Microsoft advises Windows users to restrict use of Apple’s Safari web browser

Microsoft has issued a “Microsoft Security Advisory (953818), ‘Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform,'” that states:

Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default; it must be installed independently or through the Apple Software Update application. Customers running Safari on Windows should review this advisory.

At the present time, Microsoft is unaware of any attacks attempting to exploit this blended threat. Upon completion of this investigation, Microsoft will take the appropriate measures to protect our customers. This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customers needs.

Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.

Suggested Action: Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.

Microsoft has tested the following workaround:
• Change the download location of content in Safari to a location other than ‘Desktop.’
• Launch Safari. Under the Edit menu select Preferences.
• At the option where it states Save Downloaded Files to: select a different location on the local drive.

MacDailyNews Note We have also tested a workaround (and it succeeds beyond your wildest dreams):
Get a Mac.

Full advisory here.

[Thanks to MacDailyNews Reader “Bizarro Ballmer” for the heads up.]

MacDailyNews Take: This is like Typhoid Mary advising on food safety.

62 Comments

  1. It’s interesting that they don’t say, “We have advised Apple about this problem,” it says, in too many words, “Microsoft will take.. measures… this may include a service pack, the monthly update, or a security update.” They have exonerated Apple.

    It’s very clear that this is a WIndows problem that Safari exposes, not a Safari problem. In fact, it is so clearly a Windows problem that Microsoft can’t deny it.

  2. I don’ remember Microsoft ever recomending users not to use IE on the Windows platform. That is weird considering that that IE has been the less secure browser since its inception…

  3. Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.

    Suggested Action: Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.

    Um…isn’t the obvious course of action to change the location where Safari downloads content from the default?

  4. “read: “we are rather unhappy about Safari’s growing market share”!”

    Couldn’t agree more. Safari now has a .21% Market share on Windows. I betcha Ballmar is throwing chairs. Microsoft is SCARED!!!! This is HUGE!!!!!!!!!!!!!!

  5. ‘This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update….’

    Yeah, you know the service pack named Windows 7….. but until such time we’ll just get you to stop using that pesky browser.

    What if Apple stymies their stymie and just brings out Safari 3.1.2 for Windows that just plain refuses to download to the Desktop – or at least warns the hapless user that they are a fsking twat for attempting to do so?

  6. +++

    BUT remember Apple sucks at security patches as in the 3 iCal security patches that Core Security was working with Apple for 7 months on getting patched and Apple just kept giving excuses to fix. Apple just plain and simple SUCKs at fixing security patches. They could fix these problems in a week if they wanted.

    Some penetration testers podcasters have commented on how BAD Apple is at fixing vulnerabilities. Take that what 20 Billion in the bank and hire 4 people that find vulnerabilities. and fix them ASAP

    +++

    +++

  7. Okay, here begins the hue and cry, and if I had a castle, the villagers would be on the way with pitchforks and torches:

    Microsoft isn’t really evil. They think they are still a small company and behave like it. They also forget from time to time that there is an outside world, and they get scared when they suddenly realize there is one.

    Case in point on forgetting their is an outside world: If you try to connect to a VPN and fail, Vista has a troubleshooter, which of course can’t find the problem. At the end it recommends that you check to see if the computer is on. Now that makes no sense whatsoever to someone in Chicago trying to connect to their company’s VPN in New York, but it does make sense if you are on the Microsoft campus and the other computer is in the next room and you can walk over and check.

    Microsoft also does not understand why they are in the fix they are in. The monopoly stuff scared them witless. They started a partner program to make friends with their adversaries, and lost their focus on users, and with the second half of that begins their downfall. Their products are designed for salesmen and developers, not users.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.