As if Windows users didn't already have enough good reasons to avoid Apple's Safari Web browser, Microsoft this week provided another, more important one: It can be used to trigger a so-called "carpet bombing" attack on users' PCs and running applications that could be used to take over the machine.
According to the search researcher who discovered the problem, the Safari carpet bombing flaw is actually one of three separate security issues he found in the browser in mid-May. Nitesh Dhanjani says he reported the flaws to Apple at that time, and Apple has pledged to fix one of the other flaws he discovered, but does not feel the carpet bombing flaw is "security related."
Dhanjani disagrees. "It is possible for a rogue Web site to litter the user's desktop \[with executable applications\]," Dhanjani writes in a blog post describing the flaw. "This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location. The implication of this is obvious: Malware downloaded to the user's desktop without the user's consent."
Apple's response to Dhanjani suggests that the company isn't interested in tackling this problem anytime soon. "We can file that as an enhancement request for the Safari team," Apple told him. "Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated."
On Friday, Microsoft announced that it was taking the flaw more seriously because it is a "blended threat" that combines a Safari flaw with how the Windows desktop handles executables. "Microsoft will take the appropriate measures to protect our customers," a Microsoft security advisory reads. "This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customers' needs."
Microsoft recommends a workaround while it works on a solution: Reconfigure the default location where Safari downloads content to the local drive, as doing so will prevent the flaw from being exploited. I have a more elegant solution: Simply avoid Safari all together and use a browser that's written by developers who understand the security nuances of Windows better. I recommend Mozilla Firefox, but Internet Explorer 7 is acceptable as well.