Windows Safari - Don't save files to the Desktop
Posted Thursday, June 12, 2008 2:02 PM by hwaldron
Another new attack approach, in addition to "carpet bombing", is noted in this article. As a safer and more manageable practice, users should never save files to the Desktop from any browser. Instead, set up a dedicated folder called DOWNLOAD as the target for anything you save from email or web browsing. This way you can remember where it is stored, and you can isolate and scan it for malware as well.
Safari on Windows - not looking good
http://isc.sans.org/diary.html?storyid=4562
QUOTE: Now, when we combine these two vulnerabilities you get the following – a user visits a malicious web site with Safari. The web site causes Safari to automatically download the DLL file and store it on the desktop. The user now needs to open Internet Explorer from the Desktop in order to automatically execute the DLL file. Keep in mind that the shortcut to Internet Explorer has to be on the Desktop so the PATH environmental variable gets properly defined (it will make Internet Explorer search the current directory for the DLL file).
Overall, the sky isn't falling, but in my opinion both Microsoft and Apple (Safari) should fix these "features". I don't see a reason why Internet Explorer would look for the DLL file in the current directory (this would effectively prevent this vulnerability). Apple should also fix Safari so it at least prompts the user before downloading the file.
If you are using Safari on Windows, please change the default download location as described in Microsoft's advisory available at
http://www.microsoft.com/technet/security/advisory/953818.mspx
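The artifact this attack leaves behind is a DLL sitting on a user's Desktop, where it should never be. The following script is an added example (not from this post, the ISC diary or Microsoft's advisory) that audits every user profile's Desktop for recently written DLL files and hashes them so they can be submitted to a scanner. It assumes a Windows install where profiles live under the system drive's Users folder and PowerShell 4 or later (for Get-FileHash); the $ProfileRoot and $MaxAgeDays names are this example's own.

```powershell
# Added example: report DLL files recently written to any user's Desktop,
# the condition the Safari-to-Desktop download described above creates.
# Assumptions: profiles under <SystemDrive>\Users, PowerShell 4+ available.

param(
    [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users'),  # assumed default
    [int]$MaxAgeDays = 30                                        # how far back to look
)

$cutoff   = (Get-Date).AddDays(-$MaxAgeDays)
$findings = @()

foreach ($profile in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
    $desktop = Join-Path $profile.FullName 'Desktop'
    if (-not (Test-Path $desktop)) { continue }

    # A DLL has no legitimate reason to be on a Desktop; a recent one beside a
    # browser shortcut is exactly the setup the diary entry describes.
    Get-ChildItem -Path $desktop -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                User          = $profile.Name
                File          = $_.FullName
                SizeBytes     = $_.Length
                LastWriteTime = $_.LastWriteTime
                SHA1          = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Output "No DLL files newer than $MaxAgeDays days found on any Desktop under $ProfileRoot."
} else {
    Write-Warning "Found $($findings.Count) DLL file(s) on user Desktops; isolate and scan them before opening any shortcut stored there."
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so every profile's Desktop is readable; a clean result is one line, and anything else lists the user, path, size, timestamp and SHA1 of each DLL so it can be quarantined and scanned rather than left next to the Internet Explorer shortcut.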