect on. Thus indicating she is an ignorant *****.
Perhaps she's flaming about people running around trying to install printers like it like frigging 1992, but we in the real world know that it's a simple driver update if there is any compatibility issue. Once again, proving she is an ignorant *****.
Lastly, her statements indicate anyone using Windows/Vista is an asshat. Do I really need to say it again......oh ok, she's an ignorant *****!
- netdroid9, on 05/16/2008, -2/+9Actually, Windows does this too, and has done since XP SP2.
- WarezAppz, on 05/16/2008, -4/+6I am not sure what planet you are from, or what F'd up installation of XP OR Vista you were using, but if you are using either (Completely up-to-date) anytime you have an executable (*.exe) that you try to run from the internet (RUN, not save to) you are prompted at least once if Not TWICE to confirm you want to run it.
Put the crack pipe down and back away slowly . . . . .
- specialK16, on 05/16/2008, -0/+1People on crack make more sense than scooby. Its fanboyism at its worst.
- Avaseal, on 05/16/2008, -11/+3"OK Computer"
- twiztidsinz, on 05/16/2008, -2/+2"Kid A"
- mentor972, on 05/16/2008, -2/+1"Pablo Honey"
- sotose, on 05/16/2008, -0/+0"The Bends"
- RedRobinRed, on 05/16/2008, -15/+6Ok, so -- I KNOW this is Anathema to many people -- and I have a personal, documented case where my Apple iMac was literally TORN TO SHREDS by a hacker -- admittedly, I was going to some sites I didn't really trust all that much and shouldn't have clicked a few things, and the infection grew so much that it was ridiculous. We took it to the Apple store SIX TIMES. They refused the entire time to say the words "Virus" or "Hacker" and I was showing them a Linux readout from Virus protection software that stated the thing was infected, they claimed impossibility (its LINUX, why do you say its impossible?) and they quietly replaced our hard drive, without telling us they were going to do so, and we lost all of our iTunes music. When I called the Apple iTunes store they said they couldn't let me re-download my music because they'll only do that once for you in your LIFETIME and I'd already used up my ticket. Maybe they're within their rights to do all that, I never really looked -- 3g's down the drain. Threw it out.
- Spuy767, on 05/16/2008, -7/+3That's what you get for buying Chinese knock-offs.
- Tufriast, on 05/16/2008, -2/+4I don't know if I really believe you at all. The whole story sounds fabricated. At three times Apple replaces your whole machine. So, that fact included, I do not think you are telling the truth.
- moisie, on 05/16/2008, -2/+5Which virus did it have?
- Enron, on 05/16/2008, -2/+6Your iMac was literally torn to shreds by a hacker? What kind of cutting tool was he using?
- GOBeanZ, on 05/16/2008, -0/+1A hacksaw maybe?
- BOFH2, on 05/16/2008, -1/+1Amazing and they say Christians shoot their wounded. Fanboys do it in public
- ToadLeg, on 05/16/2008, -3/+57It's not that they don't care about it, it's that they don't want to label it as a security vulnerability so that their statistics show fewer security vulnerabilities vs other browsers.
FTA: Someone on Apple's security team says: "Please note that we are not treating this as a security issue, but [we are going to fix the problem]"
- skidooer, on 05/16/2008, -6/+4To be fair, it isn't a security risk. It's an annoyance at best.
- Hortnon, on 05/16/2008, -2/+3It's not a security risk...yet. Is there a guarantee that someone won't figure out a way to execute downloaded files?
- Acolyte357, on 05/16/2008, -0/+3How is forcing your computer to download any file I want as much as I want, not a security risk?
- system7, on 05/16/2008, -0/+1Downloading a single file behind the user's back is a security issue that has been around as long as web browsers have been around. It's a problem that Microsoft and Apple now address at the operating system level, not the browser level.
"Carpet bombing" a user's download folder/desktop is an annoyance, regardless of whether the browser repeatedly prompts you before downloading each file.
- jeriqo, on 05/16/2008, -18/+4This story is very unlikely.
Buried as fud.
- protogenxl, on 05/16/2008, -10/+4Got Hubris?
- netneutrality, on 05/16/2008, -6/+6"...dozens of booby-trapped "My Computer" icons..."
I don't like the sound of this.... a file could be anything and still have a legitimate looking icon! Could they overwrite files already on the desktop too?
