Saturday, June 21st, 2008
Is Safari 3.12 affected by the vulnerability you mention in “BK on Safari, hunting Firefox”? The “carpet bomb” behavior COULD have been used in conjunction with Firefox to steal user files. This specific scenario has been patched.
Can an attacker use other, non-obvious ways to abuse the Safari (3.12)/Firefox interaction to steal files from the local file system? Yes, I know of three separate methods to accomplish this (Firefox 3 lessens the risk). Vendors have been informed and no details will be provided to the public. Don’t ask for additional details; I won’t give them until all this is straightened out.
Whose fault is this? That’s the whole point of the post. We have interaction between different software from different vendors. In isolation, the behaviors that are being abused here are not a high risk. It’s only when you combine the behaviors that they constitute a risk. Who should we blame? I don’t know, I don’t think anyone really knows… lots of people have their opinions though.