http://www.pcworld.com/article/id,145985-page,1/article.html?tk=synd_macworld

A good explanation of the problem from a mac source.  The bottom line is
this apparently:   The problem arises "because the Safari browser cannot be
configured to obtain the user's permission before it downloads a resource,"

The other main sticking point is that even if MS fixes their bug, and they
are already doing so, the safari bug will STILL AFFECT systems.  The same
problem that works in conjunction with the MS bug, can be exploited in other
ways.

Apple users have been told for so long they are more secure, common sense
eludes them.  That last pwn to own contest should have taken some of the air
out of these mac zealots...the guy that cracked the mac did so because in
his words it was the easiest platform to attack.  I'm starting to think that
only an all out attack on os x will ever convince some users.  But then
security by keeping the base users numbers so low that it's not worth an
attack seems to work as well.

Mike

On Wed, Jun 4, 2008 at 6:18 AM, Matthew Taylor <[EMAIL PROTECTED]>
wrote:

> Is it really a flaw?  As I understand it from what I have read on the web,
> Safari will download what you tell it to where you have told it to.  In the
> case of Windows, the default is the desktop, a fairly common choice.
>  Unfortunately for windows users, the desktop is an unsafe location because
> executables on the desktop work differently, read more permissively, than
> elsewhere.  The flaw in my view is thus on the Windows desktop.  Safari
> already has a fix available - choose a different location.   What would you
> have Apple do - code Safari to break the aspect of Windows that allows
> executables from the desktop?
>
> Matthew
>
>
> On Jun 3, 2008, at 2:52 PM, mike wrote:
>
>> They are naive and code badly because of it?  You keep spinning and yer
>> gonna get dizzy.   Apple also said they aren't going to fix the issue.
>> Professionalism?  Google apple microsoft zero day patch and you'll hit
>> articles showing apple is so professional they lag behind in issuing zero
>> day patches compared to MS.
>>
>> So to sum up.  Safari has a flaw, that enables a second flaw in explorer to
>> be exploited.  MS is going to patch explorer, Apple has zero plans to patch
>> even though when MS patches, the safari bug will still have security effects
>> on the system.  And you think MS is less professional than Apple is used to
>> working with?
>>
>> Mike
>>
>> On Tue, Jun 3, 2008 at 9:41 AM, Tom Piwowar <[EMAIL PROTECTED]> wrote:
>>
>>> Comments I've read from Windows programmers suggest that Apple's
>>> programmers may be a bit too naive about Windows. Despite hearing all the
>>> stories about Windows' foulness they still assume a higher level of
>>> quality and professionalism than Microsoft is able to deliver.
>>> Consequently problems like this fall through.
>>>
>>> Still, what is it about the Windows desktop that is particularly
>>> dangerous? Should I be concerned about keeping any files on the desktop?
>>>
>>>> The last paragraph is the critical one for Tom to notice.
>>>> *
>>>> According to Raff, unless Apple patches the bug, more attacks like the one
>>>> he found in IE are likely to pop up. "This is not the only issue that can be
>>>> combined with the Safari vulnerability," he said. "If Microsoft fixes this,
>>>> Safari users will still be vulnerable."
>
> *************************************************************************
> **  List info, subscription management, list rules, archives, privacy  **
> **  policy, calmness, a member map, and more at http://www.cguys.org/  **
> *************************************************************************
>

