Smokey's Security Weblog

veritas odium parit

Microsoft Security Advisory (953818): Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform

Published by Microsoft: May 30, 2008

Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default; it must be installed independently or through the Apple Software Update application. Customers running Safari on Windows should review this advisory.

At the present time, Microsoft is unaware of any attacks attempting to exploit this blended threat. Upon completion of this investigation, Microsoft will take the appropriate measures to protect our customers. This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customers needs.

Mitigating Factors:

• Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.

More: Microsoft TechNet

Apple, please fix your homework in a proper and decent way asap!

Added: May 31, 2008

For reason of the information provided in the original advisory provided by Nitesh Dhanjani on May 15, 2008 this blended thread have to be considered as being Highly Critical.

Excerpt original advisory:

1. Safari Carpet Bomb. It is possible for a rogue website to litter the user’s Desktop (Windows) or Downloads directory (~/Downloads/ in OSX). This can happen because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed).

2. Sandbox not Applied to Local Resources. This issue is more of a feature set request than a vulnerability. For example, Internet Explorer warns users when a local resource such as an HTML file attempts to invoke client side scripting. I feel this is an important security feature because of user expectations: even the most sophisticated users differentiate between the risk of clicking on an executable they have downloaded (risk perceived to be higher) to clicking on a HTML file they have downloaded (risk perceived to be lower).

3. [Undisclosed]. The third issue I reported to Apple is a high risk vulnerability in Safari that can be used to remotely steal local files from the user’s file system.

Remarkable and not  understandable: Apple let Nitesh Dhanjani know that they will fix only 1 of the issues he reported.

My advice: as long Apple haven’t fixed all the three issues mentioned in the original advisory, for security reasons don’t use Apple’s Safari (anymore).


May 31, 2008 - Posted by | Advisories, Alerts, Downloads, Malware, News, Recommended External Security Related Links, Vulnerabilities | , , , , , , , , , , , , , , , ,

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: