Microsoft warns over Safari "carpet bomb" attack

Updated on Monday, June 2 at 3:04 p.m. EST

Microsoft is warning Windows XP and Vista users who have installed Safari on their machines that a blended attack could result in malicious code being installed.

As a result, the Redmond, Wash.-based software giant is advising customers to discontinue using Safari for Windows until either Microsoft or Apple -- or both -- issue a fix.

"[The] security advisory does not refer to a vulnerability in either Safari or Windows," Tim Rains, security response manager for Microsoft, told SCMagazineUS.com in an email. "Rather, it describes a blended threat in which files may be downloaded to a user's machine without prompting, allowing them to be executed."

Rains said the threat is caused by two problems: the fact that Safari does not require user permission prior to a download, and the way in which the Windows desktop handles executables.

The former issue was reported earlier this month by Ernst & Young security researcher Nitesh Dhanjani.

"The Safari browser cannot be configured to obtain the user's permission before it downloads a resource," he wrote on his blog on May 15. "Safari downloads the resource without the user's consent and places it in a default location (unless changed)."

When Dhanjani reported this bug -- which he described as a "carpet bomb" -- to Apple, researchers there said they did not consider it to be a security threat, but said they would consider adding a feature that prompts users to approve any downloads before they occur.

He said attackers, in theory, could lure unsuspecting users to a maliciously coded site that will automatically download malware to the desktop. Then, this malcode can be executed on the desktop, without any user interaction.

Microsoft, apparently, deemed the threat much more severe than Apple and decided to issue the advisory late Friday.

Maxim Weinstein, manager of StopBadware.org at the Berkman Center for Internet and Society at Harvard University, told SCMagazineUS.com Monday that Apple should all along have treated this as a serious threat that needs a patch.

"Even before the Microsoft vulnerability piggybacked on the Apple one, to me, if a website can deposit files on someone's computer without them knowing it, that's a security risk," he said. "It provides a really easy avenue to get a user to launch a malicious application. They're miscategorizing something that's important."

As a workaround for those who wish to continue using Safari for Windows, Microsoft recommends changing Safari's download location to a folder other than the Desktop.

But security researcher Aviv Raff said Saturday on his blog that he does not think this workaround is enough.

"The Safari 'Carpet Bomb' vulnerability can be used in combination with other vulnerabilities in other products, so even if [Microsoft] fixes their vulnerability, Safari users will still be vulnerable," Raff wrote. "The current best solution is to stop using Safari until Apple fixes their vulnerability."

An Apple spokeswoman did not immediately respond to a request for comment.
