A security researcher has published proof-of-concept code for the blended Internet Explorer (IE)-Safari for Windows threat.
Researcher Liu Die Yu, who has in the past discovered a number of IE bugs, published the code Sunday on his blog.
He wrote that the threat — described as a “carpet bomb” by researcher Nitesh Dhanjani, who first discovered the issue — is caused by a design flaw in IE, which could permit automatic remote code execution when a user downloads a file on Safari for Windows.
“A design flaw in Windows Internet Explorer, version 8 beta 7, and probably others, breaks the security of Safari for Windows shipped by Apple,” Liu Die Yu said. “Apple’s Safari for Windows downloads and saves requested file[s] to user’s desktop by default — this default behavior does not constitute a mistake.”
Meanwhile, Microsoft late Friday revised its security advisory to update its suggested workaround for the threat.
Researcher Aviv Raff had advised Microsoft that its initial workaround was not enough because the Safari hole could be used in combination with other product vulnerabilities, even if Microsoft fixed its flaw.
Microsoft agreed and revised the workaround. It now suggests users “change the download location of content in Safari to a newly created directory” — for instance, c:SafariDownload.