Saturday, June 21st, 2008

Clarification for “BK on Safari, hunting Firefox…”

Is Safari 3.12 affected by the vulnerability you mention in “BK on Safari, hunting Firefox”?  The “carpet bomb” behavior COULD have been used in conjunction with Firefox to steal user files.  This specific scenario has been patched.
Can an attacker use other, non-obvious ways to abuse the Safari (3.12)/Firefox interaction to steal files from the local file system?  Yes, I know of three separate methods to accomplish this (Firefox 3 lessens the risk).  Vendors have been informed and no details will be provided to the public.  Don’t ask for additional details; I won’t give them until all this is straightened out.


Whose fault is this?  That’s the whole point of the post.  We have interaction between different software from different vendors.  In isolation, the behaviors that are being abused here are not a high risk.  It’s only when you combine the behaviors that they constitute a risk.  Who should we blame?  I don’t know, I don’t think anyone really knows… lots of people have their opinions though. :)




Posted by xssniper | Filed in Uncategorized

7 Responses to “Clarification for “BK on Safari, hunting Firefox…””

  1. June 21st, 2008 at 10:20 pm

    Brenda said:

    we ought to all spend less time blaming, and more time fixing it

  2. June 22nd, 2008 at 1:22 am

    Billy Downer said:

    That’s clarification? I thought that the “Carpet Bomb” behaviour was fixed in 3.1.2. Are you saying it is not fixed? Are you really claiming that users should remove Safari 3.1.2 until Apple fix the issue? Because that’s how you’re being reported.

  3. June 22nd, 2008 at 1:26 am

    Billy Downer said:

    Are you saying that Safari 3.1.2 still displays the “Carpet Bomb” behaviour?

    This is what needs clarification.

  4. June 22nd, 2008 at 1:46 am

    Rev Brian Chambers said:


  5. June 22nd, 2008 at 2:25 am

    aussiebear said:

    The point is to find out what is the root cause of the problem, so it gets fixed and never happens again. It is NOT to blame.

    The problem is tech journalists will pick this up and sensationalize it. (That’s when people start assuming and blaming!)

    I have two questions though:

    (1) Does this issue affect Firefox 3 under Linux?

    (2) If I use Firefox 3 under Windows XP Pro, will the security issue work under a Limited User Account with Software Restriction Policy as defined here?


  6. June 23rd, 2008 at 12:54 pm

    rob said:

    you first have to determine who’s responsible for the problem (whether through blame or other means). you can’t have a fix until that happens. remember the little spat between IE and Firefox about a year ago?

  7. June 24th, 2008 at 10:30 am

    Kelley Bryant said:

    Good Stuff Billy…Keep it up
