Microsoft has officially responded to the discovery of a “blended threat”: a design choice in Safari that allows a malicious website to download a myriad of unwanted files and clutter the user’s download location without prompting. This is the so-called “Carpet Bomb” effect. While Microsoft’s Security Response Center is working on the problem with Apple and is not calling it a vulnerability of either Windows or Safari, it has issued a security advisory that advises Windows customers to restrict their use of Safari until an update is available from either Apple or Microsoft.
Microsoft’s official statement, obtained by TMO, is as follows:
“Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default: it must be installed independently or through the Apple Software Update application.
Microsoft issued Security Advisory (953818) to provide guidance to customers running Safari on the affected platforms to help them protect themselves. Microsoft is actively monitoring this situation to keep customers informed and will provide additional customer guidance as necessary. Security Advisory (953818) does not refer to a vulnerability in either Safari or Windows. Rather, it describes a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed. This results from a combination of the default download location in Safari and how the Windows desktop handles executables. Safari is available as a stand-alone install or through the Apple Software Update application.
At the present time, Microsoft is unaware of any attacks attempting to exploit this blended threat. Upon completion of this investigation, Microsoft will take the appropriate measures to protect our customers. This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customers’ needs.
Microsoft and Apple security teams are in contact with each other and are working together on this issue. Microsoft has been in contact with the Apple security team since the finder reported the blended threat. Microsoft is always willing to work with security researchers in the interest of better protecting customers. While some details on this issue have been publicly disclosed, we are working with the researcher on this issue as part of our active investigation. To minimize risk to computer users, Microsoft continues to encourage responsible disclosure. By privately reporting vulnerabilities directly to a vendor, it helps ensure that customers receive comprehensive, high-quality updates while reducing the risk of attack.
As always, the Microsoft Security Response Center (MSRC) will stand ready to mobilize its teams to investigate reports of possible vulnerabilities and the company will take appropriate action to protect its customers, as needed.”
The security advisory from Microsoft recommends that Windows users should “Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.”
The problem was first reported by security researcher Nitesh Dhanjani in mid-May. At the time, Apple told Mr. Dhanjani that it did not intend to address the issue at that time. Subsequently, StopBadware.org urged Apple to deal with the problem quickly, since unwanted, malicious files left on a computer could at some point be accidentally executed by the user.
Safari exhibits the same behavior on a Mac.
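The behaviour described above leaves a recognisable trace: a burst of executable files appearing in the browser’s default download folder within seconds of each other, none of them requested by the user. The following is an added defender-side example, not code from the article or from Microsoft or Apple, that flags such a burst in a directory listing; the file names, timestamps and thresholds are constructed for illustration.

```python
# Added example: a heuristic for spotting a "carpet bomb" pattern, i.e. many
# executable files created in a download folder inside a short time window.
# Paths, timestamps and thresholds below are constructed, not real data.
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions the Windows shell treats as executable content.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".pif"}


def find_download_bursts(entries, window=timedelta(seconds=10), min_files=5):
    """entries: iterable of (path, created_at) tuples.

    Returns a list of bursts; each burst is the list of executable file paths
    whose creation times all fall inside `window` of the first one and whose
    count is at least `min_files`.  Each file is reported in at most one burst.
    """
    execs = sorted(
        ((p, t) for p, t in entries
         if PureWindowsPath(p).suffix.lower() in EXECUTABLE_EXTS),
        key=lambda e: e[1],
    )
    bursts, i = [], 0
    while i < len(execs):
        j = i
        # Extend the window while the next executable is still within it.
        while j + 1 < len(execs) and execs[j + 1][1] - execs[i][1] <= window:
            j += 1
        if j - i + 1 >= min_files:
            bursts.append([p for p, _ in execs[i:j + 1]])
            i = j + 1          # skip past the burst so it is reported once
        else:
            i += 1
    return bursts


def sample_desktop_listing():
    """Constructed listing of a Desktop folder as (path, creation time)."""
    t0 = datetime(2008, 6, 1, 12, 0, 0)
    burst = [(rf"C:\Users\alice\Desktop\drop{i}.dll",
              t0 + timedelta(seconds=i * 0.5)) for i in range(6)]
    return burst + [
        (r"C:\Users\alice\Desktop\report.pdf", t0 + timedelta(seconds=1)),
        (r"C:\Users\alice\Desktop\setup.exe", t0 - timedelta(hours=1)),
    ]


if __name__ == "__main__":
    for burst in find_download_bursts(sample_desktop_listing()):
        print(f"possible carpet bomb: {len(burst)} executables in one window")
        for path in burst:
            print("  ", path)
```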
The plea by StopBadware.org and Microsoft’s security advisory show how seriously these organizations take the problem; the situation also shows the cost of ignoring a potential security threat, even when Apple’s prevailing philosophy and priorities differ from those of others.