Microsoft warned on Friday that Apple's Safari Web browser for Windows exposes PCs to a security hole that permits potentially malicious files to be downloaded to a user's machine and run without prompting the user.
Microsoft's advisory comes two weeks after security researcher Nitesh Dhanjani warned both Redmond and Cupertino that Safari introduces a vulnerability in Windows and OS X machines, which allows any rogue Web site to "carpet bomb" the user's Desktop (Windows), or Downloads directory (Apple), with unwanted files (Safari is not installed by default on Windows machines).
Dhanjani said Apple indicated it wasn't in a hurry to fix the Windows vulnerability, if it ever got around to it. "Apple does not feel this is an issue they want to tackle at this time," Dhanjani wrote on his blog. "In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system."

If they don't want to maintain Safari for Windows, they shouldn't have made it in the first place.
Amen. I love IE7. Team it up with IE7Pro and you've got the perfect browser!
As for this Safari flaw, I bet Apple are doing this on purpose to try and claim that Mac is safer.
Safari automatically downloads stuff to the desktop from a site without asking your permission, because Apple feels that if you went to that site on purpose then the download is what you want. The stuff downloaded can't affect a Mac computer anyway so all it can ever be for a Mac user is a minor annoyance that can be stopped by going to a different site or turning off the browser. Also on a Mac, any code or files downloaded from a website have to be authorised before they will run, whereas on Windows, they just run.
On Windows this can be used to execute random code due to the IE flaws. So it's really a MS, Windows-based problem in the long run.
IE also marks downloaded files as "downloaded from the internet" which works the same way as on the Mac.
How? What IE flaws? Link please?
Also, I do get a dialog box when I start downloading something in IE - I can choose to either Run the thing after it is downloaded or Save it. Whatever the choice, after it is downloaded you get the usual "Internet Explorer Security Window" with the publisher information and real name of the application I am going to install. (And just for the record, this last security window also appears when I download something through Firefox.) So can you tell me when code on Windows "just runs"?
**ahem** . . . it was really, really early. Not thinking straight.
This argument is flawed. I can use Safari to go to "Innocent Looking Web Site".
Turns out that the Web Site exploits the Carpet Bomb Apple Security Flaw on MacOSX and Windows,
and note that I went to that site without the intention of downloading anything!
LTD is now marked as "Blind Apple Fanboi"
I corrected myself above.
It's more like Apple are thinking 'if we let this flaw go unpatched for a while, people will blame Windows instead!'
Safari makes IE7 look completely secure.
Last edited by bbfc_uk on 01 Jun 2008 - 15:21
Uninstalling Safari from all of my machines.
Bummer! Was starting to like this browser too. Definitely a fast browser. Stupid bookmarks setup though.
As for Safari, Apple is still stuck in the old ways of "Security by Obscurity".
Apple takes this critical security matter so lightly.
I just hope that websites will take advantage of this flaw
and fill up the desktop with 1000 GigaBytes of useless files on MacOSX and Windows,
let's see how Apple would change their mind
about the urgency of the Carpet Bomb Safari Security flaw!
Apple certainly seems to be a malicious software vendor on the Windows platform -- I think it fits.
"Hi. I'm a Mac."
"And I'm a PC."
"And I'm an Apple Developer" *pulls out a gun and shoots PC in the leg.*
Last edited by MioTheGreat on 01 Jun 2008 - 16:44
MS shipped Windows XP in 2001 with five open ports. A security nightmare, even though we were well into the internet age. A Swiss cheese OS, really.
They've finally cleaned up their act - although it took XP years to get to SP3 where it's finally mature enough. And to their credit MS is in very recent memory being extremely open about flaws and careful to fix mistakes.
On the other side of the fence, to their credit, Apple adopted a Unix/BSD foundation for their OS, and there has not been one single virus for OS X documented in the wild. They've created the most stable, reliable, usable consumer OS on the planet.
But unfortunately, and perhaps to their chagrin in the near (or not so near) future, they have a rather cavalier attitude about security.
Let's keep things in perspective, shall we? It seems neither organization is either 100% successful or 100% honest when it comes to security.
And when it comes to dishonesty, underhanded tactics, Apple can (and perhaps has) learned plenty from Microsoft.
Perspective, people.
My take:
I'm surprised at Apple's statement. I find it inappropriate. Although the Windows architecture might present some challenges, Apple needs to step up its efforts to treat Windows users as well as it treats Mac users. If Apple's tactic is to encourage use of its software on OS X by serving up incomplete (and flawed) versions of it on Windows, then at least in part, it will result in a good chunk of users who are not only angry, but simply can't move to OS X wholesale for whatever reason.
Safari for Windows can be so much more. Unfortunately, Apple is treating it poorly, so much so that it might bite them back.
Scirwode
Wouldn't it be better to simply create outstanding products for Windows, making people feel like, "Apple always releases quality software"?
Macs don't have security issues
Not true. No one has ever emphatically stated that Macs don't face security risks and challenges.
Macs don't have viruses
Nothing reported in the wild that has infected any OS X user since OS X's inception. Although I'm sure one can be made in a lab in a controlled environment.
I think this approach will change as soon as malicious websites implement this and start bogging Mac and Windows users with tons of downloads.
These kinds of companies must be trusted about their security policies. Microsoft has always been informative (I don't think they are 100% though, because info about some issues is best hidden until they are solved), but Apple, as far as its Windows software is concerned, always takes a long time to fix its flaws.
I hope this doesn't get spread to users of Safari, but Apple has to fix this behavior in their browser.
Scirwode
Why (or how) does Microsoft have the right to talk about THIRD-PARTY SOFTWARE? And, do you know the goodness about Internet Explorer browser?
Soon Microsoft will blame WoW, Counter-Strike and BF. And, do you know about the goodness of Xbox 360 and Halo 3?
Well, let's see... because it has a security problem, that's why. Have you ever heard any Microsoft partner or competitor talk about Windows? All major anti-virus software companies come to mind. Let's see who else? Oh yeah, "Hi, I'm a Mac... I'm a PC"...ring a bell???
And, do you know the goodness about Internet Explorer browser?
Yes. It's FUD that leads people to believe Firefox is more secure when in reality it has its own problems, as does Safari.
Now perhaps that FUD will subside.
Microsoft has every right to be able to.
I mean, our beloved Apple (who can do absolutely no wrong!) does it all the time, so why can't Microsoft or any other company?
Is anyone at all shocked by this attitude? Really? Maybe if I type it in giant letters I can draw more attention to my comment! You know, because it's more important than the other ones
And Microsoft is about to release IE 8 Beta, so they don't want Safari to steal more market like they did with iTunes...