"Just a short time after Apple's recent acknowledgement of and patch of the Safari Carpet Bomb "blended" IE flaw,
blogger Nate McFeters of ZDNet's Zero-Day blog has pointed to research by Billy Rios of Microsoft that shows that the attack is still useful in a "blended" attack, this time with Firefox 2/3. Rios claimed that he is able to use the Safari Carpet Bomb attack, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed.
McFeters pointed out that Apple, which took some heat for not originally patching the issue, actually did a good job of addressing the issue, as it was not originally understood that code execution was possible (the details came out later). Rios seemed to echo a positive response by Apple in addressing the original issue, despite the media's portrayal.
Details of Rios's specific attack vector have been withheld until Apple has had time to patch or respond to this issue, but both researchers (McFeters and Rios) commented on the new attack threat that these blended types of attacks provide, and questioned who's responsibility it is to test for and fix these issues.
(email not shown publicly)
Had a Comment Modded Up
Days Read in a Row
You know, Callahan's is a peaceable bar, but if you ask that dog what his
favorite formatter is, and he says "roff! roff!", well, I'll just have to...