XP, Vista Vulnerability Triggered by Safari Browser
Microsoft continued to investigate what it called public reports of a remote code execution threat for XP and Vista when Apple's Safari Web browser is installed.
- By Jabulani Leffall
- June 02, 2008
Microsoft on Monday continued to investigate what it called public reports
of a remote code execution threat for Windows XP and Vista when Apple's
Safari Web browser is installed.
Over the weekend, Redmond issued security
advisory 953818, which the company made clear was not a patch, but a guide to
help potentially affected customers deal with the issue.
The desktop-based attack vector, known in the hacking community as a "carpet
bomb," exposes a security hole that allows potentially malicious executables to
be downloaded onto a user's or shared desktop. These malicious executables
come disguised as normal Windows executables.
Redmond was quick to point out that the blame rests on neither the operating
system nor the browser, but on the interoperability of Windows and Safari.
"The [advisory] does not refer to vulnerability in either Safari or Windows
themselves," wrote Tim Rains, security response communications lead for
Microsoft, in an e-mail to Redmondmag.com. "Rather, it describes a blended
threat in which files may be downloaded to a user's machine without prompting,
allowing them to be executed."
According to Andrew Storms, director of security operations at nCircle Network
Security Inc., the Safari bug Microsoft referred to in its weekend advisory is
the same one uncovered in mid-May by independent security researcher Nitesh
Dhanjani.
"It looks like Apple declined to treat that as a security issue."
Meanwhile, researcher Aviv Raff said
in his blog that an earlier vulnerability in several versions of Internet
Explorer goes a long way in explaining the Windows side of the issue.
"I've decided to work with Microsoft on this issue," Raff wrote on
May 31, "because this combined attack also exploits an old vulnerability
in Internet Explorer that I've already reported to them a long, long time ago."
Microsoft's Rains added that the combination of the default download location
in Safari and the way Windows handles its application executables may trigger
or exacerbate the potential vulnerability. However, he said, "Customers who have
changed the default location where Safari downloads content to the local drive"
on a workstation would not be affected by this issue.
Microsoft said it was keeping in close contact with the Apple security team as the investigation
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.