CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
June 3rd, 2008

Microsoft Alerts Users Not To Use Safari Due To Carpet Bombing Vulnerability

Microsoft has released Security Advisory (953818) to address reports of a blended threat that affects Windows users who have installed Apple’s Safari web browser. According to the advisory, by convincing a user to visit a specially crafted website, an attacker may be able to execute arbitrary code on an affected system due to Safari’s default file downloading behavior and the way that Windows Internet Explorer handles the downloaded files.

Around the middle of last month, Nitesh Dhanjani disclosed a vulnerability in Safari (and in the way it interacts with Windows and OS X) that allows a remote malicious site to download several files, without the user's knowledge, to the user's default download folder (Desktop on Windows, Downloads on OS X). The attack has been dubbed carpet bombing because of its potential to plant multiple malicious files that can in turn reduce the user's PC to a digital mess.

The security researcher was able to show that Safari does not ask for the user's permission before downloading resources. He set up a sample malicious website that served malicious iframes. He visited the site with Safari and found that the browser automatically downloaded the files multiple times (hence, carpet bombing), storing copies in the default download folder without waiting for any user action or showing a dialog box informing the user of what was happening. The report includes a screenshot of the potential danger the automatic download action can cause.
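As an added defender-side example (not code from this article or from Dhanjani's report), the following Python flags the on-disk signature of a carpet-bombing drop described above: a burst of files, several with executable extensions, appearing in a download folder within seconds. The file names, timestamps and thresholds are constructed assumptions, not values from the report.

```python
"""Flag a burst of files landing in a download folder within a few seconds.

Added example: the silent, repeated downloads described above show up on disk
as many files sharing nearly the same modification time. All names and
timestamps below are constructed sample data.
"""
import os
from dataclasses import dataclass

# Extensions that Windows may treat as executable or loadable code (assumed list).
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".hta"}


@dataclass
class Burst:
    count: int      # number of files in the burst
    risky: list     # names of burst files with risky extensions
    window: float   # seconds between the first and last file in the burst


def find_burst(entries, window_seconds=10.0, min_files=5):
    """entries: list of (filename, mtime) tuples for one directory.

    Returns the largest group of files whose mtimes fall inside
    window_seconds, or None if no group reaches min_files.
    """
    ordered = sorted(entries, key=lambda e: e[1])
    best, start = None, 0
    for end in range(len(ordered)):
        # Slide the window start forward until the group fits in window_seconds.
        while ordered[end][1] - ordered[start][1] > window_seconds:
            start += 1
        group = ordered[start:end + 1]
        if len(group) >= min_files and (best is None or len(group) > best.count):
            risky = [n for n, _ in group
                     if os.path.splitext(n)[1].lower() in RISKY_EXTENSIONS]
            best = Burst(len(group), risky, group[-1][1] - group[0][1])
    return best


def scan_directory(path, **kwargs):
    """Collect (name, mtime) for regular files in path and look for a burst."""
    with os.scandir(path) as it:
        entries = [(d.name, d.stat().st_mtime) for d in it if d.is_file()]
    return find_burst(entries, **kwargs)


def sample_entries():
    """Constructed listing: two old legitimate files, then six dropped in 3 s."""
    t0 = 1_212_480_000.0  # arbitrary epoch timestamp (constructed)
    return [("holiday.jpg", t0 - 86_400), ("notes.txt", t0 - 3_600),
            ("dropped.dll", t0), ("dropped-1.dll", t0 + 0.5),
            ("dropped-2.dll", t0 + 1.0), ("dropped-3.dll", t0 + 1.5),
            ("promo.exe", t0 + 2.0), ("readme.html", t0 + 3.0)]
```

Run `scan_directory` against the real Desktop or Downloads folder to apply the same check to a live system.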

Apple is not treating the reported vulnerability as a security issue, but as a request for an additional enhancement to prevent unwanted downloads.

Microsoft recommends users avoid using Safari until researchers have looked into the browser, and until appropriate updates are provided by either Microsoft or Apple. Users are encouraged to change the download location of files by editing user preferences in Safari.
