From Dark Reading

Google Chrome also prone to similar attacks

Apple fixed the so-called "carpet bomb" vulnerability in its Safari browser for Windows after Microsoft issued a security advisory about it in July 2008, but to date the very same flaw in Safari for OS X is still unpatched.

Security researcher Nitesh Dhanjani, who alerted Apple of the flaw in May 2008, says the threat of an attacker exploiting this bug is alive and well today, especially with the growth in popularity of Safari and OS X. He says in 2008 Apple told him it didn't consider the issue a security vulnerability but more of a design issue, and that it didn't have plans to fix it anytime soon.

Dhanjani says the vulnerability could let a bad guy download malicious binaries and data files into the browser's Downloads folder without the user knowing because Safari does not ask the user whether he wants to save the file on his machine, which most other browsers do. So when a user visits a malicious website, Safari would allow the site to download files without prompting the user. "It just drops them into the Downloads folder and can serve you thousands of files without your knowing," Dhanjani says.

The main threat the flaw poses is a denial-of-service attack on the victim's machine, he says. The carpet bomb DoS attack would wipe out a session and "whatever you were working on would be gone," he says.

[More...] [Comments...]