Microsoft warns of blended Safari attack
Published: 04 Jun 2008 12:18 BST
Microsoft has issued an advisory warning Windows users who have installed the Apple Safari for Windows browser that their systems may be vulnerable to attack.
The Safari 'carpet bombing' attack was first described by researcher Nitesh Dhanjani last month, but dismissed by Apple as a serious threat. Under Dhanjani's scenario, a user would surf using Apple Safari for Windows to a malicious website crafted in the following format: http://malicious.example.com/. Dhanjani says if Safari sees a content type in the format blah/blah it does not know how to renfer the proper correct result, so it starts downloading carpet_bomb.cgi, executing the downloaded files with the same rights as the logged-on user. The end result is the victim's desktop is populated with a variety of malicious files.
ZDNet.co.uk blogs
ISO's OOXML committee in ODF takeover bid?
The standards world continues to surprise us - this time with what has been described as a 'coup'...
Microsoft says it is the combination of the default download file location in Safari and how the Windows desktop handles the files that creates the blended threat on all supported versions of Windows XP and Windows Vista when Apple's Safari for Windows has been installed.
Microsoft notes that users who change the default Safari download location are not affected. Its advises users that, to change the download location in Safari, under Edit, select Preferences. Where it says 'Save Downloaded Files to', change the location.
Microsoft said it may follow the advisory with a security update if needed.
Did you find this article useful?
3 out of 5 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
