Safari on Windows - not looking good
Last month Mark posted a diary about a security issue for users of Safari on Windows. There has been a lot of discussion about this over the past few weeks. The issue is not a typical security vulnerability in a single product, but a blended threat specific to Safari on Windows, a combined attack called "Safari Carpet Bomb".
Over the last weekend, a security researcher released proof of concept code that exploits this "feature" in Safari with another "feature" in Windows (yeah, a lot of "features" working together = a vulnerability).
The two "features" we're talking about here are these:
- In some cases, Internet Explorer will load DLLs from the Desktop. This is an old "feature" that has been known since December 2006. As far as I'm aware, it works only with Internet Explorer 7 (and probably 8 beta) on Windows XP; my tests on Vista failed.
- Safari for Windows will, by default, save files to the Desktop. This would not normally be a problem, but Safari does so without prompting the user at all (Firefox, for example, also saves to the Desktop by default, but prompts the user before saving the file).
Now, when these two vulnerabilities are combined, you get the following: a user visits a malicious web site with Safari. The web site causes Safari to automatically download the DLL file and store it on the Desktop. The user then needs to open Internet Explorer from the Desktop in order for the DLL file to be executed automatically. Keep in mind that the shortcut to Internet Explorer has to be on the Desktop so that the PATH environment variable gets defined properly (this makes Internet Explorer search the current directory for the DLL file).
Overall, the sky isn't falling, but in my opinion both Microsoft and Apple (Safari) should fix these "features". I don't see a reason why Internet Explorer should look for the DLL file in the current directory at all (removing this behavior would effectively prevent this vulnerability). Apple should also fix Safari so that it at least prompts the user before downloading a file. Apple has already said that they don't consider this to be a security issue (which is partially correct), but since other browsers prompt (at least Firefox and Internet Explorer), and it is good security practice, my humble opinion is that Apple should change this behavior.
Since the proof of concept is easily available, if you are using Safari on Windows please change the default download location as described in Microsoft's advisory at http://www.microsoft.com/technet/security/advisory/953818.mspx.
UPDATE
We received some really good submissions from our readers. Will Dormann did quite a bit of testing of this vulnerability and noticed that Internet Explorer on Windows XP SP2 behaves strangely and loads the DLL when it really shouldn't. The article at http://msdn.microsoft.com/en-us/library/ms682586.aspx describes the DLL search order. On Windows XP SP2, SafeDllSearchMode should be enabled by default, which should drop the current directory to 5th place in the search order, but for some reason Internet Explorer doesn't seem to follow this. Will confirmed that SafeDllSearchMode works as expected for other binaries, but IE appears to be special.
We also received several submissions stating that all versions of Internet Explorer (6 to 8) are affected. This also confirms what Brian Krebs wrote at http://blog.washingtonpost.com/securityfix/2008/06/revisiting_the_safari_vulnerab_1.html.
Finally, Jerry reminded us that it's generally not a good idea to store files on the Desktop in the first place, and I agree with this. By storing downloaded files in a dedicated folder you make sure that you can't execute them by mistake.
--
Bojan
Comments
JoelB
Jun 12th 2008
1 decade ago
ztirffritz
Jun 12th 2008
1 decade ago
Apart from a DLL on the desktop there are at least two other issues. Consider this file written to the desktop:
[InternetShortcut]
url=file:c:\windows\system32\calc.exe
Hotkey=13
After logging off and back on, pressing Enter will cause calc to start.
Another issue is with a file dropped on the desktop called isc.sans.org.lnk: if the user types isc.sans.org in the MSIE url-field, the shortcut will execute. AFAIK this was first mentioned by Roger A. Grimes here in 2006: http://www.infoworld.com/article/06/05/19/78413_21OPsecadvise_1.html
Bitwiper
Jun 12th 2008
1 decade ago
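The drop-file patterns described in the diary (a DLL planted on the Desktop) and in Bitwiper's comment (a .url file with a Hotkey and a file: target, a .lnk named like a hostname), turned into a defensive check: this is an added example, not code from the ISC post or its commenters. It scans one folder and reports suspicious files; the folder and every file in it are constructed stubs built by the script, and the SafeDllSearchMode setting itself is not inspected.

```python
import re
import tempfile
from pathlib import Path

# Hostname-like shortcut names (e.g. isc.sans.org.lnk), the case from Bitwiper's comment
HOST_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def parse_url_file(text):
    """Return key=value pairs of the [InternetShortcut] section, keys lowercased."""
    entries, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def scan_desktop(folder):
    """Return (filename, reason) findings for files planted in a Desktop-style folder."""
    findings = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix == ".dll":
            findings.append((path.name, "DLL on the Desktop: carpet-bomb / IE search-order target"))
        elif suffix == ".url":
            entries = parse_url_file(path.read_text(errors="replace"))
            if "hotkey" in entries:
                findings.append((path.name, "Internet shortcut defines a Hotkey"))
            if entries.get("url", "").lower().startswith("file:"):
                findings.append((path.name, "Internet shortcut targets a local file"))
        elif suffix == ".lnk" and HOST_LIKE.match(path.stem):
            findings.append((path.name, "shortcut named like a hostname"))
    return findings


def demo():
    """Scan a constructed sample folder (every file here is a fake stub)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "example.dll").write_bytes(b"MZ")  # constructed stub, not a real DLL
        (d / "calc.url").write_text("[InternetShortcut]\nurl=file:c:\\windows\\system32\\calc.exe\nHotkey=13\n")
        (d / "isc.sans.org.lnk").write_bytes(b"L\x00\x00\x00")  # constructed stub
        (d / "notes.txt").write_text("harmless")  # should produce no finding
        return scan_desktop(d)
```

Point scan_desktop() at a real Desktop folder to use it as a quick triage check; the demo() helper only exercises it against the constructed samples.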