Security flaws in Apple’s Safari web browser are nothing new. Apple has been very good at keeping quiet about security issues regarding Safari, but its giant rival, Microsoft, has been taking a different and more vocal approach. Last Friday, Microsoft released Security Advisory (953818), which warns users of a “blended threat” caused by the combination of a security hole in Safari and the way Windows XP and Vista handle executables located on the desktop.
The Safari bug being referred to is called a “carpet bomb” attack, which was disclosed on May 15 by Nitesh Dhanjani. Essentially, the Safari hole would allow an attacker to automatically download malware to a user’s desktop by tricking the victim into visiting a website specifically crafted to exploit the vulnerability. When combined with the flaw in Windows, which has been linked to Internet Explorer by security researcher Aviv Raff, the malware could be executed without any sort of prompt or user permission on all XP and Vista machines with Safari installed. Therefore, in its security advisory Microsoft suggests that users “restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.” In the meantime, Microsoft recommends that Windows Safari users change the default downloaded files location in Safari to a location other than ‘Desktop.’
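The pattern the advisory describes is a browser silently writing a burst of files to the Desktop, where Windows may load executables from. The following is an added example, not code from the article or from Apple or Microsoft: a defender-side heuristic that scans a directory listing for a burst of executable-type files created within a short window. The sample listing, the extension set and the thresholds are assumptions chosen for illustration.

```python
"""Heuristic check for a 'carpet bomb' style drop: several executable-type
files created on the Desktop within seconds of each other (added example)."""
from pathlib import Path

# Assumption: extensions Windows would treat as loadable or executable if they
# landed on the Desktop; extend for your environment.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd"}


def find_bursts(entries, window_seconds=60, min_files=3):
    """entries: iterable of (file_name, creation_time_seconds).
    Groups executable-type files whose creation times are at most
    window_seconds apart and returns each group of at least min_files
    names, oldest first."""
    execs = sorted(
        (t, n) for n, t in entries if Path(n).suffix.lower() in EXECUTABLE_SUFFIXES
    )
    bursts, current = [], []
    for t, name in execs:
        if current and t - current[-1][0] > window_seconds:
            if len(current) >= min_files:
                bursts.append([n for _, n in current])
            current = []
        current.append((t, name))
    if len(current) >= min_files:
        bursts.append([n for _, n in current])
    return bursts


def scan_directory(path, window_seconds=60, min_files=3):
    """Apply the heuristic to a real directory such as the user's Desktop.
    st_ctime is creation time on Windows (inode change time elsewhere)."""
    entries = [(p.name, p.stat().st_ctime) for p in Path(path).iterdir() if p.is_file()]
    return find_bursts(entries, window_seconds, min_files)


# Constructed sample listing: ordinary files, then four executables written
# within ten seconds (the drop), then one unrelated executable hours later.
SAMPLE = [
    ("notes.txt", 1000.0), ("report.pdf", 1300.0),
    ("sqlite3.dll", 5000.0), ("setup.exe", 5002.5),
    ("helper.dll", 5004.0), ("installer.exe", 5010.0),
    ("photo.jpg", 5011.0), ("lone.exe", 9000.0),
]

if __name__ == "__main__":
    for burst in find_bursts(SAMPLE):
        print("suspicious burst:", burst)
    desktop = Path.home() / "Desktop"
    if desktop.is_dir():
        print("bursts on Desktop:", scan_directory(desktop))
```

Run it as a scheduled task against the Desktop, or point scan_directory at whatever folder the browser is configured to download into.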
This revelation wouldn’t be such a big deal considering Safari’s measly web browser market share, but with Apple “forcing” the install of Safari through its automatic update on Windows, attackers may find this worthwhile to exploit as the Safari install base slowly increases. Although Microsoft states that it is “unaware of any attacks attempting to exploit this blended threat,” that could only be a matter of time.