An anti-malware organization has called on Apple Inc. to beef up its Safari Web browser to protect users from exploits that could let attackers download malicious code to a Mac or Windows user's desktop.
Stopbadware.org, a group founded by Google, Chinese computer maker Lenovo Group Ltd. and Sun Microsystems Inc., on Monday asked Apple to reconsider its refusal to address the flaw as a security problem.
"StopBadware.org believes that users should have control over software being downloaded to their computers, and we encourage Apple to reconsider its stance and treat this as the security issue that it is," Stopbadware.org said in an appeal posted to its Web site.
The group's concern centered around an issue made public a week ago by Nitesh Dhanjani, a security researcher and the co-author of the book Network Security Tools. In a post to his own blog last week, Dhanjani spelled out what he called a "carpet bomb" attack possible via Safari.
According to Dhanjani, attackers could take advantage of the fact that Safari lacks an option to require a user's permission to download a file. Those attackers, Dhanjani claimed, could populate a malicious site with rogue code that in turn would automatically litter a user's desktop with malware.
Although Dhanjani praised Apple's security team for its rapid response to his queries, he also noted that the Cupertino, Calif.-based computer and consumer electronics maker passed on updating Safari to lock out such attacks.
After he suggested that Apple add a setting to Safari that could be toggled to ask the user before downloads are allowed, Dhanjani said he received this reply from the company's security group: "...the ability to have a preference to 'Ask me before downloading anything' is a good suggestion. We can file that as an enhancement request for the Safari team."
However, the issue is not a security problem, said Apple. "Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads."
Other browsers, including Microsoft Corp.'s Internet Explorer and Mozilla's Firefox, include options that prompt users before initiating downloads of some or all file types.
"Assuming Nitesh's analysis is accurate, 'unwanted downloads,' as Apple calls them, represent a serious security threat to users, who can be easily tricked into executing a malicious file," argued Stopbadware.org.
The group has rebuked Apple before. In March, when Apple started using its software update utility to push Safari 3.1 to Windows users , Stopbadware.org first noted the move , then later said that, following its usual practice, it had notified Apple it would soon issue a "badware" alert for the company's Software Update.
The day before Stopbadware.org was set to release that alert, Apple modified how the updater offered Safari 3.1, separating updates for already-installed programs from offers to install new software.
Apple did not reply to a request for comment on its security team's decision against adding a user-approval option to Safari.
For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.
- Sponsored Resource:Are you ready for virtualization? Try the sever assessment tool.
- Sponsored Resource:Stay at home servers. Learn more about a home server for your family.
- Sponsored Resource:Get the communications, data, and security a business needs in one neat package. Learn more.
- Sponsored Resource:Learn more about ultra light notebooks from Asus and the best warranty in the industry.
- Sponsored Resource:Thinking about a new Laptop? Lenovo has models to meet everyone's needs.
- Sponsored Resource:Get the truth about remanufactured ink. Learn more from HP.
- Sponsored Resource:Small budget, big impact. Create Brochures that pop with HP laser jets printers.
- Sponsored Resource:Six smart ways to grow small business IT
News For Your Business
- Watch Out for an IE Zero-Day Attack
- Trojan Poses as July 4th Video
- Malware is Getting Smarter, F-Secure Warns
- Malware, Spam, and other Net Pests Rev Up
- Security Firm Reports Trojan Targets Macs
Community Comments