A security researcher has published a demonstration exploit that takes advantage of the download mechanism in Apple's Safari browser to automatically download files onto a user's system.
Nevertheless, Apple said it does not consider the issue a security vulnerability, according to Nitesh Dhanjani, a researcher who currently leads application security efforts at professional services company Ernst & Young.
Enterprises have begun paying closer attention to Safari in recent weeks because of a rise in the browser's market share on Windows. Safari is the built-in browser on Mac OS X.
The problem arises "because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource," Dhanjani said in a recent blog post.
He published a sample cgi script that automatically downloads large numbers of files to Safari's default download directory. "The implication of this is obvious: Malware downloaded to the user's desktop without the user's consent," Dhanjani said.
Apple told Dhanjani it did not consider the issue a security problem, but would consider the ability to warn before downloading content as a feature enhancement.
"Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads," Apple said in an email quoted by Dhanjani. "This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated."
A second problem is that Safari doesn't warn when local resources such as HTML files attempt to invoke client-side scripting, which could be a problem in part because Internet Explorer does warn in such cases, Dhanjani said.
"I feel this is an important security feature because of user expectations: even the most sophisticated users differentiate between the risk of clicking on an executable they have downloaded (risk perceived to be higher) to clicking on a HTML file they have downloaded (risk perceived to be lower)," he wrote.
Apple responded to Dhanjani that it would investigate the matter as a security hardening measure but that it would take "a fairly deep investigation to address compatibility issues."