Safari users risk littering their desktops with malicious software because the browser does not ask for user permission when downloading files in the way Firefox and Internet Explorer do, a security researcher said on Thursday.
In a blog post titled Safari Carpet Bomb, Nitesh Dhanjani describes how a rogue website can easily download resources to the Windows desktop or downloads directory on the Mac. "Apple does not feel this is an issue they want to tackle at this time," Dhanjani writes.
An Apple representative told Dhanjani that an "enhancement request" for an "Ask me before downloading anything" preference would be filed with the Safari team. "Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads," the Apple representative wrote in an email to Dhanjani.
That issue, coupled with the fact Safari doesn't warn users when a local resource, such as an HTML file, attempts to invoke client-side scripting, creates a risky situation for most browser users, Dhanjani said in an interview. "People are starting to expect more from browsers today," he said.
The Apple representative told him the company has been "investigating the potential for a 'safe' mode for local HTML".
Meanwhile, Apple does plan to fix a high-risk security vulnerability Dhanjani discovered. It could be used to remotely steal local files from a user's file system.
An Apple spokesman did not return a phone call and email seeking comment.
Talkback
This relies on social engineering. You would easily see all the downloads (and could delete them in one fell swoop) from the downloads window in Safari.
The second vuln though, the one that Apple will fix, is a problem that should be fixed.
"Safari users risk littering their desktops with malicious software because the browser does not ask for user permission when downloading files in the way Firefox and Internet Explorer do, a security researcher said on Thursday."
These days most files download to the DOWNLOADS folder and not the desktop...
This is not a security issue on a Mac because while Safari doesn't ask permission before downloading an application, the System queries any executable downloaded from the internet before opening it, including an offer to take you to the web site it was actually retrieved from.
As usual, the news media goes off half-cocked without asking any savvy Mac users what the situation really is.
This doesn't preclude human engineering, but there will always be folk who download files from dodgy sites, ignore the warnings, insert their banking details then moan when their accounts are stripped.