Microsoft issues Safari-to-IE blended threat warning


Summary: Microsoft has issued a formal security advisory with a confirmation of public warnings that the Safari "carpet bombing" vulnerability presents a remote code execution threat on all supported editions of Windows XP and Windows Vista. The pre-patch advisory from Redmond follows public pressure from the Google-backed StopBadware.


Microsoft issues Safari-to-Windows blended threat warning

Microsoft has issued a formal security advisory with a confirmation of public warnings that the Safari "carpet bombing" vulnerability presents a remote code execution threat on all supported editions of Windows XP and Windows Vista.

The pre-patch advisory from Redmond follows public pressure from the Google-backed StopBadware for Apple to rethink its stance on whether the Safari issue should be considered a serious security vulnerability.

From the Microsoft advisory:

A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed.

...An attacker could trick users into visiting a specially crafted Web site that could download content to a user’s machine and execute the content locally using the same permissions as the logged-on user.

 [ SEE: Why Apple must fix Safari 'carpet bombing' flaw immediately ]

According to the advisory, the Windows portion of the blended threat is linked to Internet Explorer (IE 6 and IE 7 on Windows XP and Windows Vista, all service packs included). Technical details on the combo-threat are being kept under wraps, but it is clear that Microsoft has actual proof that an IE vulnerability can be used in tandem with Nitesh Dhanjani's Safari bug to launch a malicious executable if a user surfs to a rigged site with Safari.

Officials in the MSRC (Microsoft Security Response Center) held discussions with Apple before releasing the advisory.

[ SEE: Apple under pressure to fix Safari ‘carpet bomb’ flaw ]

As a temporary mitigation, Microsoft recommends that Windows users restrict the use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.

Alternatively, if you must use Safari, you should change the download location of content in Safari to a location other than 'Desktop'. This can be done by launching Safari, opening Edit > Preferences, and selecting a different location on the local drive for the 'Save Downloaded Files to:' option.
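A defender-side check in the spirit of that mitigation, added here as an example (it is not part of the original article or of Microsoft's advisory): it audits a directory, by default the user's Desktop, for recently written executable files and reports whether each one carries the Windows Zone.Identifier "mark of the web" stream, since a fresh, unmarked .exe or .dll on the Desktop is the trace a silent drive-by download would leave. The extension list and the one-hour window are assumptions chosen for the example.

```python
import os
import sys
import time
from pathlib import Path

# Extensions Windows runs directly when double-clicked, or that a program may
# load from its working directory. Constructed list for this example.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd"}


def has_mark_of_the_web(path: Path) -> bool:
    """True if the file carries a Zone.Identifier alternate data stream.

    Browsers on Windows add this stream to downloaded files so the shell can
    warn before running them. On non-NTFS volumes (and on Linux/macOS) the
    stream cannot exist, so the function reports False.
    """
    try:
        with open(f"{path}:Zone.Identifier", "rb") as ads:
            return b"ZoneId" in ads.read()
    except OSError:
        return False


def find_dropped_binaries(desktop: str, max_age_seconds: int = 3600) -> list:
    """List risky files written to `desktop` in the last `max_age_seconds`.

    Each finding records the path, its age and whether it is marked as a
    download; results are sorted newest first.
    """
    now = time.time()
    findings = []
    for entry in Path(desktop).iterdir():
        if not entry.is_file() or entry.suffix.lower() not in RISKY_EXTENSIONS:
            continue
        age = now - entry.stat().st_mtime
        if age > max_age_seconds:
            continue
        findings.append({
            "path": str(entry),
            "age_seconds": round(age),
            "marked_as_download": has_mark_of_the_web(entry),
        })
    return sorted(findings, key=lambda f: f["age_seconds"])


if __name__ == "__main__":
    # Default to the current user's Desktop; pass another directory to audit
    # a custom Safari download location instead.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.join(os.path.expanduser("~"), "Desktop")
    for f in find_dropped_binaries(target):
        print(f"{f['path']}  age={f['age_seconds']}s  motw={f['marked_as_download']}")
```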

My previous advice stands.  Uninstall Safari and use an alternative browser on Windows.

  • I don't get it

    Who in their right mind sets downloaded files as executable?

    666 may have theological problems but it's a great file permission setting for downloads.
    Yagotta B. Kidding
    • Windows: .exe = executable

      Windows, silly; everything with .exe is executable. I think XP and Vista typically try to pop up warnings if you try to execute downloaded stuff (so long as Safari sets the flag that the thing was downloaded).
      • Confirmation...

        It requests permission to execute code. It does this with any application that asks to interface with another application, or cause another application to launch automatically by opening a file.
  • RE: Microsoft issues Safari-to-IE blended threat warning

    Firefox > all. God bless Firefox 3 - what a great gift!
    • M$ issues Safari warning

      Quote: [i]Firefox > all. God bless Firefox 3 - what a great gift![/i]

      [b]Amen brother!!!!![/b]
  • Same Situation, Different Day

    Don't trouble yourself, Yagotta.

    Putting your browser in a sandbox is the only way to go and guarantees 'true' worry-free browsing.

    I was censored yesterday in this blog for trying to get that point across to the readership.

    The big 'secret' is that Novell's openSUSE includes AppArmor with profiles for Firefox. This effectively stops privilege escalation dead in its tracks.

    No need for Anti-malware, Anti-bot, Anti-virus software or any such truck.

    Free yourself. Get off of the Windows security treadmill. Switch to openSUSE and [u]Be Safe[/u].

    Dietrich T. Schmitz
    [i]Linux IT Consultant[/i]
    D T Schmitz
    • Doesn't that just open a whole other

      can of worms? Linux has its issues too. Isn't that just changing one set of problems for another?
      • Great questions

        AppArmor simply rules out anything 'bad' (or what wasn't permissioned) from happening for 'any' application, regardless of 'why'.

        Bugs are inevitable on any platform and the ne'er-do-wells will continue with their nefarious ways.

        It doesn't matter, the sandbox is there. You can either let AppArmor 'learn' what's ok or administratively specify in as much excruciating detail as you see fit what is or isn't ok.

        The Firefox profiles are present in openSUSE's local AppArmor repository and can be set up in just a few steps.

        No can of worms.

        Insanity: doing the same thing over and over again and expecting different results.

        Stop by my website to learn more. Be Safe.

        Dietrich T. Schmitz
        [i]Linux IT Consultant[/i]
        D T Schmitz
        • Ergh...

          I struggle to comment poorly on AppArmor, as I'm a big proponent, but I do caution you Dietrich, the same mantra of believing in one product to secure is what has led multiple vendors down the wrong path.

          Let's be honest about things, there's not been a ton of research into bypassing AppArmor. I'm not saying it is possible, but DEP and ASLR were certainly touted as great security enhancements (which they are), but have since been bypassed. If the focus switches to Linux, we may have similar problems.

          One would hope not, as Linux has a very strong track record (as does AppArmor, SELinux, PaX, W^X, etc.), but I just stress caution. Let's keep in mind, of all the OS's out there, Windows probably takes the most abuse from the researchers.

    • ZZZZZZZZZZ...nt

    • damn right

      OpenSuse is a kick ass operating system for linux. I'm using 10.3 and not complaining, all my multimedia needs at a 1 click instance.
  • Oh the irony...

    Microsoft saying don't run Safari because of a problem. Where were they saying "Don't run Windows, IE or ActiveX or whatever else" back in the day when they were as secure as a net is at holding water?
    • Really, really ironic..

      When MS says something against an Apple product, it's bad, but when Apple bashes MS in their ads it's perfectly ok?

      Oh the irony...
      • Don't try and say advertising is the same as an advisory (nt)

        • Yep, they're different.

          Bashing on advertisement is a desperate attempt to win some market share while an advisory is, well, just an advisory.

          Point is, I don't see anything wrong with the advisory. I think it's MS's responsibility to notify their users. It just happened that it concerns Apple's product. They SHOULD do it in ANY situation concerning ANY company.
          • Yet they don't advise people...

            To not use one of their own products when it's got major issues.
          • Label away...

            Maybe tomorrow I'll be called some other type of "fanbois."

            So, I guess you have no problem with the English education system's IT division specifying that Office 2k7 (and OXML too I think) should not be used is a perfectly acceptable thing to do.
          • The difference between advertising and advisories

            Since you are having difficulty distinguishing between the two the difference is that TV advertising has no chance of infecting your computer with a virus or worm. This tends to make advisories slightly more important to computer security than TV advertising.
            Hemlock Stones
          • The advisory is a bit specious, but...

            Microsoft HAS in the past issued advisories recommending that a product with security issues not be used. They never said "Just don't use IE", it's true, but they have recommended turning off features which could cause problems.

            In this case, since the Safari browser does not provide an option to disable the "feature" in question, that's not gonna be possible.

            The fact is, drive-by downloads are bad. Period. They're bad when Safari does it, and they're bad when IE does it.
          • Nice word...

            I think I will try to use specious more often :P

            I kind of agree with you, but remember that
            a) It's a blended threat
            b) Microsoft's advisory states...

            [i]At the present time, Microsoft is unaware of any attacks attempting to exploit this blended threat. Upon completion of this investigation, Microsoft will take the appropriate measures to protect our customers. This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customers' needs.

            Mitigating Factors:
            • Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.[/i]

            So, as there is apparently a (Microsoft sanctioned) way around the problem (that I presume they've tested) I have to conclude that this isn't as big a news item as it is pimped.