Microsoft advises Windows users to restrict use of Apple’s Safari web browser

Microsoft has issued a “Microsoft Security Advisory (953818), ‘Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform,’” that states:

Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default; it must be installed independently or through the Apple Software Update application. Customers running Safari on Windows should review this advisory.

At the present time, Microsoft is unaware of any attacks attempting to exploit this blended threat. Upon completion of this investigation, Microsoft will take the appropriate measures to protect our customers. This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customer needs.

Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.

Suggested Action: Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.

Microsoft has tested the following workaround:
• Change the download location of content in Safari to a location other than ‘Desktop.’
• Launch Safari. Under the Edit menu select Preferences.
• At the option where it states Save Downloaded Files to: select a different location on the local drive.

MacDailyNews Note: We have also tested a workaround (and it succeeds beyond your wildest dreams):
Get a Mac.

Full advisory here.

[Thanks to MacDailyNews Reader “Bizarro Ballmer” for the heads up.]

MacDailyNews Take: This is like Typhoid Mary advising on food safety.

62 Comments

  1. Microsoft advises Windows users to restrict use of Apple’s Safari web browser

    That’s a headline? Really??? In other news, GM advised drivers to restrict their use of Hondas and Catholic priests urge followers to restrict their use of Presbyterians!

    (Um…I didn’t mean it in that way.)

  2. The Spinning FUDmeisters are at it again!

    Of course MS doesn’t want their users to see what a modern, web standards compliant browser looks like, works like and feels like. It would illuminate the lie that Internet Explorer is and has been for years.

  3. Dumb IT Guy sez:
    “Oh yeah, Apple is so lax on security and putting out fixes that systems running Mac OS X are being hacked at will on a daily basis. Oh wait, they aren’t? Umm, uh, well….”

    Just to remind folks of what is probably Bill Gates’s most senile comment of all time, thus far:

    “Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine.”
    — Bill Gates talking to NewsWeek magazine January 2007

    Would you buy a window from this guy? How about Windows?

  4. @harvey,
    Microsoft is not some nice little company that has lost its way. It’s a huge powerful company that has ALWAYS focused on MONEY first. period. How can we get the money from the customer.???

    After all, Vista was done for your own good. We check your computer for unlicensed software for your own good. We force DRM on you…….. for your own good.

    And do not forget:

    “Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine.”
    — Bill Gates talking to NewsWeek magazine January 2007

    Words from a man who has totally lost all clue as to reality.

    Just a thought.

    en

  5. Mymac43ever sez:
    “Sounds like a preemptive strike – make win-users of Safari unsure of its safety and woo them back to Explorer’s “safe” environment”

    Gates has always gone by the old rule of WC Fields: ‘There’s a sucker born every minute.’ Once he found IBM, of all companies, were incredible suckers, he figured he could con-job just about anyone. Well, he was 90% right.

    Meanwhile, anyone with half a brain using Windows knows that the very best way to catch malware off the Internet is to use M$ Internet Explorer. Version 7 has been a horror. I know many people who refuse to update to it, despite all the nagging from M$ via its updaters. M$ announced they are working on Version 8 ASAP just to calm people down.

  6. Haha…

    If IE opened up a vulnerability in OS X, you’d be so quick to say: Well, IE sucks… it’s not Apple’s fault… it’s crappy IE software.

    The opposite happens… seriously, there are so many hypocrites here. It may come as a surprise to some of you, but Microsoft isn’t as “scared” of Apple as you’d like to believe… and one of the reasons that people stick with Microsoft is their policies are, actually, less autocratic and restrictive than Apple’s. Many people, even Apple developers, despise how Apple feels the need to have its finger in everything.

    Apple in its current state will always appeal to a niche market. That niche market likes it that way. If Apple was really on top, there would be no enemy.

    When it comes down to it, all technology is more of the same crap. All these squabbles about the technology used are nothing but “My dad can beat up your dad” arguments.

    In the real world, people use what works and is cost-effective. It needn’t necessarily be fancy or pretty, it doesn’t need to be high-end. There are a plethora of different tools that are needed for a plethora of different applications… Apple CAN NOT come near to filling even 1% of those needs.

    Apple is able to dictate its needs to people because they make a desirable product which works well in doing what it does.

    Seriously, people, I’m writing this on an iMac but I’m not so blind as to worship Apple and think they’re infallible… some of you really need to get a religion or something, because your worship of the Cult of Apple isn’t much different.

