June 1, 2008 (Computerworld)
In an unusual move, Microsoft Corp. on Friday warned Windows users to swear off Apple Inc.'s Safari Web browser until a patch is available that plugs holes that could let attackers compromise computers.
One security researcher noted that Microsoft's public warning -- and Apple's silence on the subject -- are typical for the two rivals and illustrate their different approaches to security.
Friday, the Microsoft Security Response Center (MSRC) issued a security advisory for what it called a "blended threat" caused by a combination of a bug in Apple's Safari Web browser and a vulnerability in how Windows XP and Windows Vista handle executable files placed on the desktop.
"Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple's Safari for Windows has been installed," said the advisory.
The Safari bug Microsoft referred to is the same one disclosed two weeks ago by researcher Nitesh Dhanjani, which Apple declined to treat as a security issue, said Andrew Storms, director of security operations at nCircle Network Security Inc. "Clearly, that's what they're talking about," said Storms.
In mid-May, Dhanjani posted information about what he dubbed a "carpet bomb" attack, made possible because Safari lacks an option to require a user's permission to download a file. Attackers, Dhanjani claimed, could populate a malicious site with rogue code that Safari would automatically download to the desktop.
Apple told Dhanjani that it did not consider the problem a security issue, but might fix it in a future Safari update. The next week, the anti-malware group Stopbadware.org criticized Apple for that position. "We encourage Apple to reconsider its stance and treat this as the security issue that it is," said the group in a statement May 19.
Then on Friday, Microsoft also fingered Safari as a problem. "Restrict use of Safari as a Web browser until an appropriate update is available from Microsoft and/or Apple," the company told users in the advisory.
But Microsoft also admitted that a successful attack would require not only leveraging the Safari bug, but also exploiting a vulnerability in its own software. "A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user's machine without prompting, allowing them to be executed," said Microsoft.
In the advisory, Microsoft called out Windows XP -- including SP3, the newest service pack -- and Windows Vista as vulnerable, as well as Internet Explorer (IE) 6 and Internet Explorer 7.
Microsoft, however, did not delve into details of the Windows and/or IE vulnerabilities that could be combined with the Safari bug to hack PCs.
Aviv Raff, an Israeli security researcher, filled in some of the blanks. On Saturday, Raff said that a vulnerability in IE he had reported more than a year ago was the Microsoft side of the blended threat. "The combined attack requires IE," Raff said in an e-mail, answering questions about the source of the Windows-side flaw.
He would not, however, get specific about the vulnerability. In a post to his own blog earlier Saturday, Raff said he would not publicly disclose any details until Microsoft or Apple patched the problem.
But he did ding Microsoft for telling users that they could prevent attacks by changing the default download location for files retrieved using Safari. "I can only say that Microsoft's suggestion for a workaround is not enough," said Raff in his blog post. "There are other vulnerabilities which can be combined with the Safari vulnerability to execute code," he added in the e-mail.
Continues: http://computerworld.com/