Microsoft: Safari Flaw a Danger to Windows Users

Microsoft warned on Friday that Apple's Safari Web browser for Windows exposes PCs to a security hole that permits potentially malicious files to be downloaded to a user's machine and run without prompting the user.

Microsoft's advisory comes two weeks after security researcher Nitesh Dhanjani warned both Redmond and Cupertino that Safari introduces a vulnerability in Windows and OS X machines, which allows any rogue Web site to "carpet bomb" the user's Desktop (Windows), or Downloads directory (Apple), with unwanted files (Safari is not installed by default on Windows machines).

Dhanjani said Apple indicated it wasn't in a hurry to fix the Windows vulnerability, if it ever got around to it. "Apple does not feel this is an issue they want to tackle at this time," Dhanjani wrote on his blog. "In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system."

View: Full Article @ The Washington Post


37 Comments


I'm surprised people are fighting about IE vs Safari, when everyone knows you should be using Firefox...


And Microsoft is about to release IE 8 Beta, so they don't want Safari to steal more market like they did with iTunes...

"Dhanjani said Apple indicated it wasn't in a hurry to fix the Windows vulnerability, if it ever got around to it."

Is anyone at all shocked by this attitude? Really? Maybe if I type it in giant letters I can draw more attention to my comment! You know, because it's more important than the other ones

FUD

Why (or how) Microsoft have the right to talk about THIRD PARTIES SOFTWARE? And, do you know the goodness about Internet Explorer browser?

Soon Microsoft will blame WOW, Counter Strike and BF. And, do you know about the goodness of xbox360 and Falo3?

Why (or how) Microsoft have the right to talk about THIRD PARTIES SOFTWARE?

Well, let's see... because it has a security problem, that's why. Have you ever heard any Microsoft partner or competitor talk about Windows? All major anti-virus software companies come to mind. Let's see who else? Oh yeah, "Hi, I'm a Mac... I'm a PC"...ring a bell???

And, do you know the goodness about Internet Explorer browser?

Yes. It's FUD that leads people to believe Firefox is more secure when in reality it has its own problems as does Safari.

Now perhaps that FUD will subside

Why (or how) Microsoft have the right to talk about THIRD PARTIES SOFTWARE?

Microsoft has every right to be able to.

I mean, our beloved Apple (who can do absolutely no wrong!) does it all the time, so why can't Microsoft or any other company?

Or at least pop-up a security window informing the user of the issue and giving them the choice whether to use Safari or not but we all know what would happen if they did... lawsuit anybody? :confused:

Here's my take: If Safari and Quicktime are supposed to represent the Mac experience on a Windows platform, then I now know exactly what it's going to be like if Apple becomes as widely used as Windows.

I think that says it all really. Mac OS X is stable because it is installed on controlled hardware. Take that away and I don't think Apple could even cope with all the problems that have plagued Windows, something which Microsoft has a lot of experience with, and credit to them have done generally well.

Scirwode

Way I see things, Apple will address this issue, bury it in a "Security Update", never acknowledge that it was a problem to begin with, and conclude by remarking that OS X is the most secure operating system ever.

This is unacceptable. If their response is correct, why the heck do they think this is not a security issue?

I think this approach will change as soon as malicious websites implement this and start bogging Mac and Windows users with tons of downloads.

These kinds of companies must be trusted about their security policies. Microsoft has always been informative (I don't think they are 100% though, because info about some issues is best hidden until they are solved) but Apple, as far as its Windows software is concerned, always takes a long time to fix their flaws.

I hope this doesn't get spread to users of Safari but Apple has to fix this behavior in their browser.

Apple doesn't have security issues.... whoops I mean Macs don't have viruses... whoops that is also in fact a lie.... Apple do have security issues. Maybe people will have to rely on Microsoft being the one to fix the security issue via Windows Update... any file not downloaded from IE or another approved browser by Microsoft could have the file marked and then has a security check pop-up dialog box - oh wait then Apple will probably argue that this is deliberately causing a nuisance to users to try and stop people using Safari.


(plastikaa said @ #12)
Apple doesn't have security issues.... whoops I mean Macs don't have viruses... whoops that is also in fact a lie.... Apple do have security issues. Maybe people will have to rely on Microsoft being the one to fix the security issue via Windows Update... any file not downloaded from IE or another approved browser by Microsoft could have the file marked and then has a security check pop-up dialog box - oh wait then Apple will probably argue that this is deliberately causing a nuisance to users to try and stop people using Safari.

Macs don't have security issues

Not true. No one has ever emphatically stated that Macs don't face security risks and challenges.

Macs don't have viruses

Nothing reported in the wild that has infected any OS X user since OS X's inception. Although I'm sure one can be made in a lab in a controlled environment.

Microsoft should warn Safari users with an update to the Malicious Software Removal tool.

Apple certainly seems to be a malicious software vendor on the Windows platform -- I think it fits.


"Hi. I'm a Mac."
"And I'm a PC."
"And I'm an Apple Developer" *pulls out a gun and shoots PC in the leg.*

I am very glad that I use either Firefox or IE (mainly Firefox) as my browsers!

As for Safari, Apple is still stuck in the old ways of "Security by Obscurity".
Apple takes this critical security matter so lightly.

I just hope that websites will take advantage of this flaw
and fill up the desktop with 1000 gigabytes of useless files on Mac OS X and Windows,
let's see how Apple would change their mind
about the urgency of the Carpet Bomb Safari Security flaw!

/Uninstalls Safari

It's more like Apple are thinking 'if we let this flaw go unpatched for a while, people will blame Windows instead!'

Safari makes IE7 look completely secure.

Yep,
Uninstalling Safari from all of my machines.
Bummer! Was starting to like this browser too. Definitely a fast browser. Stupid bookmarks setup though.

Is this talking about how Safari just starts downloading things and then once it's done asks you if you wanted it? :\ Always thought that was a bit weird.

(ecotrojan said @ #4)
Who chooses this when IE is such a good browser?

Amen. I love IE7. Team it up with IE7Pro and you've got the perfect browser!

As for this Safari flaw, I bet Apple are doing this on purpose to try and claim that Mac is safer.

Good on Microsoft to be honest. How Apple can not see that this is a security flaw I don't know. All it would take is an inadvertent double-click on the wrong executable, or hitting return instead of delete with them all selected to induce chaos on your system. If everyone else can fix flaws like this, why does Apple think that they don't have to?

If they don't want to maintain Safari for Windows, they shouldn't have made it in the first place.