- bkemper, on 05/16/2008, -2/+3No. Nor can they change the position of the ones you have already or set their own position. So if your normal "My Computer" is in the upper left corner, that would not change.
If you are seriously worried about this, just edit the Safari preferences to save downloads to a folder of your choice, such as a folder on your desktop called "downloads". I would do that anyway, and look at it in detail list view.
- danjal, on 05/16/2008, -9/+20I think what you need to realise is, Mac Users like myself included are quite vain when it comes to attacks, we don't get them because we're not the largest target of attacks.. however.. if we continue to live behind this smugness alone, we are going to get caught with our pants down and have nobody to complain to but ourselves.
- warragul, on 05/16/2008, -14/+3Yes, but Mac Users (note the capital U) like yourself don't actually use or own Macs, do they? Otherwise they would know the real reason Mac owners don't have 40,000 and counting viruses despite OSX being around for over 7 years.
Begone, troll.
- danjal, on 05/16/2008, -2/+4Listen buddy.. I have a iMac G5 Edition, Mac Mini, and i still have my old PowerBook 150.. but thanks, because you just became my prime example of what i was talking about.
- ikenefick, on 05/16/2008, -13/+18Just use Firefox. It's a better browser, security is treated with priority, it's open source and has much more "useful" functionality. I'm not saying Firefox doesn't have issues - but it's a better choice.
- tonyarnold, on 05/16/2008, -7/+9Sure, if you're on windows. Firefox is slow and ugly on the mac, and it's standards support lags behind Safari in every release.
So long as I'm aware of what this vulnerability is, I'm willing to take the better features of Safari over Firefox anyday...
- ajamison, on 05/16/2008, -1/+2Try Firefox 3 beta 5 on your Mac, it's much, much faster than FF2 ever was.
- bkemper, on 05/16/2008, -1/+3Does the default configuration of FireFox make you confirm every download? If you have to change the defaults to get that behavior, then it is no better. You can change the defaults of Safari too, to download to a different location so that you are not confused by the icons and can easily delete exactly the files you don't want.
- quantumstatejim, on 05/17/2008, -0/+1The default does make you confirm every download. There is even a small countdown for the confirmation so that the site cannot pop up the box suddenly and have you clicking it accidentally.
- tedc, on 05/16/2008, -1/+2For a browser where "security is treated with priority", I was a little surprised to learn that in its default configuration, all your passwords are stored in the clear. Setting the master password seems to have fixed that, but now I have to enter that every time I run Firefox. I don't know why they can't just use the user keychain on the Mac like everything else.
- yingjai, on 05/16/2008, -0/+1With all these people boasting about how FF is much more secure, I have never had any issues with MSIE7. I never had a virus or spyware since my early days of computing. However, I find that after loading several plugins into FF, it becomes slower to start than MSIE7. Who does it benefit?
- fatas, on 05/16/2008, -9/+8It is on a problem using Safari on a Mac but this is clearly the main reason why you should not use it on MS Windows.
- iampriteshdesai, on 05/16/2008, -14/+4Safari sucks. Even Netscape 1.0 had more features. Also as I am typing this the part below comments box is vibrating. God promise. Has it happened to you before??
- potterboy, on 05/16/2008, -0/+3Javascript, tabbed browsing, HTML mouseovers, frames? You're an idiot if you think a 15 year old browser is better than Safari. Safari has problems but seriously?
- doshindude, on 05/16/2008, -20/+13Just use firefox...Safari is crap.
- bcamp1973, on 05/16/2008, -1/+3actually safari trounces FireFox on the mac for performance. it doesn't have all the bells and whistles, but FF is a hog on the Mac. Version 3.0 is supposed to fix that, but until then it is NOT the best choice
- mic915, on 05/16/2008, -7/+1"The Bends"
- Mier, on 05/16/2008, -13/+4Poor macaphiles. The bloom is off the rose and now it's down to ugly. Can't wait to hear apple scream as their precious os gets torn apart by hackers and viruses.
- xDibblerx, on 05/16/2008, -14/+8I'm forced to use Safari at work since the IT guys put filters on Internet Explorer and set firefox.exe as a virus so we can't install it. Safari is the biggest piece of crap I've ever used. I sure hope it runs better on a Mac because on a PC it's slow, buggy and just plain awful. Oh and our IT guys suck too because they never heard of Safari so they didn't add it to the banned list along with firefox and opera.
