
Microsoft: Safari Flaw a Danger to Windows Users

Microsoft warned on Friday that Apple's Safari Web browser for Windows exposes PCs to a security hole that permits potentially malicious files to be downloaded to a user's machine and run without prompting the user.

Microsoft's advisory comes two weeks after security researcher Nitesh Dhanjani warned both Redmond and Cupertino that Safari introduces a vulnerability in Windows and OS X machines, which allows any rogue Web site to "carpet bomb" the user's Desktop (Windows), or Downloads directory (Apple), with unwanted files (Safari is not installed by default on Windows machines).

Screenshot: Nitesh Dhanjani

Dhanjani said Apple indicated it wasn't in a hurry to fix the Windows vulnerability, if it ever got around to it.

"Apple does not feel this is an issue they want to tackle at this time," Dhanjani wrote on his blog. "In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system. Apple agreed it was a good suggestion:

'...the ability to have a preference to "Ask me before downloading anything" is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.'"

Microsoft evidently considers it a big deal: The software giant said in its advisory that it may release a security update to address the issue. Microsoft said the problem stems from a combination of the default download location in Safari and how the Windows desktop handles executables, which creates a situation in which files may be downloaded to a user's machine without prompting and allowing them to be executed.

Microsoft says that in the meantime, Windows users who wish to continue using Safari despite the vulnerability should change the default download location of content in Safari to a location other than 'Desktop'. To do this:

- Launch Safari. Under the Edit menu, select Preferences.

- At the option where it states Save Downloaded Files to, select a different location on the local drive.

While this vulnerability applies to both Mac and Windows machines, Apple has done a remarkable job introducing security holes in the Windows version of Safari that are not present in the version designed to run on Macs. Since Safari for Windows came out of the beta phase, Apple has patched at least 17 vulnerabilities. In the same time period, Apple fixed just 12 security flaws in the Mac version.

By Brian Krebs  |  May 31, 2008; 4:55 PM ET
Categories:  Latest Warnings  

Comments

Another reason why they shouldn't have *pushed* their crappy browser on windows users to begin with.

Posted by: Paul | May 31, 2008 6:37 PM | Report abuse

Microsoft should simply release a security patch that will remove Safari. If Apple whines about monopolies or unfair practices, Microsoft can honestly claim that it's an important security issue.

Posted by: ggordon | May 31, 2008 6:54 PM | Report abuse

Kinda reminds me of the breezy early days of Windows design when the Microsoft developers were described as chanting the ditty "The job's not done until 1-2-3 won't run." Lotus 1-2-3 was the trailblazing spreadsheet software from a Microsoft competitor, market-dominating over the fledgling Excel of the time.

Just like the Microsoft-Apple software market share today.

Posted by: kunino | May 31, 2008 7:53 PM | Report abuse

Apple has no business trying to make a statement on the PC platform. Stick to what they know best -- the Apple stuff. They're just going to hurt themselves.

Posted by: Jim | May 31, 2008 8:07 PM | Report abuse

well its a rotten apple

Posted by: ash | May 31, 2008 9:31 PM | Report abuse

Apple should stick with the Apple stuff... Apple will never catch up with IE or Firefox with their crappy browser.

Posted by: Hans | May 31, 2008 9:56 PM | Report abuse

Windows vulnerabilities? Good.

Posted by: res08hao | May 31, 2008 10:31 PM | Report abuse

This vulnerability is only as such if the imbecile who opens something out of curiosity blames it on someone else. As far as I am concerned, this just opens the possibility for a hacker to save a file on the system that fills the drive; not a possible virus being run because someone said "what is this?" That is unless they are that imbecile i mentioned above.

Posted by: debug | May 31, 2008 11:10 PM | Report abuse

Posted by: debunker | May 31, 2008 11:44 PM | Report abuse

Does anyone know what MS is referring to regarding the "executing" bit of the advisory? The advisory states that this is a "blended threat": one part is the download behaviour of Safari, and the second part is "how the Windows desktop handles executables".

The only part that has gotten wind in the press is the "don't use Safari" part. What is it with the desktop in Windows that is dangerous? My Computer.EXE with a nice logo? Or is it part of the search path?

Posted by: Magnum | June 1, 2008 3:31 AM | Report abuse

There is a better tabbed browser than Safari. It is elinks: http://elinks.or.cz It is one of the fastest browsers known to man.

Browsers like Firefox and Seamonkey are safer than Safari because they can run NoScript (Noscript.net).

The Washington Post forces users to leave Javascript turned on in order to use all the features of the site. This is not necessary and superior functionality could be obtained without Javascript. Forcing readers to turn on Javascript threatens their security and threatens the security of the United States of America. That might be acceptable for Bush "Pioneer" Tom Ridge, but for Americans of freedom who love our country, forced Javascript is almost treason.

http://www.tpj.org/page_view.jsp?pageid=203&pubid=85

Posted by: Singing Senator | June 1, 2008 8:12 AM | Report abuse

Spammers: Here we come - instant mass delivery direct to the Windows Desktop!

Posted by: L.Kramer | June 1, 2008 8:13 AM | Report abuse

For pure entertainment value, someone should go on slashdot and post a rumor that Microsoft is going to add Safari to next month's Mac-licious err, Malicious Software Removal Tool distro.

Posted by: OhioMC | June 1, 2008 9:32 AM | Report abuse

"Microsoft said the problem stems from a combination of the default download location in Safari and how the Windows desktop handles executables, which creates a situation in which files may be downloaded to a user's machine without prompting and allowing them to be executed."

This is a fault with the Windows desktop as much as Safari. Microsoft, though, doesn't provide guidelines for avoiding these "bugs"; indeed, why would the desktop be more vulnerable than any other folder? Physician, heal thyself...

Posted by: squeak | June 1, 2008 9:36 AM | Report abuse

"...forced Javascript is almost treason."
Posted by: Singing Senator

I believe that Benjamin Franklin first declared this in January of 1764. Of course, no one had a clue what he was talking about. Efforts by Franklin to introduce freedom from forced javascript as another of the inalienable rights presented to King George were hastily suppressed by Jefferson, who noted "What the bleeding heck is javascript?!"

Posted by: Patrick Huss | June 1, 2008 11:30 AM | Report abuse

The Desktop is more vulnerable than other folders because people use it as a navigation tool. What happens if I make my malware have the icon and name of "My Computer", "Recycle Bin", or "Microsoft Office Word"? One of the good things that came with XP SP2 is that it tags executables from the Internet, and prompts you before you run them. Safari does not, to my knowledge, take advantage of that functionality. This is, in fact, a very serious vulnerability on the part of Safari.

Posted by: Nathan | June 1, 2008 12:11 PM | Report abuse
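The article's mitigation (keep downloads away from the Desktop) and Nathan's point about Desktop masquerading and the XP SP2 Internet tag suggest a simple audit a defender can run. The Python script below is an added example, not code from the article, Microsoft's advisory or Apple: it scans a download folder for a burst of files created within seconds (the footprint of the "carpet bomb" Dhanjani described), for executables that carry no Zone.Identifier stream (the Mark-of-the-Web Windows attaches to Internet downloads, so there is no "are you sure?" prompt before they run), and for files whose names imitate desktop items. Reading the NTFS alternate data stream only works on Windows; the analysis functions take plain records and run anywhere. The 30-second window, the 10-file threshold, the extension list and the deceptive-name list are the example's own assumptions, not values from the page.

```python
"""Audit a download folder (e.g. the Windows Desktop) for the footprint of an
unprompted download flood. Added example; thresholds and lists are assumptions."""
import os
import sys
from dataclasses import dataclass
from typing import List, Optional

# File types Windows (or its script hosts) runs on double-click. Assumed list.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
                         ".dll", ".msi", ".hta", ".vbs", ".js"}

# Names a dropped file could borrow to pass for a real desktop item. Assumed list.
DECEPTIVE_STEMS = {"my computer", "recycle bin", "my documents",
                   "internet explorer", "microsoft office word"}


@dataclass
class FileRecord:
    name: str                # file name only, e.g. "update.exe"
    created: float           # creation time in epoch seconds
    zone_id: Optional[int]   # ZoneId from Zone.Identifier stream, None if absent


def is_executable(name: str) -> bool:
    return os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS


def is_deceptive_name(name: str) -> bool:
    return os.path.splitext(name)[0].strip().lower() in DECEPTIVE_STEMS


def parse_zone_id(stream_text: str) -> Optional[int]:
    """Extract ZoneId from Zone.Identifier text ('[ZoneTransfer]', 'ZoneId=3');
    3 is the Internet zone. Returns None when no ZoneId line is present."""
    for line in stream_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "zoneid" and value.strip().isdigit():
            return int(value.strip())
    return None


def read_zone_id(path: str) -> Optional[int]:
    """Open the NTFS alternate data stream 'path:Zone.Identifier'. Only NTFS on
    Windows has such streams, so other platforms always report None."""
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_id(stream.read())
    except OSError:
        return None


def scan_directory(path: str) -> List[FileRecord]:
    """Build a FileRecord for every regular file directly under `path`."""
    records = []
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                st = entry.stat(follow_symlinks=False)
                records.append(FileRecord(entry.name, st.st_ctime,
                                          read_zone_id(entry.path)))
    return records


def largest_burst(records: List[FileRecord], window_seconds: float = 30) -> int:
    """Largest number of files created within any span of `window_seconds`
    (sliding window over sorted creation times)."""
    times = sorted(r.created for r in records)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def assess(records: List[FileRecord], window_seconds: float = 30,
           burst_threshold: int = 10) -> dict:
    """Summarise the three signals a defender wants: a creation burst,
    executables with no Mark-of-the-Web, and masquerading names."""
    burst = largest_burst(records, window_seconds)
    return {
        "burst_size": burst,
        "carpet_bomb_suspected": burst >= burst_threshold,
        "unmarked_executables": sorted(r.name for r in records
                                       if is_executable(r.name) and r.zone_id is None),
        "deceptive_names": sorted(r.name for r in records
                                  if is_deceptive_name(r.name)),
    }


if __name__ == "__main__":
    # Defaults to the current user's Desktop, the folder the advisory is about.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        os.path.expanduser("~"), "Desktop")
    for key, value in assess(scan_directory(target)).items():
        print(f"{key}: {value}")
```

Run it as `python audit_desktop.py` on the affected machine (or pass another folder). A Desktop that suddenly holds a dozen untagged executables created within the same half-minute is exactly the condition the advisory's workaround is meant to prevent, and the `deceptive_names` list catches the "My Computer"-style lookalikes that make the Desktop a worse place than an ordinary folder to receive unrequested files.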

Some campaigns are still following the Ralph Reed model. But if you would rather see resources directed toward the LAMP stack than the Ralph Reed crowd, readers of this column might be interested in the following employment opportunities:

http://news.slashdot.org/news/08/05/31/2341201.shtml

Posted by: Singing Senator | June 1, 2008 1:48 PM | Report abuse

"... introduce freedom from forced javascript as another of the inalienable rights presented to King George were hastily suppressed by Jefferson, who noted "What the bleeding heck is javascript?!"

Posted by: Patrick Huss | June 1, 2008 11:30 AM "

Paddy,

Thanks for the laugh, but I sure hope it's not the "Singing Senator" who once wanted a 'Broil' option on his remote desktop, or you are in soooooooo much trouble!

http://www.cbsnews.com/stories/2003/05/02/tech/main551969.shtml

Posted by: GTexas | June 1, 2008 4:51 PM | Report abuse

It just goes to show you three things about Apple:

1) They have a long track record of horrible/sub-standard development and testing of software on Windows platforms.
2) They have a long track record of not caring about the quality of their software on Windows platforms.
3) They care more about the user interface than security in all their products. This is the exact same attitude Netscape took when AOL bought them out. Look where Netscape's browser is today.

Posted by: SEO Marketing Guru | June 1, 2008 10:24 PM | Report abuse

Want a secure computer? Try not running the sieve known as Windows and the abomination known as IE - Microsoft's contribution to the internet. Because IE is there to let you know that Microsoft really cares.

Posted by: The Anti-SEO Marketing Guru | June 1, 2008 10:58 PM | Report abuse

LOL Like Macs are more secure than Windows OS.

Posted by: The Anti-Anti-SEO Marketing Guru | June 1, 2008 11:59 PM | Report abuse

@debug Try telling that to my grandfather. Blaming the user for clicking on a link that's going to "carpet bomb" their desktop is ridiculous. Apple, fix it. Otherwise, I say FAIL.

Posted by: jw | June 2, 2008 1:49 AM | Report abuse

@Magnum according to Aviv Raff, the security researcher who reported this issue to M$, this is a "blended attack" with Internet Explorer: http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExplorer.aspx

Posted by: pq | June 2, 2008 2:56 AM | Report abuse

"Paddy,

Thanks for the laugh, but I sure hope it's not the "Singing Senator" who once wanted a 'Broil' option on his remote desktop, or you are in soooooooo much trouble!

http://www.cbsnews.com/stories/2003/05/02/tech/main551969.shtml"


Posted by: GTexas | June 1, 2008 4:51 PM

OMG, he actually suggested that? Could someone please tell me what songs Sen. Hatch gets royalties from? I want to download them before he adds the "doomsday code". ;)

Posted by: Patrick Huss | June 2, 2008 11:27 AM | Report abuse

Question: Why is Safari a problem on PCs, but not on Macs or iPhones?

Posted by: Fred | June 3, 2008 10:49 AM | Report abuse

It's pretty sure Bill Gates doesn't use a computer, otherwise he would order a complete re-do of all the systems. i.e. start from scratch again but using a completely different set of priorities and goals. The present comp systems together with IE just show childish naivety of adhering to the freedom of expression concept in a WWW scenario... free-for-all including nutcases and criminals.

Posted by: vancats1938 | June 4, 2008 12:04 PM | Report abuse

-_-
Couldn't that happen even if Safari wasn't installed onto XP in the first place?

Posted by: Kitty | June 4, 2008 6:26 PM | Report abuse

Many of these comments are OT and many more are puerile. Such as those by Paul and ggordon. There's nothing quite as ludicrous as someone after all these years sticking with a platform Bruce Schneier says should be avoided like the plague commenting on software from other sources. Do Apple have things to learn about security? Yes. Everyone does. Do Apple have things to learn about Microsoft (lack of) security? Of course - it's a bottomless topic and Moz have even been hammered for flaws in M$ code. Is Safari better than Internet Explorer? My friends: anything is better than Internet Explorer just as anything is better than M$ Windows. Grow up.

Posted by: Rick | June 7, 2008 7:48 AM | Report abuse

@Rick

Trolling hard there I see. Your post has "Pot meet kettle!" written all over it. Very puerile indeed!

Posted by: TJ | June 8, 2008 6:16 PM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company