Microsoft Warns Of Bug In Apple's Safari


By Stefanie Hoffman, ChannelWeb
5:20 PM EDT Wed. Jun. 04, 2008
Microsoft issued a security advisory warning users that a flaw in Apple's Safari browser could give remote attackers the ability to install malicious code on all versions of Windows XP and Windows Vista.

The issue was first reported May 15 by security researcher Nitesh Dhanjani, who disclosed three vulnerabilities in Safari, one of which allows a remote attacker to litter a user's desktop or Downloads directory with executable files in an attack known as carpet bombing. The glitch lets the Safari browser download any resource, including malicious content, without the user's consent and place it in a default location.

A successful exploitation of the Safari vulnerability would work in conjunction with a bug in Microsoft's Internet Explorer Web browser, which security researchers reported more than a year ago. The attack would require a user to visit a malicious Web page while using Safari, which would trigger the carpet bomb attack and allow exploitation of the IE flaw. When combined, both the Safari and IE vulnerabilities allow malicious executables to be run on a victim's computer, which could allow attackers to take complete control of a user's computer.

Dhanjani also reported a third Safari flaw last week, which allows an attacker to remotely steal local files from the user's system. Apple said that it was working to resolve the issue, according to Dhanjani's blog post.

Dhanjani said in his posting that Apple has only promised to repair one of the three vulnerabilities detected last week and has not made clear whether there are any scheduled patches down the road for the Safari "carpet bomb" flaw. Apple did not immediately return correspondence from ChannelWeb.

The security advisory applies to all customers running Safari on Windows, although Microsoft said that the blended threat would not affect customers who have changed the default location where Safari downloads content to the local drive.

Safari is not the default browser on XP or Vista; it must be installed separately.

Microsoft said in its advisory that it was monitoring the issue and would take "appropriate measures" to protect customers, which could include a solution wrapped up in a service pack, as well as a monthly or out-of-cycle update. Microsoft also noted that it is currently working with researchers at Apple to address the issue.

So far, Microsoft claims that it is unaware of any current "loose in the wild" attacks that exploit the vulnerability.

Until an appropriate fix is released, Microsoft recommends that users limit their use of the Safari browser when surfing the Web.

