The recent Safari Carpet Bombing bug reported by Nitesh Dhanjani and ignored by Apple had all the makings of an egg-on-face incident. We were discussing it over foosball, and the obvious consensus was “if a line starts with: “thats not exploitable, its only..” then odds are you are wrong..”
But.. lots of people quicker and smarter than me [1, 2, 3] blogged (or twittered) about why this was a silly approach for apple to take..
Interestingly.. Microsoft bloggers were quick to pounce on this PR-Fiasco in the making. Microsoft released a security advisory commenting on the danger of a “blended threat” – Now.. by accident (or by design) that advisory looks a lot like – “This is an Apple screwup!”, indeed one of the solutions is: “Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.”
The advisory (now) also credits “Aviv Raff” for his report. LiuDieYu0
filled in the details, pointing to Avivs 2006 Finding, which is a pure DLL search order bug (which incidentally was published as an IE7 bug). So now the Microsoft folks who were sneering at Safari all end up shuffling their feet a little while looking at the floor. All credit to RHensing from Microsoft, who quickly awarded Microsoft the FAIL open goat award too.. *ouch*
Like sands through the hourglass…