CNET también está disponible en español.

Ir a español

Don't show this again

SpaceX launches 'mighty mice,' beer barley Spotify Wrapped 2019 Cyber Monday The Mandalorian ep 5 James Bond No Time to Die trailer Baby Yoda plush

Apple dismisses Safari vulnerability

Security researcher says Apple not interested in fixing vulnerability that puts users at risk of downloading malware to their desktop but will fix a separate high-risk security issue in Safari.

Safari users are at risk of littering their desktops with malicious software because the browser does not ask for user permission when downloading files in the way that Firefox and Internet Explorer do, a security researcher said Thursday.

In a blog post titled "Safari Carpet Bomb," Nitesh Dhanjani describes how a rogue Web site can easily download resources to the Windows desktop or downloads directory on the Mac.

"Apple does not feel this is an issue they want to tackle at this time," he writes.

An Apple representative told Dhanjani that an "enhancement request" for an "Ask me before downloading anything" preference would be filed with the Safari team. "Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads," the Apple representative wrote in an e-mail to Dhanjani.

That issue, coupled with the fact that Safari doesn't warn users when a local resource, such as an HTML file, attempts to invoke client-side scripting, creates a risky situation for most browser users, Dhanjani said in an interview. "People are starting to expect more from browsers today," he said.

The Apple representative told him that the company has been "investigating the potential for a 'safe' mode for local HTML."

Meanwhile, Apple does plan to fix a high-risk security vulnerability that Dhanjani discovered. It could be used to remotely steal local files from a user's file system.

An Apple spokesman did not return a phone call and e-mail seeking comment.

"Since Safari does not know how to render content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served. If you are using Safari in Windows, this is what will happen to your desktop once you visit," Dhanjani writes in explaining this screenshot. Nitesh Dhanjani