On his blog, Nitesh Dhanjani indicated that the Sarfari browser version 3.1 cannot be configured to obtain user permission before a download occurs.
“The implication of this is obvious: Malware downloaded to the user's desktop without the user's consent,” Dhanjani wrote.
This report follows recent news that Apple has tripled its market share for the Safari browser on Windows by targeting users through other popular Apple applications such as iTunes and QuickTime.
Although automatic downloads don't automatically run the programs, this is still a security risk, Rich Mogull of Securosis.com told SCMagazineUS.com on Monday.
“On a Windows system, downloads will default to the desktop, which could be used to trick the user into executing malicious software,” he said. “On Mac OS X Leopard, they will go into the ‘Downloads' folder, and a user might still be tricked into running the file if the attacker uses a clever name.”
Apple is failing to take into account that an attacker might try social engineering to trick the user with a file name and clever icon to get them to run the program, Mogull added.
He said this is “…clearly a security issue they should patch as quickly as possible.”
However, according to Dhanjani, his communications with Apple suggest that while the company believes allowing users to provide permission before downloading is a good idea, this problem isn't being treated as a security problem and there are no plans for a fix in the near future.
An Apple spokesperson did not respond to requests for comment.
Ray Wagner, managing vice president of Gartner, told SCMagazineUS.com that he believes Apple lacks the understanding of security implications from this problem.
“From a security perspective, any download of data or executable code to the client machine that occurs without the user's knowledge or approval would be considered a problem,” he said. “I would assume that this issue is something they would want to make it a priority to fix.”