[LINK] Microsoft urges Windows users to shut down Safari

Bernard Robertson-Dunn brd at iimetro.com.au
Tue Jun 3 20:57:18 AEST 2008

Microsoft urges Windows users to shut down Safari
Responses from Apple and Microsoft typical of their rivalry and 
different approaches to security
Gregg Keizer 03/06/2008 08:19:53

In an unusual move, Microsoft on Friday warned Windows users to swear 
off Apple's Safari Web browser until a patch is available that plugs 
holes that could let attackers compromise computers.

One security researcher noted that Microsoft's public warning -- and 
Apple's silence on the subject -- are typical for the two rivals and 
illustrate their different approaches to security.

Friday, the Microsoft Security Response Center (MSRC) issued a security 
advisory for what it called a "blended threat" caused by a combination of 
a bug in Apple's Safari Web browser and a vulnerability in how Windows 
XP and Windows Vista handle executable files placed on the desktop.

"Microsoft is investigating new public reports of a blended threat that 
allows remote code execution on all supported versions of Windows XP and 
Windows Vista when Apple's Safari for Windows has been installed," said 
the advisory.

The Safari bug Microsoft referred to is the same one disclosed two weeks 
ago by researcher Nitesh Dhanjani, which Apple declined to treat as a 
security issue, said Andrew Storms, director of security operations at 
nCircle Network Security Inc. "Clearly, that's what they're talking 
about," said Storms.

In mid-May, Dhanjani posted information about what he dubbed a "carpet 
bomb" attack made possible because Safari lacks an option to require a 
user's permission to download a file. Attackers, Dhanjani claimed, could 
populate a malicious site with rogue code that Safari would 
automatically download to the desktop.

Apple told Dhanjani that it did not consider the problem a security 
issue, but might fix it in a future Safari update. The next week, the 
anti-malware group Stopbadware.org criticized Apple for that position. 
"We encourage Apple to reconsider its stance and treat this as the 
security issue that it is," said the group in a statement May 19.

Then on Friday, Microsoft also fingered Safari as a problem. "Restrict 
use of Safari as a Web browser until an appropriate update is available 
from Microsoft and/or Apple," the company told users in the advisory.

But Microsoft also admitted that a successful attack would require not 
only leveraging the Safari bug, but also exploiting a vulnerability in 
its own software. "A combination of the default download location in 
Safari and how the Windows desktop handles executables creates a blended 
threat in which files may be downloaded to a user's machine without 
prompting, allowing them to be executed," said Microsoft.

In the advisory, Microsoft called out Windows XP -- including SP3, the 
newest service pack -- and Windows Vista as vulnerable, as well as 
Internet Explorer (IE) 6 and Internet Explorer 7.

Microsoft, however, did not delve into details of the Windows and/or IE 
vulnerabilities that could be combined with the Safari bug to hack PCs.

Aviv Raff, an Israeli security researcher, filled in some of the blanks. 
On Saturday, Raff said that a vulnerability in IE he had reported more 
than a year ago was the Microsoft side of the blended threat. "The 
combined attack requires IE," Raff said in an e-mail, answering questions 
about the source of the Windows-side flaw.

He would not, however, get specific about the vulnerability. In a post 
to his own blog earlier Saturday, Raff said he would not publicly 
disclose any details until Microsoft or Apple patched the problem.

But he did ding Microsoft for telling users that they could prevent 
attacks by changing the default download location for files retrieved 
using Safari. "I can only say that Microsoft's suggestion for a 
workaround is not enough," said Raff in his blog post. "There are other 
vulnerabilities which can be combined with the Safari vulnerability to 
execute code," he added in the e-mail.

In the end, Raff's best advice was similar to Microsoft's: "The current 
best solution is to stop using Safari until Apple fixes their 
vulnerability," he wrote on his blog. "Even if Microsoft fixes their 
vulnerability, Safari users will still be vulnerable."

Odd though it is to see Microsoft issue an advisory that calls out 
software not of its making, the incident is a good example of the 
contrast between Microsoft's and Apple's approaches to security 
disclosures, said nCircle's Storms.

"It's not very surprising to see Microsoft in the forefront here," he 
said. "They're known to issue advisories without having all the 
information [about a vulnerability] and without a patch. Apple, on the 
other hand, is completely different. Until they release a patch, they 
say nothing, and when they patch, it's a complete surprise.

"It's two different ways to handle it," said Storms, explaining that the 
vastly different approaches stem from their core customer bases. 
"Microsoft has really embraced the enterprise, and decided that 
disclosure and a regular patch schedule is what the enterprise needs to 
support and maintain its products.

"Apple, on the other hand, appeals to consumers, and believes that for 
the majority of consumers, issuing an advisory without a patch would 
probably just create FUD [fear, uncertainty and doubt]," Storms concluded.

As Storms noted, Apple has remained silent on the Safari carpet bomb 
problem. Last week, it did not respond to a request for comment on its 
security team's decision against adding a user-approval option to 
Safari. The company was not available Saturday.

Microsoft did say that it was working with its rival, however. "[We] are 
working with our colleagues at Apple to investigate the issue," said Tim 
Rains, a product manager in Microsoft's malware protection center, in a 
post to the MSRC blog.

No timetable has been set by Microsoft for patching its software to 
block combined Safari-IE attacks. As it often does in security 
advisories, the company only said that it may issue a patch.


Bernard Robertson-Dunn
Sydney Australia
brd at iimetro.com.au