- ieowqw, on 05/16/2008, -7/+11I am running Safari on my low end vista computer (1ghz) because it runs FASTER and more stable than firefox or IE.
Care to explain where it is slow and what the bugs are?
- Neo829, on 05/16/2008, -1/+14Wait. Your company forces you to use Safari because you chose to use it to bypass your employer's filtering?
Yeah, that makes sense. Alternately, you could just get to work.
- wrestlingnrj, on 05/16/2008, -3/+6You're "IT" guys either a) completely useless or b) plain stupid, if they haven't even heard of Safari or banned FF and Opera.
- alex7575, on 05/16/2008, -0/+1Sounds like you work for IT yourself, then you should know that some companies have internal web applications (custom written) using MS .NET. To ensure that the web app runs with unforeseen issues many IT departments end up "forcing" their employees to only use IE
- bkemper, on 05/16/2008, -0/+5"Your", not "You're". You are using it as a possessive (IT guys of you) but spelling it as a contraction of "you are".
- potterboy, on 05/16/2008, -0/+4What about using something like SeaMonkey or Firefox nightlies that are named differently?
- grymmjack, on 05/16/2008, -0/+1Try to rename firefox.exe to something else.
The system could be setup to look at the processes and block the executables it knows via filename rule and not through more sophisticated protection.
At a place I used to work this trick was all we needed to do to "work-around" the security stupidity. What was particularly annoying was even the web development group I worked in was forced to work under the same draconian nonsense; never mind that we had to test our work in as many browsers as possible.
Try to rename firefox.exe to ffox.exe. It worked for us. After you do it you will have to modify the shortcuts to point to the new name (including the icon configuration).
- ajamison, on 05/16/2008, -1/+2Try Opera?
- daizaru, on 05/16/2008, -15/+9Apple is making Microsoft look good these days. Guess they are giving up on the tech crowd and people who peruse the internet and relying solely on the TV ads and so forth.
- hermes369, on 05/16/2008, -7/+15I think folks should read the source of the article; I followed the link:
http://www.dhanjani.com/archives/2008/05/safari_ca ...
The original author doesn't seem concerned enough to dismiss Apple as being irresponsible or holier-than-thou. It seems the Register is flame baiting.
- PlanR, on 05/16/2008, -13/+9Safari has become too unstable as of 10.5. It crashes regularly, and often comes up with "cannot decode raw data...please report bugs to Apple...".
I frankly don't use it anymore.
- phoomp, on 05/16/2008, -3/+3I frankly don't trust most of Apple's software anymore. iTunes is buggy and Apple is trying to force Safari onto me.
Apple, if you really want me to use your software, stop looking for ways to get it onto my computer and start looking for ways to convince me to want it. - bkemper, on 05/16/2008, -0/+3Sounds like you have an unusual problem. I've never seen that in my Safari on 10.5.
- Crisender111, on 05/16/2008, -15/+3Apple Sucks
Safari Sucks
Apple fanatics....no they don't suck.
They are just plain stupid. Use Firefox.
Digg me down !
- MacParrot, on 05/16/2008, -0/+3Sure thing. There ya go buddy!
- potterboy, on 05/16/2008, -1/+2FF3 is great, but Safari is still better on OS X.
- DestroyFascism, on 05/16/2008, -12/+9So it's just like IE? Now I know why proprietary software sux!
- potterboy, on 05/16/2008, -0/+8Proprietary? http://webkit.org/
- MacParrot, on 05/16/2008, -0/+7SHHHHH! You'll confuse him. He's VERY busy destroying fascism
- DeFex, on 05/16/2008, -9/+5Apple wants you to install Safari on your PC for that very reason. They are hoping (or planning) that you will get malware that makes you become pissed off with your PC and give up on it. "Macs don't have malware"
- MacParrot, on 05/16/2008, -0/+2Riiiight, so Apple WANTS you to install APPLE software that supposedly will give you malware so you'll then spend money on a product the company makes. There's a flaw there somewhere....
- DeFex, on 05/16/2008, -1/+1Why else would they bother with a FREE browser when there are already several others available?
