Apple exposed Mac users to security hole for two years

A security hole in Apple’s Safari went unfixed for two years while Windows users were protected.

The flaw was found by insecurity expert Nitesh Dhanjani, who worked out how to carry out a "carpet bomb" attack on a system using Safari as the attack vector.

According to Reuters, when he warned Apple about the problem, the company said it was more of an annoyance than anything else and that it intended to ignore it.

However, soon after Dhanjani went public with the flaw in May 2008, another security researcher showed how carpet bombing could be combined with another Windows attack to run unauthorised software on a Windows PC.

Once it had been shown to be a problem for Windows users, Apple shipped a fix for Safari on Windows, but not for Safari on Mac OS X.

Dhanjani said that even if no one has shown how to perform the same attack on the Mac OS X version of Safari, Apple should fix the issue on both platforms.

In a carpet bomb attack, the victim visits a malicious Web site, which then starts downloading unauthorised files to the victim’s computer without any sort of approval.

While most sane Web browsers warn the user and ask for explicit permission before saving a file locally, Safari goes ahead and saves the file into the default download location without asking.

Dhanjani believes Apple hasn’t fixed the problem because it might annoy Mac users to be asked if they want to download a file. “Apple wants to make everything so seamless that they don’t want the user to have to go through this extra process,” he said.

But this is exactly the same position that Microsoft found itself in a few years ago, when it was castigated because its browser chose usability over security.

Either way, when Microsoft does not fix a flaw for two years it gets blasted by the US trade press. However, this flaw has largely gone unreported and therefore unfixed. If Mac OS ever has enough users for hackers to bother with it, Apple is going to face a huge task fixing software going back years.