Microsoft advises Windows users to restrict use of Apple’s Safari web browser

Microsoft has issued “Microsoft Security Advisory (953818), ‘Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform,’” which states:

Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default; it must be installed independently or through the Apple Software Update application. Customers running Safari on Windows should review this advisory.

At the present time, Microsoft is unaware of any attacks attempting to exploit this blended threat. Upon completion of this investigation, Microsoft will take the appropriate measures to protect our customers. This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customers’ needs.

Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.

Suggested Action: Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.

Microsoft has tested the following workaround:
• Change the download location of content in Safari to a location other than ‘Desktop’:
• Launch Safari. Under the Edit menu, select Preferences.
• At the option labelled “Save Downloaded Files to:”, select a different location on the local drive.

MacDailyNews Note: We have also tested a workaround (and it succeeds beyond your wildest dreams):
Get a Mac.

Full advisory here.

[Thanks to MacDailyNews Reader “Bizarro Ballmer” for the heads up.]

MacDailyNews Take: This is like Typhoid Mary advising on food safety.

62 Comments

  1. It’s interesting that they don’t say, “We have advised Apple about this problem.” It says, in too many words, “Microsoft will take… measures… this may include a service pack, the monthly update, or a security update.” They have exonerated Apple.

    It’s very clear that this is a Windows problem that Safari exposes, not a Safari problem. In fact, it is so clearly a Windows problem that Microsoft can’t deny it.

  2. Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.

    Suggested Action: Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.

    Um…isn’t the obvious course of action to change the location where Safari downloads content from the default?

  3. “read: ‘we are rather unhappy about Safari’s growing market share’!”

    Couldn’t agree more. Safari now has a 0.21% market share on Windows. I betcha Ballmer is throwing chairs. Microsoft is SCARED!!!! This is HUGE!!!!!!!!!!!!!!

  4. ‘This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update….’

    Yeah, you know the service pack named Windows 7… but until such time we’ll just get you to stop using that pesky browser.

    What if Apple stymies their stymie and just brings out Safari 3.1.2 for Windows that just plain refuses to download to the Desktop – or at least warns the hapless user that they are a fsking twat for attempting to do so?

  5. +++

    BUT remember Apple sucks at security patches, as in the 3 iCal security patches that Core Security was working with Apple on for 7 months to get patched, and Apple just kept giving excuses instead of fixing them. Apple just plain and simple SUCKS at fixing security patches. They could fix these problems in a week if they wanted.

    Some penetration tester podcasters have commented on how BAD Apple is at fixing vulnerabilities. Take that, what, 20 billion in the bank, and hire 4 people that find vulnerabilities and fix them ASAP.

    +++

    +++

  6. Okay, here begins the hue and cry, and if I had a castle, the villagers would be on the way with pitchforks and torches:

    Microsoft isn’t really evil. They think they are still a small company and behave like it. They also forget from time to time that there is an outside world, and they get scared when they suddenly realize there is one.

    Case in point on forgetting there is an outside world: If you try to connect to a VPN and fail, Vista has a troubleshooter, which of course can’t find the problem. At the end it recommends that you check to see if the computer is on. Now that makes no sense whatsoever to someone in Chicago trying to connect to their company’s VPN in New York, but it does make sense if you are on the Microsoft campus and the other computer is in the next room and you can walk over and check.

    Microsoft also does not understand why they are in the fix they are in. The monopoly stuff scared them witless. They started a partner program to make friends with their adversaries, and lost their focus on users, and with the second half of that begins their downfall. Their products are designed for salesmen and developers, not users.

  7. Security issues aside (because a problem should always be fixed), when was the last time Microsoft advised their users to stop using IE altogether when there was a problem? Oh right, that would mean not using it ever.

  8. Yeah, no…

    I use Firefox and Safari primarily on my XP and Vista virtualizations. I only use IE7 when updating is needed. Firefox is just faster, and Safari has greater font rendering ability. Pics look better too!

  9. In case anyone is interested in the facts behind this …

    It’s basically the Safari “carpet bomb” flaw (which isn’t really a flaw), in combination with the IE habit of executing any code handed to it on Windows.

    Safari automatically downloads stuff to the desktop from a site without asking your permission, because Apple feels that if you went to that site on purpose then the download is what you want. The stuff downloaded can’t affect a Mac computer anyway, so all it can ever be for a Mac user is a minor annoyance that can be stopped by going to a different site or turning off the browser. Also, on a Mac, any code or files downloaded from a website have to be authorised before they will run, whereas on Windows, they just run.

    On Windows this can be used to execute random code due to the IE flaws. So it’s really a MS, Windows-based problem in the long run.

  10. Typhoid Mary said: “Hey! I only carried one virus. Don’t compare me to MS, with their 120,000+ viruses!”

    I believe it would be a bacterium: Salmonella enterica serovar Typhi. But maybe you had a virus too.
