Microsoft issues Safari-to-IE blended threat warning

Microsoft has issued a formal security advisory with a confirmation of public warnings that the Safari "carpet bombing" vulnerability presents a remote code execution threat on all supported editions of Windows XP and Windows Vista.

The pre-patch advisory from Redmond follows public pressure from the Google-backed StopBadware.org for Apple to rethink its stance that the Safari issue should be considered a serious security vulnerability.

From the Microsoft advisory:

A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed.

...An attacker could trick users into visiting a specially crafted Web site that could download content to a user’s machine and execute the content locally using the same permissions as the logged-on user.

According to the advisory, the Windows portion of the blended threat is linked to Internet Explorer (IE 6 and IE 7 on Windows XP and Windows Vista, all service packs included). Technical details on the combo-threat are being kept under wraps, but it is clear that Microsoft has actual proof that an IE vulnerability can be used in tandem with Nitesh Dhanjani's Safari bug to launch a malicious executable if a user surfs to a rigged site with Safari.

Officials in the MSRC (Microsoft Security Response Center) held discussions with Apple before releasing the advisory.

As a temporary mitigation, Microsoft recommends that Windows users restrict the use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.

Alternatively, if you must use Safari, you should change the download location of content in Safari to a location other than 'Desktop'. This can be done by launching Safari, opening Edit > Preferences, and selecting a different location on the local drive for the 'Save Downloaded Files to:' option.

My previous advice stands. Uninstall Safari and use an alternative browser on Windows.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...