Microsoft urges Windows users to shut down Safari

Computerworld - In an unusual move, Microsoft Corp. on Friday warned Windows users to swear off Apple Inc.'s Safari Web browser until a patch is available that plugs holes that could let attackers compromise computers.

One security researcher noted that Microsoft's public warning — and Apple's silence on the subject — are typical for the two rivals and illustrate their different approaches to security.

Friday, the Microsoft Security Response Center (MSRC) issued a security advisory for what it called a "blended threat" caused by combination of a bug in Apple's Safari Web browser and a vulnerability in how Windows XP and Windows Vista handle executable files placed on the desktop.

"Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple's Safari for Windows has been installed," said the advisory.

The Safari bug Microsoft referred to is the same one disclosed two weeks ago by researcher Nitesh Dhanjani, which Apple declined to treat as a security issue, said Andrew Storms, director of security operations at nCircle Network Security Inc. "Clearly, that's what they're talking about," said Storms.

In mid-May, Dhanjani posted information about what he dubbed a "carpet bomb" attack made possible because Safari lacks an option to require a user's permission to download a file. Attackers, Dhanjani claimed, could populate a malicious site with rogue code that Safari would automatically download to the desktop.

Apple told Dhanjani that it did not consider the problem a security issue, but might fix it in a future Safari update. The next week, the anti-malware group Stopbadware.org criticized Apple for that position. "We encourage Apple to reconsider its stance and treat this as the security issue that it is," said the group in a statement May 19.

Then on Friday, Microsoft also fingered Safari as a problem. "Restrict use of Safari as a Web browser until an appropriate update is available from Microsoft and/or Apple," the company told users in the advisory.

But Microsoft also acknowledged that a successful attack would require not only leveraging the Safari bug, but also exploiting a vulnerability in its own software. "A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user's machine without prompting, allowing them to be executed," said Microsoft.

In the advisory, Microsoft called out Windows XP — including SP3, the newest service pack — and Windows Vista as vulnerable, as well as Internet Explorer 6 and IE 7.