  7. @Reality Check: This particular story cannot be reversed. The bug is not in Safari. Safari is exposing a weakness in how Windows (all versions, all patches) and IE deal with executable files. Mac OS X does not have a comparable weakness for your hypothetical IE7 for Mac to expose. In this case we are not blind hypocrites. Not to say Apple couldn’t and shouldn’t address this issue, but it is trivially simple for individual users to seal the hole and avoid exposing the Windows/IE weakness: change the default download folder under Edit:Preferences.

    I’ve been reading about this on a few other sites as well. The hysteria is pathetic. Apple cannot program anything correctly. Safari will destroy your whole machine. The only solution is to purge Safari from your computer. Complete and utter crap.

    Change the default download folder under Edit:Preferences. Problem solved. How many times does it need to be said?

    It seems either people are deeply, deeply stupid, or people are deeply, deeply dishonest. Either is depressing.

  8. @Passerby

    It was clear that Microsoft Office for Macs had major security issues with Entourage. But did Apple come out blaming Microsoft… no…..

    This is just an attempt by Microsoft to discredit Apple… and more importantly the iPhone

  9. @steve

    I absolutely agree. If Apple is to be the computer of choice for the consumers, then they better have a very robust virus search and destroy team. Let’s face it, consumers, small business, etc. don’t have IT depts to rely on. We’re relying solely on Apple, and they better be up to the task or risk losing the gains they have made.

    Chazzz

  10. @applepi

    You’re a little bit over the top, I’d say they do meet more than 1%. But I have to admit, Jobs does keep Apple focused, maybe too focused.

    I really admire the job the CEO of Ford is doing. I’ve been watching closely, and actually made a big bet on Ford stock long before Kerkorian. However, I am disappointed that Ford went to M$ to develop SYNC, its very desirable system for iPods, iPhones, et al. I’ve seen no discussion in the press if Ford went to Apple, but it seems with Apple’s great ability to design user interfaces, Ford would have gone to Apple first. If they did and were rebuffed, then too bad for Apple, ’cause everyone’s going to need this technology going forward, or something like it.

  11. What makes you think Apple doesn’t have the best anti virus team in the world? After nearly eight years, there are STILL no OS X viruses in the wild. Do you think that’s just luck?

    You admire the CEO of Ford? The same one who couldn’t see that the days of SUVs were limited? We’ve known since 1973 that we needed to produce fuel efficient (and NO, 30mpg is NOT efficient) vehicles, yet Ford has led the charge to 5,000+ lb behemoths with 8-cylinder fuel gobbling engines. Now the company is paying the price, yet you admire this guy?

    I suppose you want to blame Ford’s problems on the workers. You must admire how he’s shipping worker jobs off to cheap labor markets so they can remain profitable without having to produce efficient, quality products.

  12. I don’t consider this a bad problem — and it should go without saying that it is less serious than at least one of the other issues Mr. Dhanjani has reported to Apple and that they have, properly, promised to deal with. See here:

    http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html

    Nevertheless, it most certainly is undesirable behaviour. That a browser should download resources automatically, and that it isn’t possible to switch that off, even if the less sensible behaviour is the default, is … well, it’s somewhat breathtaking. And the reply from Apple, quoted by Dhanjani, comes across as insouciant.

    Altogether Apple are far too insouciant when it comes to security. And Mac users should be calling for the company to get more serious on security not pretending all is well when it’s not. The MoAB affair ought to have been a wake-up call to the emotionally immature who, apparently, must needs do that, and who are, unfortunately, all too numerous among Mac users (or at least among vocal Mac users). But, of course, it was a wake-up call all too many failed to hear. Apple’s relatively slow times to patch, and, particularly, its unfortunate habit of not rolling in patches in open-source modules in a timely manner should, again, give people pause for thought. These, and a number of other matters, should give Mac users pause for thought or even — can one hope for such a thing? — pause for breath.

    But some people, like the Bourbons, are unteachable.

    I like Apple’s gear very much, but Apple’s not my damn girlfriend. I’m not so besotted with the company, that I’ll make excuses for it when it doesn’t do or say the right things.

    From the point of view of security — let alone anything else — I’d still advise anyone to buy a Mac (or a Linux machine). One could point out, for example, that ActiveX is a far more pressing danger to Windows users than this issue, and running ActiveX is something Microsoft’s browser does by design.

    But such comparisons are not really to the point. Apple ought to be taking security far more seriously than it seems to be doing. And, in this particular case, Apple’s reply to Mr. Dhanjani was damn stupid:

    …the ability to have a preference to “Ask me before downloading anything” is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.

    And one thing Apple has now succeeded in doing is handing a propaganda coup to the beast of Redmond.

    Nice work, guys.
