Microsoft Warns Of Security Vulnerability Arising From Apple's Safari - InformationWeek

5/30/2008
07:42 PM


Unless the default Safari download location is changed, an attacker could exploit the vulnerability by tricking a user into visiting a maliciously crafted Web site, Microsoft said.

Microsoft on Friday said it's investigating reports of "a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple's Safari Web browser has been installed."

An attacker could exploit the vulnerability by tricking a user into visiting a maliciously crafted Web site, which would initiate the download of malware without requiring the victim to take additional actions, according to Microsoft.

In a statement, Tim Rains, security response communications lead for Microsoft, said, "Safari is not installed with Windows XP or Windows Vista by default: It must be installed independently or through the Apple Software Update application."

Apple received considerable criticism in March when it opted to make its Safari Web browser available to Windows users by default, as part of an iTunes update. Mozilla CEO John Lilly said Apple's decision to do so "borders on malware distribution practices."

Microsoft has issued a Security Advisory that explains the issue and offers risk-mitigation advice. The company said that customers who have changed the default Safari download location are not at risk.

The issue arises from what security researcher Nitesh Dhanjani calls the Safari Carpet Bomb vulnerability. "It is possible for a rogue Web site to litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in Mac OS X)," he explained in a blog post.

"This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location (unless changed). ... The implication of this is obvious: Malware downloaded to the user's desktop without the user's consent."

Dhanjani said he has brought three security vulnerabilities to Apple's attention and that Apple said it plans to fix one of the issues reported, an undisclosed Safari vulnerability that could allow a remote attacker to steal files from the user's system.
