Remember the days when leaving a website would spawn a million pop-up windows? Substitute executable files on your desktop for pop-up windows and you'll understand why a flaw in the current version of Safari for Windows is a huge problem.
Microsoft has warned that a previously disclosed flaw in Apple's Safari allows attackers to scatter your desktop with executable files, an attack more commonly known as "carpet bombing."
But the story gets worse if the attack exploits a second bug, this one in Internet Explorer, which would allow attackers to launch and run the downloaded executables.
Perhaps in response to Apple's decision to spam Safari to all iTunes users, Microsoft has issued a rather strong security advisory recommending that Windows users "restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple."
However, even if Microsoft patches the IE flaw, Safari users will still be vulnerable. According to security researcher Nitesh Dhanjani, who discovered the Safari bug last month, Apple is not treating the Safari bug as a security issue.
The attack is possible because Safari lacks an option to require a user's permission before downloading a file, so Apple's position is that the bug is a user interface design issue rather than something that can be fixed with a security update. That may be technically correct, but to say this isn't a security issue seems disingenuous.
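Until a browser update arrives, the practical defensive question is how to notice a carpet-bombing drop as it happens. The following is an added example, not code from the article, Apple or Microsoft: a small burst detector that takes file-creation events (constructed here as sample data; in practice they would come from an endpoint agent or filesystem watcher, an assumption of this example) and raises an alert when several executable files land in the user's Desktop folder within a short window. A single installer download stays quiet; a web page forcing half a dozen executables onto the desktop in a few seconds does not.

```python
"""Burst detection for forced-download 'carpet bombing' (constructed example).

Assumptions, none of which come from the article:
  * file-creation events are available as (timestamp, path) tuples;
  * Windows paths are used, so PureWindowsPath parses them on any platform.
"""
from collections import deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions treated as executable content on Windows; a policy choice for this example.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".pif"}


def is_executable_drop(path, watched_dir="Desktop"):
    """True if `path` is an executable-looking file inside the watched folder."""
    p = PureWindowsPath(path)
    return p.suffix.lower() in EXECUTABLE_EXTENSIONS and watched_dir in p.parts


def detect_bursts(events, threshold=5, window=timedelta(seconds=30)):
    """Return one alert per burst of >= `threshold` executable files created in
    the watched folder within `window`. Each alert is a dict with the burst's
    start/end timestamps and the file paths involved. Non-executable files and
    files outside the watched folder are ignored.
    """
    alerts = []
    recent = deque()  # sliding window of (timestamp, path) for executable drops
    for ts, path in sorted(events):
        if not is_executable_drop(path):
            continue
        recent.append((ts, path))
        # Drop events that have aged out of the window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append({
                "start": recent[0][0],
                "end": ts,
                "files": [p for _, p in recent],
            })
            recent.clear()  # a new burst must reach the threshold on its own
    return alerts


# Constructed sample events: one ordinary download, one text file, then a
# burst of six executable files dropped on the desktop within five seconds.
SAMPLE_EVENTS = [
    (datetime(2008, 6, 1, 12, 0, 0), r"C:\Users\alice\Desktop\setup.exe"),
    (datetime(2008, 6, 1, 12, 5, 0), r"C:\Users\alice\Desktop\notes.txt"),
    (datetime(2008, 6, 1, 12, 30, 0), r"C:\Users\alice\Desktop\a.exe"),
    (datetime(2008, 6, 1, 12, 30, 1), r"C:\Users\alice\Desktop\b.exe"),
    (datetime(2008, 6, 1, 12, 30, 2), r"C:\Users\alice\Desktop\c.exe"),
    (datetime(2008, 6, 1, 12, 30, 3), r"C:\Users\alice\Desktop\d.dll"),
    (datetime(2008, 6, 1, 12, 30, 4), r"C:\Users\alice\Desktop\e.exe"),
    (datetime(2008, 6, 1, 12, 30, 5), r"C:\Users\alice\Desktop\f.scr"),
]


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(f"{alert['start']} .. {alert['end']}: "
              f"{len(alert['files'])} executables dropped on the desktop")
        for f in alert["files"]:
            print("   ", f)
```

The threshold and window are deliberately loose: the point is to catch many executables arriving together, which a normal download workflow almost never produces, while leaving a single installer alone. Clearing the window after an alert keeps a long-running drop from generating one alert per additional file.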
On the bright side – as far as Microsoft is aware – the attack has not yet been exploited in the wild. But now that the news is widespread, don't expect that to last.
[via MacWorld]