Full Report
The recent Safari Carpet Bombing bug reported by Nitesh Dhanjani and ignored by Apple had all the makings of an egg-on-face incident. We were discussing it over foosball, and the obvious consensus was “if a line starts with: ‘that's not exploitable, it's only...’ then odds are you are wrong.” But lots of people quicker and smarter than me [1, 2, 3] blogged (or twittered) about why this was a silly approach for Apple to take.
Analysis Summary
The article gives no CVE identifiers, specific technical details, or official severities. It focuses on the public reaction, organizational behavior, and a general description of the flaw, which it refers to as the "Safari Carpet Bombing bug."
# Vulnerability: Safari Carpet Bombing Bug (2008 Context)
## CVE Details
- CVE ID: [Information not specified in the text, historical context suggests a relevant ID would exist]
- CVSS Score: [Score not specified] ([Severity not specified])
- CWE: [Weakness type not specified, possibly related to DLL search order or resource loading]
## Affected Systems
- Products: Apple Safari (Browser)
- Versions: [Vulnerable versions not explicitly listed, assumed to be prior to a patch released around June 2008]
- Configurations: Standard installations of the affected Safari versions.
## Vulnerability Description
The vulnerability is described conceptually as a "Carpet Bombing bug" reported by Nitesh Dhanjani. The core discussion revolves around the initial dismissal of the finding by Apple ("that's not exploitable, it's only...") followed by broader community discussion suggesting it *was* exploitable. While the article heavily hints at a dynamic library/DLL search order issue (similar to a finding by Aviv Raff from 2006 regarding IE7), the precise technical details specific to the Safari flaw are not fully elaborated upon, other than its potential for being a "blended threat."
## Exploitation
- Status: Implied to be demonstrable/exploitable, as security vendors and researchers commented on its severity despite Apple's initial stance.
- Complexity: [Not specified, but the context implies it was significant enough to warrant vendor advisories]
- Attack Vector: Likely Network/Remote (via browsing a malicious page).
## Impact
- Confidentiality: [Impact level not specified]
- Integrity: [Impact level not specified]
- Availability: [Impact level not specified]
## Remediation
### Patches
- [Specific patch versions are not listed. The context implies Apple released an update following the controversy.]
### Workarounds
- Microsoft's advisory suggested: "Restrict use of Safari as a web browser until an appropriate update is available."
## Detection
- [Specific Indicators of Compromise (IOCs) are not detailed.]
- [Detection methods are not detailed.]
## References
- Initial Report: [defanged] http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html
- Microsoft Advisory (Referencing the danger): [defanged] http://www.microsoft.com/technet/security/advisory/953818.mspx
- Related research noted (Aviv Raff): [defanged] http://aviv.raffon.net/CommentView,guid,e2cf6515-db9a-4409-9127-daee249ad5de.aspx