Network Security, Patch/Configuration Management, Vulnerability Management

Microsoft warns over Safari “carpet bomb” attack

Updated on Monday, June 2 at 3:04 p.m. EST

Microsoft is warning Windows XP and Vista users who have installed Safari on their machines that a blended attack could result in malicious code being installed.

As a result, the Redmond, Wash.-based software giant is advising customers to discontinue using Safari for Windows until either Microsoft or Apple -- or both -- issue a fix.

"[The] security advisory does not refer to a vulnerability in either Safari or Windows," Tim Rains, security response manager for Microsoft, told in an email. "Rather, it describes a blended threat in which files may be downloaded to a user's machine without prompting, allowing them to be executed."

Rains said the threat is caused by two problems: the fact that Safari does not require user permission prior to a download, and the way in which the Windows desktop handles executables.

The former issue was reported earlier this month by Ernst & Young security researcher Nitesh Dhanjani.

"The Safari browser cannot be configured to obtain the user's permission before it downloads a resource," he wrote on his blog on May 15. "Safari downloads the resource without the user's consent and places it in a default location (unless changed)."

When Dhanjani reported this bug -- which he described as a "carpet bomb" -- to Apple, researchers there said they did not consider it to be a security threat, but said they would consider adding a feature that prompts users to approve any downloads before they occur.

He said attackers, in theory, could lure unsuspecting users to a maliciously coded site that will automatically download malware to the desktop. Then, this malcode can be executed on the desktop, without any user interaction.

Microsoft, apparently, deemed the threat much more severe than Apple and decided to issue the advisory late Friday.

Maxim Weinstein, manager of at the Berkman Center for Internet and Society at Harvard University, told Monday that Apple should have all along considered this a serious threat that needs a patch.

"Even before the Microsoft vulnerability piggybacked on the Apple one, to me, if a website can deposit files on someone's computer without them knowing it, that's a security risk," he said. "It provides a really easy avenue to get a user to launch a malicious application. They're miscategorizing something that's important."

As a workaround for those who wish to continue using Safari for Windows, the company recommends changing the download location in Safari to a location other than Desktop.

But security researcher Aviv Raff said Saturday in his blog that he does not think this workaround is enough.

"The Safari 'Carpet Bomb' vulnerability can be used in combination with other vulnerabilities in other products, so even if [Microsoft] fixes their vulnerability, Safari users will still be vulnerable," Raff wrote. "The current best solution is to stop using Safari until Apple fixes their vulnerability."

An Apple spokeswoman did not immediately respond to a request for comment.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.