Security threats Toolkit

Apple dismisses Safari vulnerability claims

Elinor Mills CNET News.com

Published: 16 May 2008 08:49 BST

Safari users risk littering their desktops with malicious software because the browser does not ask for user permission when downloading files in the way Firefox and Internet Explorer do, a security researcher said on Thursday.

In a blog post titled Safari Carpet Bomb, Nitesh Dhanjani describes how a rogue website can easily download resources to the Windows desktop or downloads directory on the Mac. "Apple does not feel this is an issue they want to tackle at this time," Dhanjani writes.

An Apple representative told Dhanjani that an "enhancement request" for an "Ask me before downloading anything" preference would be filed with the Safari team. "Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads," the Apple representative wrote in an email to Dhanjani.

Watch this

Google: Security must always be on

That issue, coupled with the fact Safari doesn't warn users when a local resource, such as an HTML file, attempts to invoke client-side scripting, creates a risky situation for most browser users, Dhanjani said in an interview. "People are starting to expect more from browsers today," he said.

The Apple representative told him the company has been "investigating the potential for a 'safe' mode for local HTML".

Meanwhile, Apple does plan to fix a high-risk security vulnerability Dhanjani discovered. It could be used to remotely steal local files from a user's file system.

An Apple spokesman did not return a phone call and email seeking comment.

Credit: Apple dismisses Safari vulnerability from CNET News.com