Sponsored By

Microsoft Warns Of Security Vulnerability Arising From Apple's Safari

Unless the default Safari download location is changed, an attacker could exploit the vulnerability by tricking a user into visiting a maliciously crafted Web site, Microsoft said.

Thomas Claburn

May 30, 2008

2 Min Read

Microsoft on Friday said it's investigating reports of "a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple's Safari Web browser has been installed."

An attacker could exploit the vulnerability by tricking a user into visiting a maliciously crafted Web site, which would initiate the download of malware without requiring the victim to take additional actions, according to Microsoft.

In a statement, Tim Rains, security response communications lead for Microsoft, said, "Safari is not installed with Windows XP or Windows Vista by default: It must be installed independently or through the Apple Software Update application."

Apple received considerable criticism in March when it opted to make its Safari Web browser available to Windows users by default, as part of an iTunes update. Mozilla CEO John Lilly said Apple's decision to do so "borders on malware distribution practices."

Microsoft has issued a Security Advisory that explains the issue and offers risk-mitigation advice. The company said that customers who have changed the default Safari download location are not at risk.

The issue arises from what security researcher Nitesh Dhanjani calls the Safari Carpet Bomb vulnerability. "It is possible for a rogue Web site to litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in Mac OS X)," he explained in a blog post.

"This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location (unless changed). ... The implication of this is obvious: Malware downloaded to the user's desktop without the user's consent."

Dhanjani said he has brought three security vulnerabilities to Apple's attention and that Apple said it plans to fix one of the issues reported, an undisclosed Safari vulnerability that could allow a remote attacker to steal files from the user's system.

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights