Microsoft on Friday said it's investigating reports of "a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple's Safari Web browser has been installed."
An attacker could exploit the vulnerability by tricking a user into visiting a maliciously crafted Web site, which would initiate the download of malware without requiring the victim to take additional actions, according to Microsoft.
In a statement, Tim Rains, security response communications lead for Microsoft, said, "Safari is not installed with Windows XP or Windows Vista by default: It must be installed independently or through the Apple Software Update application."
Apple received considerable criticism in March when it opted to make its Safari Web browser available to Windows users by default, as part of an iTunes update. Mozilla CEO John Lilly said Apple's decision to do so "borders on malware distribution practices."
Microsoft has issued a Security Advisory that explains the issue and offers risk-mitigation advice. The company said that customers who have changed the default Safari download location are not at risk.
The issue arises from what security researcher Nitesh Dhanjani calls the Safari Carpet Bomb vulnerability. "It is possible for a rogue Web site to litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in Mac OS X)," he explained in a blog post.
"This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location (unless changed). ... The implication of this is obvious: Malware downloaded to the user's desktop without the user's consent."
Dhanjani said he has brought three security vulnerabilities to Apple's attention and that Apple said it plans to fix one of the issues reported, an undisclosed Safari vulnerability that could allow a remote attacker to steal files from the user's system.