Government // Enterprise Architecture
07:42 PM
Connect Directly

Microsoft Warns Of Security Vulnerability Arising From Apple's Safari

Unless the default Safari download location is changed, an attacker could exploit the vulnerability by tricking a user into visiting a maliciously crafted Web site, Microsoft said.

Microsoft on Friday said it's investigating reports of "a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple's Safari Web browser has been installed."

An attacker could exploit the vulnerability by tricking a user into visiting a maliciously crafted Web site, which would initiate the download of malware without requiring the victim to take additional actions, according to Microsoft.

In a statement, Tim Rains, security response communications lead for Microsoft, said, "Safari is not installed with Windows XP or Windows Vista by default: It must be installed independently or through the Apple Software Update application."

Apple received considerable criticism in March when it opted to make its Safari Web browser available to Windows users by default, as part of an iTunes update. Mozilla CEO John Lilly said Apple's decision to do so "borders on malware distribution practices."

Microsoft has issued a Security Advisory that explains the issue and offers risk-mitigation advice. The company said that customers who have changed the default Safari download location are not at risk.

The issue arises from what security researcher Nitesh Dhanjani calls the Safari Carpet Bomb vulnerability. "It is possible for a rogue Web site to litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in Mac OS X)," he explained in a blog post.

"This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location (unless changed). ... The implication of this is obvious: Malware downloaded to the user's desktop without the user's consent."

Dhanjani said he has brought three security vulnerabilities to Apple's attention and that Apple said it plans to fix one of the issues reported, an undisclosed Safari vulnerability that could allow a remote attacker to steal files from the user's system.

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of October 23, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll