Monday, June 2, 2008

Microsoft: Safari Flaw a Danger to Windows Users

Via SecurityFix -

Microsoft warned on Friday that Apple's Safari Web browser for Windows exposes PCs to a security hole that permits potentially malicious files to be downloaded to a user's machine and run without prompting the user.

Microsoft's advisory comes two weeks after security researcher Nitesh Dhanjani warned both Redmond and Cupertino that Safari introduces a vulnerability in Windows and OS X machines, which allows any rogue Web site to "carpet bomb" the user's Desktop (Windows), or Downloads directory (Apple), with unwanted files (Safari is not installed by default on Windows machines).

Dhanjani said Apple indicated it wasn't in a hurry to fix the Windows vulnerability, if it ever got around to it.

"Apple does not feel this is an issue they want to tackle at this time," Dhanjani wrote on his blog. "In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system.

...

Microsoft evidently considers it a big deal: The software giant said in its advisory that it may release a security update to address the issue. Microsoft said the problem stems from a combination of the default download location in Safari and how the Windows desktop handles executables, which can allow files to be downloaded to a user's machine without prompting and then executed.

Microsoft says that in the meantime, Windows users who wish to continue using Safari despite the vulnerability should change the default download location of content in Safari to a location other than 'Desktop'.
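A defender-side heuristic for the "carpet bomb" behaviour described above, as an added example that is not part of the SecurityFix article or Microsoft's advisory: it flags any process that drops a burst of files into a Desktop folder within a short window. The event log format, process names and paths are constructed for illustration, not taken from any real product.

```python
"""Added example: detect a burst of file creations under a Desktop folder.
The one-event-per-line log format (ISO timestamp, process name, path) is a
constructed, hypothetical format used only for this illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample events: a browser dropping several files on the Desktop.
SAMPLE_EVENTS = """\
2008-06-02T10:00:00 Safari.exe C:\\Users\\alice\\Desktop\\a1.exe
2008-06-02T10:00:01 Safari.exe C:\\Users\\alice\\Desktop\\a2.exe
2008-06-02T10:00:01 Safari.exe C:\\Users\\alice\\Desktop\\a3.dll
2008-06-02T10:00:02 Safari.exe C:\\Users\\alice\\Desktop\\a4.exe
2008-06-02T10:00:02 Safari.exe C:\\Users\\alice\\Desktop\\a5.exe
2008-06-02T10:05:00 notepad.exe C:\\Users\\alice\\Desktop\\notes.txt
2008-06-02T11:00:00 Safari.exe C:\\Users\\alice\\Downloads\\report.pdf
"""

def parse_events(text):
    """Yield (timestamp, process, path) tuples from the constructed log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, path = line.split(" ", 2)
        yield datetime.fromisoformat(ts), proc, PureWindowsPath(path)

def is_on_desktop(path):
    """True if the file sits under a folder named Desktop (case-insensitive)."""
    folders = [p.lower() for p in path.parts[:-1]]   # exclude the file name
    return "desktop" in folders

def find_carpet_bombs(events, threshold=5, window=timedelta(seconds=10)):
    """Return {process: peak count} for every process that created at least
    `threshold` files under a Desktop folder within `window` (sliding window)."""
    recent = defaultdict(deque)
    hits = {}
    for ts, proc, path in sorted(events):
        if not is_on_desktop(path):
            continue
        q = recent[proc]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            hits[proc] = max(hits.get(proc, 0), len(q))
    return hits

if __name__ == "__main__":
    print(find_carpet_bombs(parse_events(SAMPLE_EVENTS)))  # {'Safari.exe': 5}
```

The Downloads-directory event and the single notepad.exe write are ignored, so only the five-file burst onto the Desktop is reported.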
