The 2008 Pwnie Nominee For Best Client-Side Bug

Safari carpet bomb (CVE-2008-2540)

Discovered by: Laurent Gaffié, Nitesh Dhanjani and Aviv Raff

Nitesh Dhanjani discovered a design error in Safari that allows an attacker to automatically download files to the user’s configured download directory (~/Downloads on Leopard, the desktop on previous versions of OS X and Windows). This can be used for a variety of attacks. First, you can litter the user’s desktop with files or drop malware onto their desktop, hoping that the user will click run it. Or you can just let Internet Explorer load a planted DLL automatically. This vulnerability also has the dubious distinction of bringing the term “blended threat” into the security vernacular.

(CVE-2008-2540)