Microsoft warns Apple Safari users of new vulnerability

In a warning issued to customers late Friday, Microsoft urged Safari users to change the browser's default download location.

Microsoft issued an advisory late Friday warning users of Apple's Safari browser that it is vulnerable to a blended threat that allows remote code execution.


The vulnerability can be exploited on all supported versions of Windows XP and Windows Vista, Microsoft said in its advisory.

The problem is a bug in the default download location in Safari and in the way Windows handles executable files. An attacker could exploit the vulnerability by tricking users into visiting a website to download malicious content to the user's machine.

"We've activated our Software Security Incident Response Process (SSIRP) and are working with our colleagues at Apple to investigate the issue," Microsoft's Tim Rains, a product manager in the Microsoft Malware Protection Center, said in the Microsoft Security Response blog.

Apple released Safari for Windows last year. In March, it made the browser available to Windows users of iTunes by default during a software update.

Rains said Microsoft is not aware of any attacks in the wild. As a workaround, Microsoft is advising Safari users to change the default location where Safari downloads content to the local drive.

The issue could stem from a warning earlier this month from security researcher Nitesh Dhanjani, who discovered a way for a malicious website to litter a Safari user's desktop or downloads directory with files. Dhanjani described the problem on his blog, calling it a Safari carpet bomb. Dhanjani discovered three issues with Safari and said he has been working with Apple to resolve them.
