Microsoft urges Windows users to shut down Safari

Responses from Apple and Microsoft typical of their rivalry and different approaches to security

In an unusual move, Microsoft on Friday warned Windows users to swear off Apple 's Safari Web browser until a patch is available that plugs holes that could let attackers to compromise computers.

One security researcher noted that Microsoft's public warning -- and Apple's silence on the subject -- are typical for the two rivals and illustrate their different approaches to security.

Friday, the Microsoft Security Response Center (MSRC) issued a security advisory for what it called a "blended threat" caused by combination of a bug in Apple's Safari Web browser and a vulnerability in how Windows XP and Windows Vista handle executable files placed on the desktop.

"Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple's Safari for Windows has been installed," said the advisory.

The Safari bug Microsoft referred to is the same one disclosed two weeks ago by researcher Nitesh Dhanjani, which Apple declined to treat as a security issue, said Andrew Storms, director of security operations at nCircle Network Security Inc. "Clearly, that's what they're talking about," said Storms.

In mid-May, Dhanjani posted information about what he dubbed a "carpet bomb" attack made possible because Safari lacks an option to require a user's permission to download a file. Attackers, Dhanjani claimed, could populate a malicious site with rogue code that Safari would automatically download to the desktop.

Apple told Dhanjani that it did not consider the problem a security issue, but might fix it in a future Safari update. The next week, the anti-malware group Stopbadware.org criticized Apple for that position. "We encourage Apple to reconsider its stance and treat this as the security issue that it is," said the group in a statement May 19.

Then on Friday, Microsoft also fingered Safari as a problem. "Restrict use of Safari as a Web browser until an appropriate update is available from Microsoft and/or Apple," the company told users in the advisory.

But Microsoft also admitted that a successful attack would require not only leveraging the Safari bug, but also exploiting a vulnerability in its own software. "A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user's machine without prompting, allowing them to be executed," said Microsoft.

In the advisory, Microsoft called out Windows XP -- including SP3, the newest service pack -- and Windows Vista as vulnerable, as well as Internet Explorer (IE) 6 and Internet Explorer 7.

Microsoft, however, did not delve into details of the Windows and/or IE vulnerabilities that could be combined with the Safari bug to hack PCs.

Aviv Raff, an Israeli security research, filled in some of the blanks. On Saturday, Raff said that a vulnerability in IE he had reported more than a year ago was the Microsoft side of the blended threat. "The combined attack requires IE," Raff said in a e-mail, answering questions about the source of the Windows-side flaw.

He would not, however, get specific about the vulnerability. In a post to his own blog earlier Saturday, Raff said he would not publicly disclose any details until Microsoft or Apple patched the problem.

But he did ding Microsoft for telling users that they could prevent attacks by changing the default download location for files retrieved using Safari. "I can only say that Microsoft's suggestion for a workaround is not enough," said Raff in his blog post. "There are other vulnerabilities which can be combined with the Safari vulnerability to execute code," he added in the e-mail.

In the end, Raff's best advice was similar to Microsoft's: "The current best solution is to stop using Safari until Apple fixes their vulnerability," he wrote on his blog. "Even if Microsoft fixes their vulnerability, Safari users will still be vulnerable."

Odd though it is to see Microsoft issue an advisory that calls out software not of its making, the incident is a good example of the contrast between Microsoft's and Apple's approaches to security disclosures, said nCircle's Storms.

"It's not very surprising to see Microsoft in the forefront here," he said. "They're known to issue advisories without having all the information [about a vulnerability] and without a patch. Apple, on the other hand, is completely different. Until they release a patch, they say nothing, and when they patch, it's a complete surprise.

"It's two different ways to handle it," said Storms, explaining that the vastly different approaches stems from their core customer base. "Microsoft has really embraced the enterprise, and decided that disclosure and a regular patch schedule is what the enterprise needs to support and maintain its products.

"Apple, on the other hand, appeals to consumers, and believes that for the majority of consumers, issuing an advisory without a patch would probably just create FUD [fear, uncertainty and doubt]," Storms concluded.

As Storms noted, Apple has remained silent on the Safari carpet bomb problem. Last week, it did not respond to a request for comment on its security team's decision against adding a user-approval option to Safari. The company was not available Saturday.

Microsoft did say that it was working with its rival, however. "[We] are working with our colleagues at Apple to investigate the issue," said Tim Rains, a product manager in Microsoft's malware protection center, in a post to the MSRC blog.

No timetable has been set by Microsoft for patching its software to block combined Safari-IE attacks. As it often does in security advisories, the company only said that it may issue a patch.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?