June 2, 2008 9:59 AM PDT

Microsoft warns of Safari for Windows blended attacks

by Robert Vamosi

Microsoft has issued an advisory warning Windows users who have installed the Apple Safari for Windows browser that their systems may be vulnerable to attack.

The Safari "carpet bombing" attack was first described by Nitesh Dhanjani last month, but Apple declined to treat it as a serious threat. In Dhanjani's scenario, a user browsing with Apple Safari for Windows visits a maliciously crafted Web site such as http://malicious.example.com/. Because Safari does not know how to render a content type of blah/blah, Dhanjani says, it starts downloading carpet_bomb.cgi, and the downloaded files execute with the same rights as the logged-on user. The end result is that the victim's desktop is populated with a variety of malicious files.

(Credit: Nitesh Dhanjani)

Microsoft says it is the combination of Safari's default download location and the way the Windows desktop handles the files placed there that creates the blended threat; it affects all supported versions of Windows XP and Windows Vista on which Apple's Safari for Windows has been installed.

Microsoft notes that users who change the default Safari download location are not affected. To change it, open Preferences from the Edit menu and set a new location under "Save Downloaded Files to."

Microsoft may follow the advisory with a security update if needed.
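As an added illustration (not code from the article, Apple or Microsoft), the following Python models the download decision the article describes: a handler that writes any unrenderable Content-Type straight to the Desktop without asking, beside a hardened one that waits for the user's approval, saves to a dedicated folder, keeps only a sanitised base name from the advertised filename, and marks the file as downloaded from the Internet. The response headers and the Zone.Identifier sidecar are constructed for the example; on NTFS a browser would write that marker as an alternate data stream rather than a separate file.

```python
import os
import re
import tempfile

# Constructed sample response: unrenderable type, name chosen to look familiar.
SAMPLE_HEADERS = {"Content-Type": "blah/blah",
                  "Content-Disposition": 'attachment; filename="../../Word.exe"'}
SAMPLE_BODY = b"constructed sample bytes, not a real program"
RENDERABLE = {"text/html", "text/plain", "image/png", "image/jpeg", "application/pdf"}

def media_type(headers):
    return headers.get("Content-Type", "").split(";")[0].strip().lower()

def filename_from_headers(headers, fallback="download.bin"):
    # Base name only, so a crafted header cannot steer the file out of the folder.
    m = re.search(r'filename="?([^";]+)"?', headers.get("Content-Disposition", ""))
    name = os.path.basename(m.group(1).replace("\\", "/")) if m else ""
    return re.sub(r"[^\w.\-]", "_", name).strip(".") or fallback

def carpet_bomb_handler(headers, body, desktop):
    # Behaviour the article attributes to Safari for Windows: no prompt, straight to Desktop.
    if media_type(headers) in RENDERABLE:
        return ("render", None)
    path = os.path.join(desktop, filename_from_headers(headers))
    with open(path, "wb") as f:
        f.write(body)
    return ("saved", path)

def hardened_handler(headers, body, downloads, user_approved=False):
    # Unknown types wait for the user's decision; approved files go to a dedicated
    # folder and get a mark-of-the-web (sidecar file here, an NTFS stream in practice).
    if media_type(headers) in RENDERABLE:
        return ("render", None)
    if not user_approved:
        return ("prompt", None)
    os.makedirs(downloads, exist_ok=True)
    path = os.path.join(downloads, filename_from_headers(headers))
    with open(path, "wb") as f:
        f.write(body)
    with open(path + ".Zone.Identifier", "w") as f:
        f.write("[ZoneTransfer]\r\nZoneId=3\r\n")
    return ("saved", path)

def demo():
    # Run both handlers on the constructed response inside a scratch directory.
    root = tempfile.mkdtemp()
    desktop = os.path.join(root, "Desktop"); os.makedirs(desktop)
    downloads = os.path.join(root, "Downloads")
    return (carpet_bomb_handler(SAMPLE_HEADERS, SAMPLE_BODY, desktop),
            hardened_handler(SAMPLE_HEADERS, SAMPLE_BODY, downloads),
            hardened_handler(SAMPLE_HEADERS, SAMPLE_BODY, downloads, True))
```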

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by amandachuck June 2, 2008 10:18 AM PDT
Executing the downloaded files is the key. This shouldn't be allowed.

On the Mac, if Safari downloads a file that is executable, it has a tag attached that warns you and asks whether you want to launch it, no matter what your privileges are.
by anonymous x June 2, 2008 8:01 PM PDT
Have you ever heard of UAC in Windows Vista?
It pops up whenever something wants to install itself.
But apparently, most people hate that feature.
Do you get the point why people turn this feature off?
Because it drives people nuts (I leave it on though, it doesn't bother me).
So that's why unwanted software downloaded from Safari runs on Windows without user intervention: because if the user intervenes, they complain it's annoying.

People are going to bash Microsoft no matter what, on any feature.
If Windows allows software to run without the user knowing, the users complain about security.
If the user has to agree every single time something is installed, they complain about that also.
by open-mind June 2, 2008 10:22 AM PDT
Seems odd to me that the Windows desktop folder should behave differently from any other. Also seems odd that Apple hasn't addressed what seems like a simple issue. That being said...

Microsoft pointing out another browser's insecurities is kind of like Charles Manson pointing out another person's crazy behavior. ;-)
by Imalittleteapot June 2, 2008 2:26 PM PDT
Uhhh. It takes one to know one?
by amandachuck June 2, 2008 10:47 AM PDT
But the point is, MS is not fixing the flaw from their end. This is a joint problem, not an Apple-only problem. Windows shouldn't allow files to execute on their own after download. MS doesn't actually fix this flaw, but instead says to switch the folder. MS makes the OS here, and the OS is the gatekeeper. It is the police department. It should not allow third-party apps to break its security.
by Lerianis June 2, 2008 11:17 AM PDT
How are they supposed to prevent that? Answer: They cannot. The real issue here is that Apple made a piece of software with a HUGE security hole that someone could exploit.
Many other people had this SAME PROBLEM, and fixed it YEARS ago. Heck, Firefox pops up a warning asking you if you are ABSOLUTELY SURE you want to execute a file in question or open a file in question, unless you directly click on it in the Download window.
by shywolf9982 June 2, 2008 12:04 PM PDT
No, it's not an OS flaw. The OS MUST allow files to be executed no matter their location. Also because it is very complex for the OS to determine if the file has just been downloaded or not.
This kind of issue pertains more to Safari, which should NOT execute files with an unrecognized MIME type but instead prompt the user for their (optional) download.
Like, you know, any other browser.
by msjonker June 2, 2008 11:02 AM PDT
I don't think they execute on their own. I think it's the fact that it places the file right on your desktop. Someone could create a malicious executable with an icon that looks like something familiar, like a shortcut to Microsoft Word or something. Then when you double-click on it, you are actually the one executing it.
by Stariun June 2, 2008 11:13 AM PDT
Safari for Windows does not tag the files as downloaded from the Internet, which is quite problematic, but I wouldn't recommend Safari for anyone if Firefox is available.
Just don't use Safari, because Firefox is way better than it if you're not going to use IE.
by _IT_GUY June 2, 2008 11:35 AM PDT
An OS should not need to change every time a program causes a problem. If this was a generic freeware app from some no name person, the biggest thing that would happen is that MS might get word of the potential problem and may or may not put a fix out for it. Apple would react the same way.
If Firefox caused an issue like this, they would probably end up releasing an update to work around any limitations that the OS may have. ONLY because it's Apple is this an issue. An application developer should know what they are writing their application for. Apple...Just because other software developers can write programs for your OS, doesn't mean you can handle writing for others. Please stick to your proprietary stuff and leave the browser wars to the likes of Mozilla (Firefox) and Microsoft (IE).
by Riquez-001 June 2, 2008 3:58 PM PDT
proprietary stuff?
You say that as if IE and Windows aren't, when in fact they are the world's prime example of proprietary software.
by thedreaming June 2, 2008 11:38 AM PDT
Actually, Microsoft would rather you uninstall the safari browser altogether. That's why they are making such a big deal about an exploit that can be fixed simply by changing the default download directory.
by Tsee-1968031069905097881578618 June 2, 2008 11:44 AM PDT
Perhaps Apple defenders should remember that 1) Simply clicking on an infected file can in some cases execute malicious code, so this is a huge hole because if such a trojan/worm/virus is downloaded by the attack, a user could compromise the system by trying to delete it; and 2) Safari is pushed to QuickTime users as part of a "security" update. (I read Apple changed the update program but I still received an offer for Safari a few days ago during an update of QT.)
by Someone-else June 2, 2008 1:13 PM PDT
I don't think Microsoft should say that other browsers are badly done until making IE a decent browser.
by Seaspray0 June 3, 2008 8:12 AM PDT
Note to "Someone-else": Microsoft should say this browser is badly done if it leaves a big security hole like Safari just did. Software, I might add, that was not requested by the user but loaded anyway from a QT update. If you are using your standard of "decent browser" based on Safari, then your standards just went down the toilet.
by Spartan_458 June 2, 2008 1:44 PM PDT
Why would Microsoft release a security update for an Apple product?
by crisplusplus June 6, 2008 6:12 AM PDT
Because somebody needs to take care of users, if Apple doesn't want to. Since Apple is always blaming Windows for everything, for ignorant users, Apple can just turn around and claim it's all Microsoft's fault.
by wadah1111 June 2, 2008 2:08 PM PDT
You know what, I'm sticking with Firefox forever! Why? Because these guys (the people who created it) know what they are doing. IE is nothing; Safari is fast but still doesn't fulfill my desires. Every company should just try to do what they know how to do, so they give better performance in Windows or better photo editing on Mac or whatever; just keep off the competing-in-everything criteria!
by andrewFCIM June 2, 2008 2:31 PM PDT
Safari's choice to automatically download a file with an unknown content type is silly, but Windows' willingness to execute random executables without user intervention is downright CRAZY!
by Thomas, David June 2, 2008 3:34 PM PDT
Well, I'm a HUGE Apple fan, but this problem is Apple's. This version of Safari should account for the fact that it is running on top of a Microsoft Windows operating system. If the user can easily disable the threat with the simple click of an option, then it should be no problem for Apple to provide a fix that makes the Windows user's experience no more threatening than a Mac user's experience.

Apple can, and should, provide this simple fix.
by Riquez-001 June 2, 2008 4:08 PM PDT
I too think Apple should avoid software for Windows. It can only go badly. However, they do have a dilemma. Firstly they have to provide Windows versions of things like iTunes.
Secondly, they want to provide at least one piece of software for Windows that is not device specific, so Win users can try Apple software - a browser makes sense.
I don't think Apple want to enter the Windows software scene at all, they want to convert Windows users to OS X users.
by crisplusplus June 6, 2008 6:14 AM PDT
Apple has the option to build a Windows-native product and follow the Windows development guidelines; it didn't. That's a wrong decision from the start; it can't blame others.
by solitare_pax June 2, 2008 4:55 PM PDT
I'm a Mac user, and I tend to prefer Firefox myself.

Apple ought to fix this problem, that's for sure, otherwise no one will want their stuff. And bravo to Microsoft for pointing out a competitor's problem - now can they please go and get their own house in order instead of buying up another company?
by JLDSeattle June 2, 2008 5:56 PM PDT
My opinion is that it is both products' fault. The web product should not allow users to download files without them clicking to accept the download. And it is Windows' fault for not warning the user that this is a file downloaded from the Internet and asking whether they want to open it. When I download something on my Mac and try to open it, a dialog box comes up warning me that this file was downloaded from the Internet. If Safari isn't tagging the file as downloaded from the Internet (which it should, or it should follow standard practices for any web browser), then MS shouldn't allow the file to execute unless the user explicitly requests the file to execute. And if it is installing files, then it should require a username and password.
by open-mind June 3, 2008 8:19 AM PDT
It's in Apple's best interests to fix this security issue. It would be easy to do, plus the long-term success of Safari (as well as Firefox) will help eliminate Microsoft's IE browser monopoly. Then Microsoft will be required to follow web standards (instead of inventing their own), leveling the playing browser field. It's a no-brainer for Apple ... fix this issue ASAP.