- phoomp, on 05/16/2008, -0/+4That may not be too far from the truth. iTunes for MacOS is written to run much smoother than iTunes for Windows ... I've no doubt that Apple has done this on purpose to make Macs appear faster.
- P5ycHo, on 05/16/2008, -0/+2Macs do not (yet) have viruses.
They DO have malware (but you have to install it yourself).
And they ARE hackable.
But those are three different things.
- hempydave, on 05/16/2008, -8/+5Was planning to switch to mac but now....
Attitude is everything.
- rdsmith1, on 05/16/2008, -6/+26The ignorance is strong in this thread.
"Poor macaphiles. The bloom is off the rose and now it's down to ugly. Can't wait to hear apple scream as their precious os gets torn apart by hackers and viruses." Troll much? Seriously, this same kind of thing is said every time there's a potential security threat or even the smallest vulnerability in any Apple application or any part of OS X, and nothing ever happens. Get a grip.
As for the "Carpet Bombing" vulnerability, it's only potentially a problem with the Windows version of Safari. First of all, .exe files obviously can't execute inside OS X, so that's out. Application files (.app) are NEVER downloaded directly, and as far as I know they can't be. Any image file that could contain a .app file would need to be manually opened (unless you click the check-box in Safari that allows downloaded files to be opened automatically), and even then, whatever files are contained in the image can't be automatically executed. Whenever you open any image file that's downloaded through Safari, it tells you what kind of file you're opening, and depending on the type of installer used by the image file, you'll be prompted to enter your admin password before continuing. And on top of all that, any time that you execute a new application for the first time in Leopard, it tells you what browser was used to download it, what site it came from, and gives you the option to allow or cancel. There is no issue on the Mac side.
Granted, I don't use Safari in Windows that often, so I couldn't tell you exactly whether or not a downloaded executable would be able to just run itself automatically. However, I would imagine not since Safari stops and tells you when an executable is about to be opened. It would be nice to see Apple care a little bit more about whether the Windows versions of their software were as secure as the Mac versions, that way you wouldn't have people assuming that just because it's one way in Windows, it must automatically be one way in OS X.
But hey, this is Digg, where Apple sucks just because, and nobody has to know anything or do any research before acting like they know what they're talking about.
- rdsmith1, on 05/16/2008, -1/+5To be fair, and I should have put this in my original post, Internet Explorer and Firefox will both prompt you to allow running an executable, as well.
This likely isn't an issue on the Windows side, anyway. So, like someone said above, this seems more like flamebait from the Register.
- johnomaz, on 05/16/2008, -4/+8Did you even read the article? It said nothing about automatically running the file it downloads. The website can tell the browser to download all the files at once. Essentially, it could put 100 files in the download directory. The user has to run it themselves, and considering how stupid the majority of the computer user populace is, it will happen.
Think of all the wonderful e-mail attachments, that after repeated times being told to never open unusual attachments, people still do. This is worse. The download folder is where everything you purposefully downloaded ends up. If you see a file there, you are probably going to run it thinking you downloaded it for a reason at one point in time.
"Seriously, this same kind of thing is said every time there's a potential security threat or even the smallest vulnerability in any Apple application or any part of OS X, and nothing ever happens. Get a grip."
Yes, because having one of the worst firewall programs ever in the release of 10.5 was a small vulnerability, right? You tell it to block all incoming/outgoing ports and what does it do, leave a handful still open, unprotected.
I forget the title of the story on Digg, but the story was of a company setting up three machines. A fully updated Vista machine, fully updated MacOS 10.5 machine and a fully updated Ubuntu Linux machine. Anyone was able to give it their shot to hack the machine, and place a file on the machine showing that it had been compromised. The Mac was hacked within 20 minutes. The Vista machine took about a day and a half. The Linux machine was still unhacked after a week. The hacker decided to stop trying though he found a handful of vulnerabilities in the Linux machine, but didn't want to waste the time developing programs to exploit them.
MacOS is far from perfect, same as Windows, same as Linux. Linux has the advantage being open source. Anyone can help to resolve any issue in the code, as Mac and Windows need to be taken care of by their respective companies.
And for the record, I use Vista.
