Microsoft Warns Of Security Vulnerability Arising From Apple's Safari - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Government // Enterprise Architecture
07:42 PM
Connect Directly

Microsoft Warns Of Security Vulnerability Arising From Apple's Safari

Unless the default Safari download location is changed, an attacker could exploit the vulnerability by tricking a user into visiting a maliciously crafted Web site, Microsoft said.

Microsoft on Friday said it's investigating reports of "a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple's Safari Web browser has been installed."

An attacker could exploit the vulnerability by tricking a user into visiting a maliciously crafted Web site, which would initiate the download of malware without requiring the victim to take additional actions, according to Microsoft.

In a statement, Tim Rains, security response communications lead for Microsoft, said, "Safari is not installed with Windows XP or Windows Vista by default: It must be installed independently or through the Apple Software Update application."

Apple received considerable criticism in March when it opted to make its Safari Web browser available to Windows users by default, as part of an iTunes update. Mozilla CEO John Lilly said Apple's decision to do so "borders on malware distribution practices."

Microsoft has issued a Security Advisory that explains the issue and offers risk-mitigation advice. The company said that customers who have changed the default Safari download location are not at risk.

The issue arises from what security researcher Nitesh Dhanjani calls the Safari Carpet Bomb vulnerability. "It is possible for a rogue Web site to litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in Mac OS X)," he explained in a blog post.

"This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location (unless changed). ... The implication of this is obvious: Malware downloaded to the user's desktop without the user's consent."

Dhanjani said he has brought three security vulnerabilities to Apple's attention and that Apple said it plans to fix one of the issues reported, an undisclosed Safari vulnerability that could allow a remote attacker to steal files from the user's system.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Why 2021 May Turn Out to be a Great Year for Tech Startups
John Edwards, Technology Journalist & Author,  2/24/2021
How GIS Data Can Help Fix Vaccine Distribution
Jessica Davis, Senior Editor, Enterprise Apps,  2/17/2021
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll