Microsoft warns over Safari "carpet bomb" attack

Updated on Monday, June 2 at 3:04 p.m. EST

Microsoft is warning Windows XP and Vista users who have installed Safari on their machines that a blended attack could result in malicious code being downloaded to, and then run from, their systems.

As a result, the Redmond, Wash.-based software giant is advising customers to discontinue using Safari for Windows until either Microsoft or Apple -- or both -- issue a fix.

"[The] security advisory does not refer to a vulnerability in either Safari or Windows," Tim Rains, security response manager for Microsoft, told SCMagazineUS.com in an email. "Rather, it describes a blended threat in which files may be downloaded to a user's machine without prompting, allowing them to be executed."

Rains said the threat stems from two problems working together: Safari does not ask the user for permission before it downloads a file, and the Windows desktop handles executables placed there in a way that lets such a file run.

The former issue was publicly reported in May by Ernst & Young security researcher Nitesh Dhanjani.

"The Safari browser cannot be configured to obtain the user's permission before it downloads a resource," he wrote on his blog on May 15. "Safari downloads the resource without the user's consent and places it in a default location (unless changed)."

When Dhanjani reported this bug -- which he described as a "carpet bomb" -- to Apple, researchers there said they did not consider it to be a security threat, but said they would consider adding a feature that prompts users to approve any downloads before they occur.

He said attackers could, in theory, lure unsuspecting users to a maliciously coded site that automatically downloads malware to the desktop. Combined with the Windows-side behaviour Microsoft describes, that dropped code could then be executed from the desktop without any further user interaction.
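The practical check a user of Safari for Windows would want after reading this is whether anything executable has recently landed in the folder Safari writes to. The script below is an added example, not code from the article, from Microsoft or from Apple. It lists files in a directory that Windows would treat as executable or loadable, flagging them by extension and, for innocuously named files, by the "MZ" header that every Windows PE executable or DLL starts with. The extension list, the 24-hour window and the sample folder it builds are assumptions for the demonstration; point it at your Desktop and at whatever alternate download folder you chose for Microsoft's workaround.

```python
"""Triage helper: list recently dropped Windows-executable files in a folder.

Added example (not from the original article). Assumptions: the extension
list below is practical rather than exhaustive, and "recent" means modified
within the last 24 hours unless the caller says otherwise.
"""
import os
import tempfile
import time
from dataclasses import dataclass

# File types Windows will run or load without further prompting (assumption:
# a representative list, not a complete one).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".vbs", ".js", ".hta", ".msi",
}

# Every Windows PE executable or DLL begins with the DOS stub magic "MZ".
PE_MAGIC = b"MZ"


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str
    age_seconds: float


def has_pe_header(path):
    """True if the file starts with the PE/DOS 'MZ' magic, whatever its name."""
    with open(path, "rb") as fh:
        return fh.read(len(PE_MAGIC)) == PE_MAGIC


def find_dropped_executables(directory, max_age_seconds=24 * 3600, now=None):
    """Return Findings for recently modified files that look executable.

    A file is reported if its extension is one Windows executes, or if it
    carries a PE header under a non-executable name (e.g. photo.jpg).
    """
    now = time.time() if now is None else now
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        age = now - os.path.getmtime(path)
        if age > max_age_seconds:
            continue  # old file, not something a recent visit dropped
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(Finding(path, f"executable extension {ext}", age))
        elif has_pe_header(path):
            findings.append(
                Finding(path, "PE header (MZ) under a non-executable name", age)
            )
    return findings


def build_sample_download_dir(root):
    """Populate a folder with constructed sample files (not real downloads)."""
    samples = {
        "report.pdf": b"%PDF-1.4 constructed sample, not a PE file",
        "update.exe": PE_MAGIC + b"\x90\x00 constructed sample PE",
        "helper.dll": PE_MAGIC + b"\x90\x00 constructed sample DLL",
        "photo.jpg": PE_MAGIC + b"\x90\x00 PE hiding under an image name",
        "old.exe": PE_MAGIC + b"\x90\x00 dropped days ago, outside the window",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    three_days_ago = time.time() - 3 * 24 * 3600
    old = os.path.join(root, "old.exe")
    os.utime(old, (three_days_ago, three_days_ago))


def demo():
    """Build the sample folder, scan it, and return {filename: reason}."""
    root = tempfile.mkdtemp(prefix="carpet-bomb-triage-")
    build_sample_download_dir(root)
    return {os.path.basename(f.path): f.reason
            for f in find_dropped_executables(root)}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

Run it as-is to see the constructed sample, or call `find_dropped_executables` on your real Desktop path; a hit is a prompt to investigate, not proof of compromise, since legitimate installers also land there.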

Microsoft evidently judged the threat far more serious than Apple did, and issued its advisory late Friday.

Maxim Weinstein, manager of StopBadware.org at the Berkman Center for Internet and Society at Harvard University, told SCMagazineUS.com Monday that Apple should have all along considered this a serious threat that needs a patch.

"Even before the Microsoft vulnerability piggybacked on the Apple one, to me, if a website can deposit files on someone's computer without them knowing it, that's a security risk," he said. "It provides a really easy avenue to get a user to launch a malicious application. They're miscategorizing something that's important."

As a workaround for those who wish to keep using Safari for Windows, Microsoft recommends changing Safari's download location to a folder other than the Desktop.

But security researcher Aviv Raff wrote on his blog Saturday that he does not consider this workaround sufficient.

"The Safari 'Carpet Bomb' vulnerability can be used in combination with other vulnerabilities in other products, so even if [Microsoft] fixes their vulnerability, Safari users will still be vulnerable," Raff wrote. "The current best solution is to stop using Safari until Apple fixes their vulnerability."

An Apple spokeswoman did not immediately respond to a request for comment.
