Saturday, June 21st, 2008

Clarification for “BK on Safari, hunting Firefox…”

Is Safari 3.12 affected by the vulnerability you mention in, BK on Safari, hunting Firefox?  The “carpet bomb” behavior COULD have been used in conjunction with Firefox to steal user files.  This specific scenario has been patched.
Can an attacker use other, non-obvious ways to abuse the Safari (3.12)/Firefox interaction to steal files from the local file system?  Yes, I know of three separate methods to accomplish this (Firefox 3 lessens the risk).  Vendors have been informed and no details will be provided to the public.  Don’t ask for additional details, I won’t give them until all this is straightened out.  


Whose fault is this?  That’s the whole point of the post.  We have interaction between different software from different vendors.  In isolation, the behaviors that are being abused here are not a high risk.  It’s only when you combine the behaviors does it constitute a risk.  Who should we blame?  I don’t know, I don’t think anyone really knows… lots of people have their opinions though. :)




Posted by xssniper | Filed in Uncategorized

  • Brenda

    we ought to all spend less time blaming, and more time fixing it

  • Billy Downer

    That’s clarification? I thought that the “Carpet Bomb” behaviour was fixed in 3.1.2. Are you saying it is not fixed? Are you really claiming that users should remove Safari 3.1.2 until Apple fix the issue? Because that’s how you’re being reported.

  • Billy Downer

    Are you saying that Safari 3.1.2 still displays the “Carpet Bomb” behaviour?

    This is what needs clarification.

  • Rev Brian Chambers


  • aussiebear

    The point is to find out what is the root cause of the problem, so it gets fixed and never happens again. It is NOT to blame.

    The problem is tech journalists will pick this up and sensationalize it. (That’s when people start assuming and blaming!)

    I have two questions though:

    (1) Does this affect issue Firefox 3 under Linux?

    (2) If I use Firefox 3 under Windows XP Pro, will the security issue work under a Limited User Account with Software Restriction Policy as defined here?


  • rob

    you first have to determine who’s responsible for the problem (whether through blame or other means). you can’t have a fix until that happens. remember the little spat between IE and Firefox about a year ago?

  • Kelley Bryant

    Good Stuff Billy…Keep it up