Safari Carpet Bombing - A Bug in Different Context

In the past weeks, the issue with Apple's Safari browser has received very high media coverage.

For a short recap, the "carpet bombing" vulnerability lets a malicious web site dump a large number of files onto the user's desktop without any action from the user.

The issue that I would like to stress is that Apple has classified this problem as a 'nuisance', and has scheduled its fix for sometime this fall. It is a perfect example of the different views that customers and software companies take on the same issue.

In the previous analysis on the subject, we presented the most frequent reasons for this behaviour of software companies:

  1. There are insufficient human resources to address the issue.
  2. There are profitable change requests or projects to address instead, so this element is merely postponed, since the software company will not see a profit from engaging its resources in correcting this problem.
  3. The problem is caused by a design flaw in the system that is either very difficult or impossible to rectify in a reasonable time and within a reasonable budget.

Apple's reasons for shrugging off the 'carpet bombing' flaw are unknown at the moment. But I fear that Apple forgets several critical facts about the current state of things:

  1. The Safari browser is not the only browser on the market, even for MacOS systems.
  2. The price of all browsers is the same - ZERO USD.
  3. Users are becoming highly aware of their security, and wish to be well protected by their vendors (remember the notoriety of security issues at Microsoft).

In the described environment, there will be an adverse impact from Apple's decision, with people abandoning Safari in favor of other browsers. And if Steve Jobs wants to promote Apple as a platform, this is not the way to go.

Related posts

http://www.shortinfosec.net/2008/04/sla-lesson-software-bug-blues.html
http://blogs.zdnet.com/security/?p=1212
http://www.theregister.co.uk/2008/05/15/apple_safari_carpet_bombing_vuln/

Talkback and comments are most welcome
