Microsoft urges Windows users to shut down Safari
'Carpet bomb' Safari bug can be combined with unpatched IE vulnerability
May 31, 2008 12:00 PM ETComputerworld - In an unusual move, Microsoft Corp. on Friday warned Windows users to swear off Apple Inc.'s Safari Web browser until a patch is available that plugs holes that could let attackers compromise computers.
One security researcher noted that Microsoft's public warning — and Apple's silence on the subject — are typical for the two rivals and illustrate their different approaches to security.
Friday, the Microsoft Security Response Center (MSRC) issued a security advisory for what it called a "blended threat" caused by combination of a bug in Apple's Safari Web browser and a vulnerability in how Windows XP and Windows Vista handle executable files placed on the desktop.
"Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple's Safari for Windows has been installed," said the advisory.
The Safari bug Microsoft referred to is the same one disclosed two weeks ago by researcher Nitesh Dhanjani, which Apple declined to treat as a security issue, said Andrew Storms, director of security operations at nCircle Network Security Inc. "Clearly, that's what they're talking about," said Storms.
In mid-May, Dhanjani posted information about what he dubbed a "carpet bomb" attack made possible because Safari lacks an option to require a user's permission to download a file. Attackers, Dhanjani claimed, could populate a malicious site with rogue code that Safari would automatically download to the desktop.
Apple told Dhanjani that it did not consider the problem a security issue, but might fix it in a future Safari update. The next week, the anti-malware group Stopbadware.org criticized Apple for that position. "We encourage Apple to reconsider its stance and treat this as the security issue that it is," said the group in a statement May 19.
Then on Friday, Microsoft also fingered Safari as a problem. "Restrict use of Safari as a Web browser until an appropriate update is available from Microsoft and/or Apple," the company told users in the advisory.
But Microsoft also acknowledged that a successful attack would require not only leveraging the Safari bug, but also exploiting a vulnerability in its own software. "A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user's machine without prompting, allowing them to be executed," said Microsoft.
In the advisory, Microsoft called out Windows XP — including SP3, the newest service pack — and Windows Vista as vulnerable, as well as Internet Explorer 6 and IE 7.
Microsoft
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Death to PST Files
Download Now
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Tape Killed the IT Guy
Watch Now
Forrester Consulting Mobility Study: Taking Control of Enterprise Mobile Device Diversity
Download Now
BRM: What You Can Do To Reduce Risk In Challenging Times
Watch this webcast now!
What IT Must Do to Support Employee-Owned BlackBerry, iPhone and Android Mobile Devices
Download Now
Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise?
In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web".
eGuide: Enterprise Security
Smart Security Strategies for 2010. Read now!
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...

