
Microsoft warns Apple Safari users of new vulnerability

By SearchSecurity.com Staff
31 May 2008 | SearchSecurity.com

Security Wire Daily News

Microsoft issued an advisory late Friday warning users of Apple's Safari browser that it is vulnerable to a blended threat that allows remote code execution.

The vulnerability can be exploited on all supported versions of Windows XP and Windows Vista, Microsoft said in its advisory.

The problem is a bug in the default download location in Safari and in the way Windows handles executable files. An attacker could exploit the vulnerability by tricking users into visiting a website that downloads malicious content to the user's machine.

"We've activated our Software Security Incident Response Process (SSIRP) and are working with our colleagues at Apple to investigate the issue," Microsoft's Tim Rains, a product manager in the Microsoft Malware Protection Center, said in the Microsoft Security Response blog.

Apple released Safari for Windows last year. In March, it made the browser available to Windows users of iTunes by default during a software update.

Rains said Microsoft is not aware of any attacks in the wild. As a workaround, Microsoft is advising Safari users to change the default location where Safari downloads content to the local drive.

The issue could stem from a warning earlier this month from security researcher Nitesh Dhanjani, who discovered a way for a malicious website to litter a Safari user's desktop or downloads directory with files. Dhanjani described the problem on his blog, calling it a Safari carpet bomb. He discovered three issues with Safari and said he has been working with Apple to resolve them.


