Friday
Oct 10

Microsoft Urges Windows Users to Restrict Use of Safari

Microsoft has warned Windows users to restrict the use of Apple Inc.'s Safari as a Web browser until an appropriate update is available from Microsoft and/or Apple. The Safari and IE bugs are each moderate vulnerabilities that, combined, produce a critical flaw which allows remote code execution.

The Safari bug Microsoft referred to is the same one disclosed two weeks ago by researcher Nitesh Dhanjani, which allows attackers to litter a victim's desktop with executable files. This form of attack, known as "carpet bombing", is possible because Safari lacks an option to require a user's permission to download a file.

Apple's refusal to treat the Safari bug as a security issue illustrates the different approaches to security of the two rivals. Apple told Dhanjani that it might fix the problem in a future Safari update, as it did not consider it a security issue. It has been criticized for that position by the anti-malware group Stopbadware.org. On May 19, the group issued a statement saying, "We encourage Apple to reconsider its stance and treat this as the security issue that it is."

The Microsoft Security Response Center (MSRC) has also issued a security advisory for the "blended threat" caused by the combination of a bug in Apple's Safari Web browser and a vulnerability in how Windows XP and Windows Vista handle executable files placed on the desktop. "Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple's Safari for Windows has been installed," said the advisory.

In the advisory, Microsoft called out Windows XP (including SP3, the newest service pack) and Windows Vista as vulnerable, as well as Internet Explorer 6 and IE 7. It also acknowledged that a successful attack would require not only leveraging the Safari bug, but also exploiting a vulnerability in its own software.

"A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user's machine without prompting, allowing them to be executed," said Microsoft.

But it did not delve into details of the Windows or IE vulnerabilities that could be combined with the Safari bug to hack PCs. However, it said that it is working with its rival to find a solution. "[We] are working with our colleagues at Apple to investigate the issue," said Tim Rains, a product manager in Microsoft's malware protection center, in a post to the MSRC blog.

Microsoft has not set any timetable for patching its software to block combined Safari-IE attacks. As it often does in security advisories, the company only said that it may issue a patch.