- rdsmith1, on 05/16/2008, -1/+2"Yes, because having one of the worst firewall programs ever in the release of 10.5 was a small vulnerability, right? You tell it to block all incoming/outgoing ports and what does it do, leave a handful still open, unprotected." I wasn't even referring to that, but ok. Yes, you're right that wasn't a small thing, but they patched it before anything happened, right? THAT was the point that I was essentially trying to make. Every single time ANY sort of vulnerability (and I was emphasizing the small ones) is discovered, someone always says something like "apple's becoming just as bad as microsoft" or "it's just a matter of time before macs are littered with viruses" or "lolz, macs are teh suxors now!!!1one!", and nothing ever happens. It's just a repetitive cycle.
And as for the mac being hacked, it wasn't just hacked manually from the outside. It required the user to manually navigate to a specific website that exploited a security flaw in Safari (not OS X itself), and ran code allowing the person who created the website to then gain access to the mac. Yes, it was somewhat embarrassing, but apple's not perfect and **** happens. Given how long OS X has been out, and the amount of time that many mac users have been running it with their software firewalls turned off completely, I'd say it has a damn good track record.
- jabberwolf, on 05/17/2008, -2/+2"And as for the mac being hacked, it wasn't just hacked manually from the outside. It required the user to manually navigate to a specific website that exploited a security flaw in Safari (not OS X itself), and ran code allowing the person who created the website to then gain access to the"=
It was DONE in 5 minutes and the same rules applied to LINUX AND WINDOWS YA MACTARD!
"Given how long OS X has been out, and the amount of time that many mac users have been running it with their software firewalls turned off completely, I'd say it has a damn good track record."
Another mactard comment - why? Go back to school and learn linear growth and exponential growth. Purely by the small amount of OSX users out there, spreading a virus would be slow at best if not actually meet dead ends. Apple's defense is simply scarceness!
And no, that's not a good system.
OSX - has had open security flaws for YEARS that they never fixed. Their excuse was it was a security issue, but no one really was worried because no one was making an exploit for it. Why? Because NO ONE CARES ABOUT OSX!
- rdsmith1, on 05/17/2008, -1/+1I never made any contention about the time that it took, I never said that nothing was exploited, and I never said anything about Linux or Windows, did I? No, I didn't, so your first response is completely pointless.
How is my comment about how long OS X has been out "another mactard comment"? OS 8 and 9 had malware, including viruses and trojans, and the mac market share was far less then than it is now. Yes, OS X can have malware, and yes it can have viruses and trojans, but all 3 or 4 proofs of concept that have been created in the 7 years that OS X has been around have all required action by the user, as in manually downloading an image file, manually opening said image file, manually opening whatever file(s) it contained, AND inputting the user's admin password for ANYTHING to happen. It's how OS X is built, as well as almost any heavily Unix-based OS. The "security via obscurity" argument is a myth, and what I pointed out about OS 8 and 9 proves that.
No, OS X is NOT perfect, and you're right -- OS X has had security holes that went unpatched for years. But honestly, nothing EVER happened in the time that they were unpatched, and if OS X is not at all inherently more secure, as you're implying, then why was nothing ever achieved in the wild? If OS X's lack of malware and in-the-wild hacks is explained entirely by lack of market share and nothing else, then how do you explain that even with Apple's ever-increasing market share with every year, the number of real viruses, trojans and real-life (as in, not in a closed environment at a hacking convention) attacks is still at 0?
And no, Apple's defense is NOT scarceness... that's the excuse given by other people, who usually don't like Apple, and it's the very argument that you just used above.
- skyfex, on 05/16/2008, -0/+3I agree with rdsmith here. The register is making this out to be a lot worse than it is. And I don't think this should be labeled as a security bug. It's a feature that happens to be dangerous on Windows. Of course Apple should have thought of that though, made it an option and disabled it by default on Windows. Or they could give a warning when downloading an executable if they don't already.
I download a lot of files every day, and I prefer not to confirm every one, as I don't make a habit of visiting malicious websites (it's easy to avoid, at least 99,99% of the time).
I should mention I use Firefox and Opera on Windows, but I prefer Safari on Mac.
- saikyan, on 05/16/2008, -0/+2Some Digg users need to feel validated in their opinions and choices. When there are multiple options, camps form and throw rocks at each other... like there can be only one "right" and "wrong" answer. I think for many people commenting here, it's more about validation than sharing experience.
- esc27, on 05/16/2008, -11/+11Clearly this is a problem with Microsoft's shoddy Windows code as Apple's software is always 100% perfect on the Mac.
