Microsoft Warns Against Using Safari for Windows

Techtree News Staff, Jun 02, 2008 1940 hrs IST

The flaw was reported on May 15 by security researcher Nitesh Dhanjani, who termed the attack as "carpet bombing".

Microsoft has warned Windows users of the dangerous Apple's Safari for Windows flaw reported on May 15 by security researcher Nitesh Dhanjani. As per Dhanjani, the attack termed as "carpet bombing" exposes a security hole that allows downloading of potentially malicious executables on the victim's desktop. These malicious executables run automatically as normal Windows executables.
Thus, it's obvious that Safari can be used to victimize if it runs on Windows-based systems.

Dhanjani wrote on his blog, "Apple does not feel this is an issue they want to tackle at this time." While Apple takes it as "enhancement request", according to Aviv Raff, a security researcher, exploitation of the "carpet bombing" flaw with an IE bug could enable unauthorized access to attackers for running malicious software on the victim's computer.

Raff had reported the bug more than a year ago. The attack executes when a maliciously crafted Web site is visited by a victim on a Safari browser that triggers the "carpet bombing" attack and exploits the IE flaw. Even if the download location in Safari is changed, the Safari/IE flaw would still remain exploitable, according to Raff. Though both vulnerabilities are moderately on individual grounds, together they can create a critical flaw.

Having warned Windows users of the flaw, Microsoft has also addressed the issue. In their security advisory, they recommend that Windows users restrict usage of the Safari browser until such a time the update patch is made available. And that users change the download location to other than the desktop if at all they wish to continue to use Safari. All versions of Windows XP and Vista are affected by this flaw.

USER COMMENTS

thank u for ur advice...... i has been using safari for past 3 weeks.....

by raj, chennai, on Jun 08, 2008 02:19 PM, Report abuse Reply

A work around (thogh interim only) to this vulnerability is available. Configure your Safari browser to store downloads to any folder other than desktop. On your Safari toolbar, go to Edit. Select preferences and change default location (of storing downloads) from Desktop to a folder of your choice.

by yogeshb329, New Delhi, on Jun 03, 2008 02:36 PM, Report abuse Reply

I think the biggest issue in any internet security issue is almost always the user being stupid enough to click on a potentially dangerous site for the sake of a) money, b) tits, or c) someone they know sending them a link via email. The best security measure is usually just to be aware of what the heck you're doing before you just zip around on the internet onto random sites.

by Anonymous, Anon, on Jun 03, 2008 09:31 AM, Report abuse Reply

Funny thing is I don't hear about any Mac OS X maschines being compromised when using Safari? MAybe it's yet another gaping hole in Windoze Vista security that is the real issue. Nothing like drawing attention away from your own joke of an operating system! My OS X Safari system has never been compromised, ever! Can any Windoze user mak ethat claim, NOT!

by Sammyjs, Indpls., on Jun 03, 2008 12:44 AM, Report abuse Reply

Maybe because Windows is less security flawed than OSX? I hate Windows, but Vista is far more secure than Mac and it's joke of an OS. A good Linux/Unix box wins every time in that ring.

by Gzus, Laser Town, on Jun 02, 2008 11:42 PM, Report abuse Reply

How about a warning not to use Windows in general because of all the flaws!

by Bob, Green Harbor, MA., on Jun 02, 2008 11:20 PM, Report abuse Reply