Apple's Safari web browser, with its compass-styled logo, suggests the excitement of exploring the "unknown worlds" of the Internet. Unfortunately, you might discover the newest colony of a well-known continent, Malwaria, instead.
Friday, Microsoft rolled out a high-profile security advisory (953818) for Windows XP and Vista users who also use Apple's Safari browser. Microsoft refers to the security risk as a "blended threat," meaning that multiple methods of attack are performed automatically: in this case, Safari automatically downloads files without asking for your permission.
The workaround offered by Microsoft is to change the default location for downloads away from the current user's Desktop folder to a different folder, but Microsoft also recommends that users restrict use of Safari until either Safari itself or Windows is updated. To find out why you're better off not surfing with Safari for now, read on.
Analysis of a "Carpet Bomb" Attack
According to Nitesh Dhanjani, who first brought Apple's attention to this and two other security problems with Safari in mid-May, Safari lacks a critical feature found in other web browsers:
...it cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed).
It's all too easy to create a web page that will perform what Dhanjani refers to as a "carpet bombing" of Safari's default download folder with any type of file the website wants to serve up, including malware (see the article for sample code and a great picture of a carpet-bombed Windows desktop).
Raff, who showed that the carpet bomb can be chained with an Internet Explorer bug, adds:
...this combined attack also exploits an old vulnerability in Internet Explorer that I've already reported to them a long long time ago.
Raff points out that Microsoft's suggested workaround simply means that Safari would "carpet bomb" a different folder if a hostile website tricked it into doing so. That's not much of a workaround. Ironically, Apple's not treating this shortcoming as a security issue(!), despite plenty of reasons it really is (see "Why Apple must fix Safari 'carpet bombing' flaw immediately" for details).
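Since Microsoft's workaround only relocates the drop folder, a host-side signal for a carpet bomb is worth having. The following is an added example (not code from the article, Microsoft, or Apple) of detection logic that flags a burst of files created directly in the browser's download folder; it assumes file-creation events are already available as (timestamp, path) records, and the thresholds and sample events are constructed for illustration.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed thresholds for illustration, not values from the advisory.
BURST_THRESHOLD = 5             # this many files in one burst triggers an alert
MAX_GAP = timedelta(seconds=10)  # a longer pause between files ends a burst
RISKY_SUFFIXES = {".exe", ".dll", ".scr", ".hta", ".bat"}

def detect_download_burst(events, download_dir, threshold=BURST_THRESHOLD, gap=MAX_GAP):
    """Group time-ordered (timestamp, path) file-creation events that land
    directly in download_dir into bursts, and report bursts of at least
    `threshold` files as (first_ts, last_ts, file_count, risky_names)."""
    folder = PureWindowsPath(download_dir)
    alerts, current = [], []

    def flush():  # close the burst in progress and keep it if it is large enough
        if len(current) >= threshold:
            risky = sorted(p.name for _, p in current if p.suffix.lower() in RISKY_SUFFIXES)
            alerts.append((current[0][0], current[-1][0], len(current), risky))
        current.clear()

    for ts, path in events:
        p = PureWindowsPath(path)
        if p.parent != folder:       # files elsewhere are not part of this signal
            continue
        if current and ts - current[-1][0] > gap:
            flush()
        current.append((ts, p))
    flush()
    return alerts

# Constructed sample: two ordinary downloads minutes apart, an unrelated file
# in another folder, then eight files dropped on the Desktop within two seconds.
_T0 = datetime(2008, 5, 31, 12, 0, 0)
DESKTOP = r"C:\Documents and Settings\alice\Desktop"
SAMPLE_EVENTS = [
    (_T0, DESKTOP + r"\report.pdf"),
    (_T0 + timedelta(minutes=3), DESKTOP + r"\photo.jpg"),
    (_T0 + timedelta(minutes=7), r"C:\Temp\unrelated.tmp"),
] + [
    (_T0 + timedelta(minutes=9, seconds=i // 3), DESKTOP + r"\drop%02d.%s" % (i, ext))
    for i, ext in enumerate(["dll", "exe", "txt", "dll", "jpg", "scr", "png", "exe"])
]

def demo():
    return detect_download_burst(SAMPLE_EVENTS, DESKTOP)

if __name__ == "__main__":
    for first, last, count, risky in demo():
        print(f"{count} files in {(last - first).total_seconds():.0f}s; risky: {risky}")
```

Only the drop folder is watched, so relocating downloads (the advisory's workaround) simply means pointing `download_dir` at the new location.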
But Wait, There's More (Trouble, That Is)
Dhanjani also reported two other security issues with Safari:
Safari's lack of a "sandbox" feature for local resources (this makes running HTML files with client-side-scripting a potential security issue)
A vulnerability that would enable files to be stolen remotely from a system running Safari (this one Apple's working on right away, thankfully)
It's Your Move
Here's what makes sense:
1. If you're already using Safari, stop running Safari until a fix is available for the "carpet bomb" and other vulnerabilities.
2. Whether you use Safari or other Apple products, when you see the Apple Updater offer you Safari, just say no for now, but note the version number.
3. Check the resources in this article to determine when Safari's safe to use again.