*sarcasm
- iindigo, on 05/16/2008, -3/+2Actually, that's quite possible. Safari for Mac and Safari for Windows have two entirely different codebases.
Safari for Mac is written in Objective-C/Cocoa while Safari for Windows is written in C++.
- johnomaz, on 05/16/2008, -2/+5Except if you read the article, it stated it can happen on both Apple and PC.
- jabberwolf, on 05/17/2008, -1/+2"Actually, that's quite possible. Safari for Mac and Safari for Windows have two entirely different codebases."
That only means it was written correctly for Windows and OSX can't seem to find a fix or patch for it because Apple again annoys vendors and is actually lazy when it comes to security.
- Morac, on 05/16/2008, -10/+7Another reason why Apple shouldn't be automatically installing Safari as a "security update" on Windows.
http://gizmodo.com/370832/apple-really-wants-windo ...
- MrViklund, on 05/16/2008, -1/+1Don't link to gizmodo... -1
- owenkun, on 05/16/2008, -3/+3And then it was all *beep beep beep* and icons showed up on my desktop.
And they were really *good* icons.
- johnomaz, on 05/16/2008, -9/+5Apple sure is lucky they have dumb users that, no matter what, will continue to use their products because they are more pleasing to the eye. I doubt Apple users will even care about the mass of files that get downloaded to their computer if they have pretty icons.
- MrViklund, on 05/16/2008, -0/+2I think Windows has the biggest share of "dumb" users. That's why there will be 1 million viruses and malware for the Windows platform at the end of this year... Now, I wonder which platform is more secure to use...
- FyberOptic, on 05/16/2008, -11/+4Apple? Having security issues? Say it ain't so!
One day people will realize that Apple is actually one of the worst companies in terms of security. If they had more marketshare, they'd be ***** so hard that prostitutes would be jealous.
- brianpocock, on 05/16/2008, -7/+8Just another example of Poor software from Apple and their "who cares, just so long as our hardware is over priced and looks pretty who's to know" attitude
- MrViklund, on 05/16/2008, -1/+2Just another comment from some Apple-hater that doesn't know what he/she is talking about.
- jabberwolf, on 05/17/2008, -1/+1Actually it's correct and he does know what he is talking about.
Apple has the highest markup on their hardware than any other vendor.
- Hamsterpotpies, on 05/16/2008, -10/+7And this is why I don't use a mac.
- shdwsclan, on 05/16/2008, -8/+3The better question to ask is......who actually uses safari.....
Apple software is in no way better than Windows software, except that unix/bsd part, which is open source and Apple didn't write anyways. There is only a small chunk of darwin that is actually Apple...
- lukbut, on 05/16/2008, -3/+4I'd love to see Apple take control of the PC market. I love their products but they're really stubborn sometimes!
- ZenMojo, on 05/16/2008, -1/+1So...Apple is only effective when they don't have to play in other peoples' yards? That's like being the best driver on your block without leaving your street. (Cue the Mac Attack Groupies flash mobbing the thread to diggbomb all dissent.)
- deizel, on 05/16/2008, -1/+1I know what you mean, Microsoft was really effective in Mac's back yard with their Internet Explorer releases. Fail tbh.
- MrViklund, on 05/16/2008, -3/+3FUD?
I think Apple's security people know what they are talking about.
- slcseifist, on 05/17/2008, -2/+2No one except Digg users care about Safari, Apple is a company that makes toys and Digg is full of little kids.
- jonahan52, on 05/17/2008, -1/+1I love this one .. hehe .. I bet you built your computer right? You know most toys these days have fine print .. Some assembly required.
- AppleMacStud, on 05/17/2008, -3/+1Get a Mac and you won't have to worry about this.
- cthellis, on 06/02/2008, -0/+1Both Apple and Microsoft need to get off their asses and fix the vulnerabilities. Apple especially needs to figure out who made that comment that's being quoted, because if indeed said vulnerability is "not being treated as a security issue," then they are plainly retarded. Smack that idiot upside the head and get on with it.
That being said, has there ever been a time where Microsoft has effectively said "...and for Pete's sake, do NOT use IE until we can figure out how to fix this!" every time there's been a similarly-bad exploit in IE through their long, long history of IE exploits?