Saturday, October 1, 2011

carpet bombing

Apple let me know that they will fix one of the issues I reported.
I will not discuss the vulnerability Apple has promised to fix until they release the fix, because it is a high-risk issue affecting Safari on OS X and Windows.
Just let me know if you would like me to wait for some amount of time before I do this.
Response from Apple: we understand if you want to discuss these in the security community.
Before I get to the details, I want to make it extremely clear that the Apple security team has been a pleasure to communicate with.
I sent them a couple of emails asking for clarifications, and they responded quickly and courteously every time.
I want to publicly acknowledge that I appreciate this very much.
CGI every time it is served.
Apple does not feel this is an issue they want to tackle at this time.
In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system.
We can file that as an enhancement request for the Safari team.
Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads.
This will require a review with the human interface team.
We want to set your expectations that this could take quite a while, if it ever gets incorporated.
Sandbox not applied to local resources.
This issue is more of a feature set request than a vulnerability.
For example, Internet Explorer warns users when a local resource such as an HTML file attempts to invoke client-side scripting.
This is an area that requires a fairly deep investigation to address compatibility issues, and to determine the proper operation.
Please understand that when we label this as a security hardening measure, we are not discounting the benefits that this could have.
Apple responded positively and let me know that they are actively working to resolve the issue and issue a patch.
I will post an update if I hear back from them.
