Apple's Odd Attitude About Safari
David Utter Staff Writer
2008-05-16
The hallmark of Apple's products makes them work as invisibly as possible for their users. In the case of the Safari web browser, it downloads items without letting people know it's happening.
Most browser users probably have a passing familiarity with the dialogue box that pops up to ask whether or not they want to open or save something to their machines. With security concerns always a pertinent issue when surfing the Internet, it makes sense to have this little failsafe in place to catch something that might quietly load in the background.
Apple isn't all that worried about what its Safari users pick up in the World Wide Jungle. According to security researcher Nitesh Dhanjani, Safari's behavior enables a potential "carpet bombing" of one's machine with annoying files, or worse, malware.
"It is possible for a rogue website to litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in OSX). This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource," he said.
"Safari downloads the resource without the user's consent and places it in a default location (unless changed)."
He has been in touch with Apple over this and a couple of other security issues. Dhanjani repeatedly praised Apple's security team for its responsiveness.
We don't think many security pros will be as generous or forgiving. Silent behavior on the part of a widely used application, behavior that can have a deleterious effect, makes the task of keeping a machine secure incrementally more difficult.
Dhanjani cited part of Apple's response to the issue: "...the ability to have a preference to 'Ask me before downloading anything' is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated."
Security remains a trade-off between safety and convenience. The absolute safest environment would be the least convenient to people; indeed, I've heard it suggested by a major security vendor that this is part of the reason why more banks aren't offering two-factor authentication for their online services.
Those same people who can't handle typing in a number off a key fob into a login screen would be ideal victims for Dhanjani's carpet bombing scenario. Let's hope Apple decides a malware breakout merits a little urgency from their Human Interface engineers.
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.