
You’ve probably heard of the current problem with Safari running under Windows. It’s basically a trivial method to “carpet bomb” a user’s desktop (or other folder) with files.

Now, as far as I can tell, it’s not a way to actually execute code on a user’s system. It merely provides the ability to put tons of files on a system, which could then be executed.

However, according to Nitesh Dhanjani, who discovered the exploit, Apple believes this is not an issue and won’t be fixing it.

“…the ability to have a preference to “Ask me before downloading anything” is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.” [Emphasis mine]

Nitesh goes to great pains to emphasize that Apple has been extremely responsive and a great pleasure to deal with. And I have no doubt that they have been — Apple is comprised of a great deal of very nice, very smart people.

But maybe they don’t understand the Windows environment, in the broadest sense. They’ve shown they don’t understand the mores of Windows users, by forcing out security updates that include an unrelated application. And maybe they don’t understand our security environment. Perhaps life has been so pleasant in Apple Land that it’s like taking someone from the back-country and throwing them into the hardest areas of New York.

Anyone who has ever seen an infected spyware system knows what the desktop looks like: It’s a sea of icons providing shortcuts to various dubious sites. This method provides exactly that type of capability — a malware author can push all kinds of junk onto a desktop, saying “Click me for special savings!” and it could very well be malware.

But you’d have to have gone through that to understand how bad a “carpet bomb” can actually be. Perhaps Apple folks have been living in a bubble and simply haven’t seen this thing.

I hope this is fixed soon. Thankfully, Safari’s usage is still under 3%.

Alex Eckelberry