Microsoft has warned Web surfers about a Safari vulnerability that could put Windows users at risk. The flaw was one of three first found by researcher Nitesh Dhanjani. One of the bugs Dhanjani found was serious enough to be kept secret until a fix is found. However, Apple said it does not consider the problem Microsoft has drawn attention to a security issue.

A flaw in Apple’s (Nasdaq: AAPL) Safari Web browser has caught the attention of Microsoft’s (Nasdaq: MSFT) security team. The software maker has released an advisory for Windows XP and Windows Vista users running Safari, informing them that Microsoft has begun investigating a vulnerability discovered two weeks earlier by Nitesh Dhanjani, a security researcher.

One of three bugs Dhanjani found in connection with Safari, the flaw exposes PC users to a “carpet bomb” attack, allowing potentially malicious files to be downloaded to and run on a PC without the owners’ consent.

Apple, according to a post on Dhanjani’s blog, does not consider this issue to be “security related” despite evidence that the vulnerability also affects Mac OS X users.

“Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads,” Apple said in a response quoted on Dhanjani’s site.

Apple did not respond to a request for comment.

Windows on Safari

The issue here is twofold and involves the way Safari handles user downloads and the way Windows executes user downloads, Chenxi Wang, a Forrester Research analyst, told MacNewsWorld.

In what’s known as a “blended attack,” hackers take advantage of two relatively innocuous vulnerabilities. In this instance, the Safari side of the problem is a default setting in the browser that allows content to download to a user’s desktop or download folder without the user’s permission.

Meanwhile, Windows allows some downloaded files to run automatically, Chris Rodriguez, a Frost & Sullivan analyst, told MacNewsWorld.

That opens the door to a scenario in which a rogue Web site can “litter the user’s Desktop (Windows) or Downloads directory (~/Downloads/ in OS X),” Dhanjani explained.

“This can happen because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed),” he wrote.

“The problem is that you visit a Web site and the files are downloaded to your computer and run automatically,” Rodriguez noted.

Who’s Fixin’ It?

The risk to PC users is moderate, according to Andrew Jaquith, an analyst at Yankee Group. Dhanjani’s scenario, he said, requires the user to, first, use Safari; second, visit a malicious Web site that causes malicious files to be downloaded automatically; and third, double-click on — i.e., execute — something that was downloaded by this method.

“Most other browsers — including IE (Internet Explorer) — will alert you if you are attempting to download content to your desktop or preferred download folder. Safari doesn’t do that. It should offer users a choice to block the download,” Jaquith explained.

“In general, Apple has had a habit of making its browser setting a little too loose. For example, Safari is configured so that the Open ‘Safe’ Files After Download setting is checked by default. This is pretty irresponsible, in my view, and in the view of just about every security person I know,” he told MacNewsWorld.

However, Jaquith pointed out that this vulnerability is not as serious as the “perennial ‘drive-by’ ActiveX vulnerabilities that affect Internet Explorer.”
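The two conditions the analysts describe, a download folder that fills up without the user asking and the “Open ‘Safe’ Files After Download” option left at its default, can both be checked from a shell. The script below is an added example written for this page; it is not code from the article, from Apple, or from Dhanjani. It assumes the Safari option is stored in the com.apple.Safari preference domain under the key AutoOpenSafeDownloads (absent key = Apple’s default of enabled), and it goes slightly beyond the text by also counting files that recently appeared in the Downloads folder, which is the “litter” symptom Dhanjani describes. Function names are the example’s own.

```shell
#!/bin/sh
# Added audit example (not from the article): reports whether Safari's
# "Open 'safe' files after download" option is still enabled and whether the
# default download folder has been littered with recently created files.
# Assumption: the preference is com.apple.Safari / AutoOpenSafeDownloads and
# an absent key means Apple's default (enabled).

# classify_auto_open VALUE -> prints "weak" or "hardened".
# VALUE is the raw string `defaults read` prints ("1", "0", "true", "false")
# or empty when the key is absent, in which case the default (enabled) applies.
classify_auto_open() {
    case "$1" in
        0|false|FALSE|no|NO) echo "hardened" ;;
        *) echo "weak" ;;
    esac
}

# read_auto_open_setting -> prints the raw value, or "" if unset or if the
# `defaults` tool is not available on this system (non-macOS hosts).
read_auto_open_setting() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true
    fi
}

# count_recent_downloads DIR MINUTES -> number of regular files in DIR modified
# within the last MINUTES minutes. A burst of files the user never requested is
# the "carpet bomb" symptom described in the article.
count_recent_downloads() {
    dir=$1; minutes=${2:-60}
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -maxdepth 1 -type f -mmin "-$minutes" 2>/dev/null | wc -l | tr -d ' '
}

# audit_downloads DIR MINUTES THRESHOLD -> "suspicious" when more than
# THRESHOLD files appeared within the window, otherwise "ok".
audit_downloads() {
    n=$(count_recent_downloads "$1" "$2")
    if [ "$n" -gt "${3:-10}" ]; then echo "suspicious"; else echo "ok"; fi
}

# Stand-alone run: report the state of the current machine.
main() {
    raw=$(read_auto_open_setting)
    printf 'Open "safe" files after download: %s (raw value: "%s")\n' \
        "$(classify_auto_open "$raw")" "$raw"
    printf 'Files added to ~/Downloads in the last hour: %s (%s)\n' \
        "$(count_recent_downloads "$HOME/Downloads" 60)" \
        "$(audit_downloads "$HOME/Downloads" 60 10)"
}
main
```

The threshold of ten files per hour is a constructed starting point, not a figure from the article; an ordinary user rarely receives that many unrequested downloads, so a higher count is worth a look regardless of what the Safari setting says.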

Posted by Zoov on 04 Jun 2008 03:17 am
Filed Under: Business, Sci-Tech