Microsoft has warned Windows users about a dangerous flaw in Apple’s Safari for Windows, reported on May 15 by security researcher Nitesh Dhanjani. According to Dhanjani, the attack, termed “carpet bombing”, exploits a security hole that allows potentially malicious executables to be downloaded onto the victim’s desktop. These malicious executables then run automatically, just like normal Windows executables.
Safari running on Windows-based systems can therefore be used to compromise its users.
Dhanjani wrote on his blog, “Apple does not feel this is an issue they want to tackle at this time.” While Apple treats it as an “enhancement request”, security researcher Aviv Raff says that combining the “carpet bombing” flaw with an IE bug could give attackers unauthorized access to run malicious software on the victim’s computer.
Raff had reported the IE bug more than a year ago. The attack is executed when the victim visits a maliciously crafted Web site in Safari, which triggers the “carpet bombing” download and then exploits the IE flaw. Even if the download location in Safari is changed, the combined Safari/IE flaw remains exploitable, according to Raff. Though each vulnerability is only moderate on its own, together they create a critical flaw.
Having warned Windows users of the flaw, Microsoft has also addressed the issue. In its security advisory, Microsoft recommends that Windows users restrict use of the Safari browser until an update patch is made available, and that users who wish to continue using Safari change the download location to somewhere other than the desktop. All versions of Windows XP and Vista are affected by this flaw.