Apple addresses "carpet bomb" Safari for Windows threat

Apple on Thursday delivered a fix for the "carpet bomb" vulnerability in Safari for Windows, a bug that the computing giant initially maintained was not a security issue.

The vulnerability, reported last month by Ernst & Young security researcher Nitesh Dhanjani, was related to the fact that the web browser did not require user permission prior to a download. When he contacted Apple to report the issue, the company told him it did not intend to patch the glitch because it did not deem the bug a security concern.

Apple changed its mind on Thursday, when it issued Safari 3.1.2 for Windows as a security update.

"Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code," Apple said in its security update. "Web browsers are a means by which files may be saved to the desktop. To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file."

What made the issue so serious was that the vulnerability could be exploited in concert with a bug in Internet Explorer concerning the way Windows loads executable code from the desktop, Joel Esler, a volunteer handler at the SANS Internet Storm Center and a Mac expert, said on Friday.

Esler said a blended attack could occur if a victim visited a malicious website in Safari for Windows. In theory, the site could drop a malicious DLL (dynamic-link library) onto the user's desktop without asking permission, and Internet Explorer would then load and execute that DLL automatically.

"The two vulnerabilities together made one massive problem," he said.

Proof-of-concept exploit code had already been published.

Microsoft, in a security advisory issued May 30, suggested users stop using Safari for Windows until Apple issued a fix.

"You can't just have Microsoft coming out and saying your browser is insecure," he said. "They've got to react. They've got to do something."

Thursday's security update from Apple includes fixes for three other, less critical vulnerabilities in Safari for Windows.

An Apple spokeswoman did not respond to a request for comment.