May 30th, 2008

Microsoft issues Safari-to-IE blended threat warning

Posted by Ryan Naraine @ 5:16 pm

Categories: Apple, Arbitrary Code Execution, Browsers, Complex Attacks, Exploit code, Hackers, Microsoft, Patch Watch, Responsible disclosure, Vulnerability research, Windows Vista

Tags: Apple Safari, Microsoft Corp., Microsoft Windows, Web Browsers, Operating Systems, Security, Software, Internet, Ryan Naraine

Microsoft has issued a formal security advisory with a confirmation of public warnings that the Safari “carpet bombing” vulnerability presents a remote code execution threat on all supported editions of Windows XP and Windows Vista.

The pre-patch advisory from Redmond follows public pressure from the Google-backed StopBadware.org for Apple to rethink its stance that the Safari issue should be considered a serious security vulnerability.

From the Microsoft advisory:

A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed.

…An attacker could trick users into visiting a specially crafted Web site that could download content to a user’s machine and execute the content locally using the same permissions as the logged-on user.

 [ SEE: Why Apple must fix Safari 'carpet bombing' flaw immediately ]

According to the advisory, the Windows portion of the blended threat is linked to Internet Explorer (IE 6 and IE 7 on Windows XP and Windows Vista, all service packs included).    Technical details on the combo-threat are being kept under wraps but it is clear that Microsoft has

actual proof of an IE vulnerability can be used in tandem with Nitesh Dhanjani’s Safari bug to launch a malicious executable if a user surfs to a rigged site with Safari.

Officials in the MSRC (Microsoft Security Response Center) held discussions with Apple before releasing the advisory.

[ SEE: Apple under pressure to fix Safari ‘carpet bomb’ flaw ]

As a temporary mitigation, Microsoft recommends that Windows uses restrict the use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.

Alternatively, if you must use Safari, you should change the download location of content in Safari to a location other than ‘Desktop’.   This can be done by launching Safari and using the Edit > Preferences and selecting a different location on the local drive for  Save Downloaded Files to: option.

My previous advice stands.  Uninstall Safari and use an alternative browser on Windows.