Microsoft warns over Safari "carpet bomb" attack

Updated on Monday, June 2 at 3:04 p.m. EST

Microsoft is warning Windows XP and Vista users who have installed Safari on their machines that a blended attack could result in malicious code being installed.

As a result, the Redmond, Wash.-based software giant is advising customers to discontinue using Safari for Windows until either Microsoft or Apple -- or both -- issue a fix.

"[The] security advisory does not refer to a vulnerability in either Safari or Windows," Tim Rains, security response manager for Microsoft, told SCMagazineUS.com in an email. "Rather, it describes a blended threat in which files may be downloaded to a user's machine without prompting, allowing them to be executed."

Rains said the threat stems from two problems: Safari does not ask the user's permission before downloading a file, and the Windows desktop's handling of executables lets a file dropped there be run.

The Safari issue was reported in May by Ernst & Young security researcher Nitesh Dhanjani.

"The Safari browser cannot be configured to obtain the user's permission before it downloads a resource," he wrote on his blog on May 15. "Safari downloads the resource without the user's consent and places it in a default location (unless changed)."

When Dhanjani reported this bug, which he described as a "carpet bomb," to Apple, researchers there said they did not consider it a security threat, but said they would consider adding a feature that prompts users to approve downloads before they occur.

He said attackers could, in theory, lure unsuspecting users to a maliciously coded site that automatically downloads malware to the desktop. The dropped file can then be executed from the desktop without any further user interaction.

Microsoft, apparently, deemed the threat much more severe than Apple and decided to issue the advisory late Friday.

Maxim Weinstein, manager of StopBadware.org at the Berkman Center for Internet and Society at Harvard University, told SCMagazineUS.com Monday that Apple should have all along considered this a serious threat that needs a patch.

"Even before the Microsoft vulnerability piggybacked on the Apple one, to me, if a website can deposit files on someone's computer without them knowing it, that's a security risk," he said. "It provides a really easy avenue to get a user to launch a malicious application. They're miscategorizing something that's important."

As a workaround for those who wish to continue using Safari for Windows, Microsoft recommends changing Safari's download location to a folder other than the Desktop.
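Whether the download folder stays on the Desktop or is moved as Microsoft suggests, the tell-tale sign of the attack described above is a burst of files landing in that folder within seconds, some of them runnable. The following Python script is an added example, not code from the article, Microsoft or Apple: it scans a directory for Windows-runnable file types and for bursts of files written within a short window. The window size, the count threshold and the extension list are assumptions for illustration, and the sample entries are constructed rather than captured from a real machine.

```python
"""Flag a 'carpet bomb' style burst of unsolicited downloads in a folder.

Added example: scans a directory (by default the user's Desktop) for files
with runnable extensions and for bursts of files written within a short
time window. Thresholds and the extension list are illustrative assumptions.
"""
from __future__ import annotations

import os
from dataclasses import dataclass
from typing import Iterable

# File types Windows treats as directly runnable or auto-loadable (assumption:
# this list is a reasonable starting point, not an exhaustive one).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".pif",
                   ".js", ".vbs", ".hta"}


@dataclass(frozen=True)
class Entry:
    """One file in the download folder: its name and modification time."""
    name: str
    mtime: float  # seconds since the epoch


def scan_directory(path: str) -> list[Entry]:
    """Collect name and mtime for every regular file directly under `path`."""
    entries = []
    with os.scandir(path) as it:
        for dirent in it:
            if dirent.is_file(follow_symlinks=False):
                entries.append(Entry(dirent.name, dirent.stat().st_mtime))
    return entries


def executable_entries(entries: Iterable[Entry]) -> list[str]:
    """Names of files whose extension Windows would run or load as code."""
    return sorted(e.name for e in entries
                  if os.path.splitext(e.name)[1].lower() in EXECUTABLE_EXTS)


def burst_windows(entries: Iterable[Entry], window_s: float = 10.0,
                  min_count: int = 5) -> list[list[Entry]]:
    """Group files into bursts: >= min_count files written within window_s.

    Files are sorted by mtime and a window is anchored at each file in turn;
    when enough files fall inside it, that run is recorded and the scan
    resumes after it, so a single burst is reported once.
    """
    ordered = sorted(entries, key=lambda e: e.mtime)
    bursts: list[list[Entry]] = []
    i, n = 0, len(ordered)
    while i < n:
        j = i
        while j < n and ordered[j].mtime - ordered[i].mtime <= window_s:
            j += 1
        if j - i >= min_count:
            bursts.append(ordered[i:j])
            i = j
        else:
            i += 1
    return bursts


def assess(entries: Iterable[Entry], window_s: float = 10.0,
           min_count: int = 5) -> dict:
    """Summarise what a defender would want to know about the folder."""
    entries = list(entries)
    executables = executable_entries(entries)
    bursts = [[e.name for e in b] for b in burst_windows(entries, window_s, min_count)]
    return {
        "executables": executables,
        "bursts": bursts,
        "suspicious": bool(executables) or bool(bursts),
    }


# Constructed sample: one ordinary document from two hours earlier, then twenty
# copies of a runnable file written within two seconds (the carpet-bomb shape).
_BASE = 1_212_420_000.0  # fixed epoch seconds so the sample is deterministic
SAMPLE_ENTRIES = [Entry("report.pdf", _BASE - 7200)] + [
    Entry(f"update-{i}.exe", _BASE + i * 0.1) for i in range(20)
]


if __name__ == "__main__":
    print("sample folder:", assess(SAMPLE_ENTRIES))
    desktop = os.path.join(os.path.expanduser("~"), "Desktop")
    if os.path.isdir(desktop):
        print("your Desktop:", assess(scan_directory(desktop)))
```

Run it as a script to see the verdict on the constructed sample and, if the folder exists, on the current user's Desktop; point `scan_directory` at whatever folder Safari is configured to download into. A burst with no runnable files is still worth a look, since the page notes the download itself happens without consent.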

But security researcher Aviv Raff said Saturday in his blog that he does not think this workaround is enough.

"The Safari 'Carpet Bomb' vulnerability can be used in combination with other vulnerabilities in other products, so even if [Microsoft] fixes their vulnerability, Safari users will still be vulnerable," Raff wrote. "The current best solution is to stop using Safari until Apple fixes their vulnerability."

An Apple spokeswoman did not immediately respond to a request for comment.
