On Jun 4, 2008, at 11:13 AM, mike wrote:

http://www.pcworld.com/article/id,145985-page,1/article.html?tk=synd_macworld

A good explanation of the problem from a Mac source. The bottom line is this apparently: The problem arises "because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource,"

This is a feature issue, not a security issue, i.e., social engineering. If the user says "Yes" and downloads the malware including package to the desktop, boom, package delivered. The problem is the vulnerability being exploited on the Windows side. Can you name any browser that natively will not download malware even if the user approves?


The other main sticking point is that even if MS fixes their bug, and they are already doing so, the Safari bug will STILL AFFECT systems. The same problem that works in conjunction with the MS bug can be exploited in other ways.

How? By downloading malware to another vulnerable location? Again, this is Safari's problem?



*************************************************************************
**  List info, subscription management, list rules, archives, privacy  **
**  policy, calmness, a member map, and more at http://www.cguys.org/  **
*************************************************************************
