Apple under pressure to fix Safari 'carpet bomb' flaw

ZDNet Blogs by Ryan Naraine - May 20, '08 1:37pm
The Google-backed StopBadware.org coalition has called on Apple to rethink its stance on whether the Safari "carpet bomb" issue reported by Nitesh Dhanjani constitutes a serious security risk. Dhanjani originally discovered that it is possible for a booby-trapped Web site to litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in OSX) with executables masquerading as legitimate icons. "This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location (unless changed)," Dhanjani said, warning that it could be used as a drive-by malware distribution mechanism. [See Nate's post for background] Apple has classified Dhanjani's...