Microsoft has issued a “Microsoft Security Advisory (953818), ‘Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform,'” that states:
Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default; it must be installed independently or through the Apple Software Update application. Customers running Safari on Windows should review this advisory.
At the present time, Microsoft is unaware of any attacks attempting to exploit this blended threat. Upon completion of this investigation, Microsoft will take the appropriate measures to protect our customers. This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customer needs.
Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.
Suggested Action: Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.
Microsoft has tested the following workaround:
• Change the download location of content in Safari to a location other than ‘Desktop.’
• Launch Safari. Under the Edit menu select Preferences.
• At the option where it states Save Downloaded Files to: select a different location on the local drive.
MacDailyNews Note: We have also tested a workaround (and it succeeds beyond your wildest dreams):
• Get a Mac.
Full advisory here.
[Thanks to MacDailyNews Reader “Bizarro Ballmer” for the heads up.]
MacDailyNews Take: This is like Typhoid Mary advising on food safety.
“But such comparisons are not really to the point. Apple ought to be taking security far more seriously than it seems to be doing.”
All you have to back that up is your opinion about how Apple is handling one tiny little issue that really is Microsoft’s problem! You could reasonably make this claim if Macs were under siege the way Windows is, but you can’t even point to one real OS X virus! And no, a couple of lame trojans in nearly eight years don’t count.
“There’s a sucker born every minute” wasn’t W.C. Fields. That was P.T. Barnum.(*) W.C. Fields said “Never give a sucker an even break.”
* Well actually, P.T. Barnum didn’t say it either, although everybody says he did. It was Barnum’s competitor, David Hannum.
See http://www.historybuff.com/library/refbarnum.html
MS and Ford deserve each other. Inefficient crap churned out by bloated, blind behemoths.
Since Vista, M$ has lost any credibility. People won’t even listen to that FUD. On the contrary, they even may think: “Well, if M$ says it, it must be again a damn lie… let’s do the opposite!”
wow, the inventors of the software vulnerability advise against someone else’s software? impressive. they must have to carry their balls around in a wheel barrow.
Microsoft also advises that if you’re driving 100 miles per hour through the heart of town in a flaming parade float you should wear your seatbelts.
http://rip-ragged.com/dross/index.php/2008/06/android-sprintsamsung-instinct-market-share-iphone-lesbian-porn/
This is a thinly veiled attack on Safari. Never mind the fact that ActiveX can easily be exploited in IE unless the most stringent settings are used. I consider Safari my “safe” browser and save IE for only when compatibility is needed.
And Typhus Fever is really caused by a bacterium, not a virus.
This is great – in the Microsoft advisory, under Suggested Actions, it says:
“Customers who are interested in learning more about this feature should review Microsoft Knowledge Base Article 953818”
We always joked about Microsoft calling bugs features, but I guess they actually do!
WARNING! Readers with short attention spans, please avert your eyes. (-_-)
Reality Check sez flame provoking rubbish.
ApplePi sez flame provoking rubbish.
-> HAHAHAHAHA! Thanks for the amusement.
steve sez something useful:
“BUT remember Apple sucks at security patches as in the 3 iCal security patches that Core Security was working with Apple for 7 months on getting patched and Apple just kept giving excuses to fix. Apple just plain and simple SUCKs at fixing security patches. They could fix these problems in a week if they wanted…. Some penetration testers podcasters have commented on how BAD Apple is at fixing vulnerabilities. Take that what 20 Billion in the bank and hire 4 people that find vulnerabilities. and fix them ASAP.”
Chazzz sez something useful too:
“I absolutely agree. If Apple is to be the computer of choice for the consumers, then they better have a very robust virus search and destroy team. Let’s face it consumers, small business, etc. don’t have IT depts to rely on. We’re relying solely on Apple, and they better be up to the task or risk losing the gains they have made.”
BACKSTORY:
Symantec, the maker of the worst anti-malware application for Mac OS X, started the Anti-Mac Security FUD Campaign back in August, 2005. The gist of their argument was that Mac was returning to popularity and therefore was going to be FLOODED with malware! OMG! And no flood appeared. McAfee joined in, certain trolling persons at SANS Institute joined in, as well as some sleazy ‘Month Of Apple Vulnerabilities’ hackers. Every time there was a proof of concept malware announced, they all screamed BLOODY MURDER! And no flood appeared. Oh look, an actual piece of malware did show up in the wild that required social engineering to get a computer user to perform the installation! Zzzzzz.
Despite the stoopidity of the FUD mongering and the hoping, hoping, hoping that Mac OS X would get slammed with malware so all the smirkers could smirk some more, it did do one important thing that somehow few people noticed. It got Apple off their lazy backsides.
(What, a criticism of Apple? Unbelievable! NOT! The people MOST critical of Apple are Apple users themselves. WAKE UP!)
If you go back and thrash through the security fixes Apple has provided over the years, comparing those they provided previous to the FUD campaign versus those after, you’ll see the increase is astronomical.
Of course Apple can do A LOT better, as in doing their own in house vulnerability testing instead of having to wait upon the good graces of professional and hacker vulnerability hunters.
But Apple requires some credit and admiration for not being apathetic to security. It took an electric cattle prod to get the old cow moving, but she’s running at a fair clip at the moment. This is when you clap and cheer and give her some encouragement. Telling her to do better is a great idea as well. But you don’t threaten to whip the cow and tell her to get off her butt when she’s already off in the other field. You’re talking to yourself.
“Get a Mac” is a workaround?? What nonsense is that? Some people actually have to go out and EARN the money to buy a new computer. Others have software that won’t run on a Mac without also having to buy a copy of Windows (another expense).
No workaround should be necessary. This hole needs to be fixed. In the meantime, I will continue to use Firefox, the best browser on the market, IMHO.
@ Reality Check:
Check out this statement from:
http://www.internetnews.com/security/article.php/3750471/Microsoft+Warns+of+Apple+Flaw.htm
“It turns out that if this flaw is exploited in combination with a second unpatched bug in Internet Explorer…”
Interesting how MS didn’t advise anyone to stop using IE.
Continuing:
“…attackers can run unauthorized software on a victim’s computer, according to Aviv Raff, a security researcher. Raff says he originally reported the IE flaw to Microsoft more than a year ago, and then told them about how it could be combined with the carpet bombing bug just over a week ago.”
Catch that? This flaw has been present on IE for a year, and still isn’t patched…
…yet Apple Safari is now being aggressively berated for being the “bad partner” in this blended threat.
-hh
Man oh man I did not realize how full of holes Safari really is. 17 fixed already on the PC iteration and 12 on the Mac. Swiss cheese anyone? Or maybe some wine?