The Register® — Biting the hand that feeds IT

Comments on: Microsoft urges Windows users to shun 'carpet bombing' Safari

MS rather than apple 

Posted Saturday 31st May 2008 01:47 GMT

It would seem to suggest that Apple cannot fix or avert an OS vulnerability. I'll be very interested to see how quickly MS fix this and get people back using a browser other than IE.

FUD 

Posted Saturday 31st May 2008 01:55 GMT

Thumb Down

... it's got to be!

Everyone knows Apple doesn't produce buggy software with security holes. Praise the mighty Jobs and his Mactards.

Big inaccuracy in the software Safari is far from mainstream in its use, but it was snuck onto millions of computers by deceptive stealth! Most people still believe Safari is a trip to Africa where you see lions and tigers and elephants.

Typical Microsoft -- security advisory with no details 

Posted Saturday 31st May 2008 02:02 GMT

I'm in the uncomfortable position of agreeing with Microsoft on this issue. If a browser (any browser) allows a website to randomly download files without the user's explicit permission, regardless of the location, it is a security issue in my opinion. Having said that, I take issue with Microsoft's security advisory. The only thing they say is:

"What causes this threat?

A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed."

OK, but how about telling us the how or why? Since it is a direct contributor which causes the blended threat, I don't think it's asking too much to want to know exactly "how the Windows desktop handles executables" and how that contributes to the threat.

So where were Microsoft all this time... 

Posted Saturday 31st May 2008 02:12 GMT

When their own products were found to have exploits using flaws of Biblical proportions? No one saw them saying, "Use Java" or anything when ActiveX and IE screwed up.

Not entirely... if at all! 

Posted Saturday 31st May 2008 02:14 GMT

Flame

"And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

After downloading, it asks YOU if you want to open or load it. Being a Mac user, I'll safely ignore it - meaning read the little pop-up and reject it.

Apple, GNU/Linux? No? Blame M$. 

Posted Saturday 31st May 2008 02:14 GMT

Thumb Down

It's funny how the same browser does not have the same problems on OSX and the more complete Konqueror does not do the same on GNU/Linux systems. Same code, different OS, where could the problem be?! Thanks for the FUD, M$, but security is not your strong point. The more of these problems they point out, the faster users will run for the exits.

Kill the iTards... (only joking) 

Posted Saturday 31st May 2008 03:19 GMT

Jobs Horns

That's right AC, blame M$. So what you're saying is that Steve Jobs put this in on purpose, so that more people would migrate from Windows to Macs? Sorry, not going to happen.

I love Bill Gates, being an IT guy he's given me a nice standard of living - not sure I'd get the same from Macs.

Blatantly anti i...anything.

@FUD 

Posted Saturday 31st May 2008 03:21 GMT

Joke

"A TIGER??.... in Africa, sir? "....

I'd say you were pulling my leg, only someone seems to have made off with it.

Re: Apple, GNU/Linux? No? Blame M$. 

Posted Saturday 31st May 2008 03:24 GMT

Stop

Read the article. This exploit works on Safari OSX as well.

Granted, on OSX any executable downloaded this way will be marked with an attribute which will warn you before letting you execute it... but Windows supports such a flag too. Safari just doesn't set it in Windows. No, this is Apple's fault.

Safari is the least secure browser in common usage in the world (see: Pwn2Own competition). Apple clearly doesn't take security seriously, what with outright ignoring threats like this, and suing other security researchers. Granted MS and others used to do that too, a long time ago, but they, and most observers, learned from the mistakes of that era.
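An added example, not part of the comment above or the article: assuming the Windows flag the poster means is the `Zone.Identifier` NTFS alternate data stream (Mark of the Web), this Python audit lists executables in a download folder that lack it. The function names, the extension list and the sample stream text are constructed for illustration.

```python
"""Audit a folder for executables that carry no Mark of the Web (added example)."""
import configparser
import os

# Extensions Windows will run on double-click; a representative subset chosen here.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk"}

# URL security zone numbers as stored in the ZoneId key.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


def parse_zone_identifier(text):
    """Return the ZoneId from Zone.Identifier stream text, or None if absent/malformed."""
    if not text:
        return None
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(text.lstrip("\ufeff"))
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def read_zone_stream(path):
    """Read the alternate data stream; None when unmarked or not on NTFS."""
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def audit(folder, read_stream=read_zone_stream):
    """Return (filename, status) for each executable-type file in folder.

    status is "UNMARKED" when no valid mark exists, meaning the shell will
    launch the file with no "this came from the Internet" warning; otherwise
    it is the name of the recorded zone.
    """
    findings = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
            continue
        zone = parse_zone_identifier(read_stream(path))
        if zone is None:
            findings.append((name, "UNMARKED"))
        else:
            findings.append((name, ZONE_NAMES.get(zone, "Zone %d" % zone)))
    return findings


if __name__ == "__main__":
    desktop = os.path.join(os.path.expanduser("~"), "Desktop")
    if os.path.isdir(desktop):
        for name, status in audit(desktop):
            print("%-40s %s" % (name, status))
```

An "UNMARKED" executable on the Desktop is the case the comment describes: a file written by a browser that did not set the flag.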

Crap(ple) 

Posted Saturday 31st May 2008 03:26 GMT

another gold plated turd ...

@Anonymous Coward 

Posted Saturday 31st May 2008 03:42 GMT

It's funny how the same browser does not have the same problems on OSX and the more complete Konqueror does not do the same on GNU/Linux systems. Same code, different OS, where could the problem be?! Thanks for the FUD, M$, but security is not your strong point. The more of these problems they point out, the faster users will run for the exits.

Really? Then how come IE and Firefox ask??

It's rare, but I'll take heed to what Mikroshaft says. 

Posted Saturday 31st May 2008 05:23 GMT

Jobs Halo

I guess it's time for a tar&feathers facial job* to be applied to mr.jobsie-jobs.

It should prevent him from filling the world with cute, wiggly, big-and-watery-eyes crapware.

* think of it like some sort of martha-stewart-job applied to the king of metrosexuals.

Bad little borg 

Posted Saturday 31st May 2008 05:48 GMT

Thumb Down

I guess they had to recommend not using Safari since the only alternative was to recommend not using Windows, which, of course, would be the better choice. Actually, grats to Apple for exposing yet another Windows security hole.

To FUD or not to FUD... 

Posted Saturday 31st May 2008 07:27 GMT

Alert

If an independent source proves this vulnerability is the case then we need to take notice. As much as I dislike M$ not everything is FUD. Trouble now is that we've had to deal with so much &#%$ FUD that the situation is primed for a disaster if this one just happens to be for real. Better to be safe than sorry.

@AC and others 

Posted Saturday 31st May 2008 07:40 GMT

Thumb Up

MS is doing the right thing (although I wouldn't doubt with a small degree of pleasure in this instance).

AC, I don't agree that it's MS's fault because the vuln isn't present on other platforms. It's for the application developers to ensure compatibility and security for their app and how it interacts with the OS, and clearly here they missed the mark.

@AC RE: Blame M$ 

Posted Saturday 31st May 2008 07:47 GMT

Paris Hilton

"And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

It's odd but my browser is showing that bit of text at the end of the story. I'm running IE, so it would seem that your non-MS browser is either not able to display it or you're too busy frothing at the mouth to read the whole article!

Er... 

Posted Saturday 31st May 2008 08:12 GMT

Alert

"It's funny how the same browser does not have the same problems on OSX"

Did you actually read the article? Specifically, this bit;

"And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

RE: Apple, GNU/Linux? No? Blame M$. 

Posted Saturday 31st May 2008 08:13 GMT

"And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

@Player_16 

Posted Saturday 31st May 2008 08:14 GMT

It downloads something onto your computer whether you want it or not, but asks your permission before opening the file? So that's all right then.

(Yes I have used Macs. No; I wouldn't use Safari on a Mac either. I have this strange unexplainable distrust of any web browser knitted into the operating system)

Amazing 

Posted Saturday 31st May 2008 08:34 GMT

Jobs Horns

Blame Microsoft for a problem with Apple??! How is it a Microsoft problem?

Apple wrote Safari no matter which OS it is on. Apple set it to automatically download. Apple apparently can't be bothered to fix the security hole.

I'm not a big fan of Microsoft, but I really can't see how they can be blamed (this time).

Safari RE Fud 

Posted Saturday 31st May 2008 08:34 GMT

This is just so funny. Microsoft a wee bit worried? BTW, the only tigers you find in Africa would be in zoos. Tigers come from the Asian areas, you know, India, Russia, over that corner of the globe?

Blame Apple 

Posted Saturday 31st May 2008 08:34 GMT

Thumb Up

It's funny how the same browser does not have the same problems on OSX.

Actually it does.

@AC 

Posted Saturday 31st May 2008 08:44 GMT

Coat

"Most people still believe Safari is a trip to Africa where you see lions and tigers and elephants."

People will be sorely disappointed if they expect to see tigers on an African safari...

Mine's the leopard-skin one with the Thomsons gazelle in the pocket.

This wouldn't have been so bad 

Posted Saturday 31st May 2008 08:57 GMT

Jobs Horns

This wouldn't have been so bad, had most of the users that have Safari installed on their Windows machines actually CHOSEN to install it, instead of it being stealth-installed (same way iTunes gets installed if you are stupid enough to install QT!)

In this case Apple should be rightfully flamed.

//Svein

Re: Apple, GNU/Linux? No? Blame M$. 

Posted Saturday 31st May 2008 09:08 GMT

Anonymous Moron, more like.

How is it anyone's fault but Apple's if their web browser allows exe files (or any files for that matter) to be downloaded to the local disk without so much as a prompt? Allowing a site to drop one exe file on to a machine is a mistake since people may later think it's something else and run it. It also lets sites do this as many times as they want (the "carpet bombing" described in the article) which would certainly create a nuisance. I don't see how on earth you can blame Microsoft for that.

What are Microsoft supposed to do, add extra prompts at the OS level whenever programs written by Apple's awful Windows software team attempt to write to the filesystem? (Actually, that might be a good idea. I just discovered that iTunes left every 50MB iPod firmware update I've ever downloaded in my *roaming* profile. Apple should be banned from writing Windows software at this point, with their track record, and I haven't even begun to describe the problems with Quicktime and iTunes.)

And did you not read the last paragraph of the article which says the issue affects OS X as well? "Dhanjani says the carpet bombing scenario can play out on OS X, too."

Finally, please, for the funking love of god, stop it with the overused and unoriginal "M$" cliche. It's soooo original. It makes you look sooooo clever and cool.

@AC / Apple, GNU/Linux? No? Blame M$ 

Posted Saturday 31st May 2008 09:19 GMT

Flame

Ohh, a troll who did not read the last few lines before posting "Crimosoft Bad, OSX Good", unless he committed an ID 10 T error.

"And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

Mr Pot, Mr Kettle... 

Posted Saturday 31st May 2008 09:22 GMT

Gates Horns

... meet the real Mr Black.

Is this a surprise..? 

Posted Saturday 31st May 2008 10:30 GMT

Jobs Horns

Since when have Apple EVER written software for Windows that goes along with documented best practice? Have you seen the Bonjour service? The one Apple call "##Id_String2.6844F930_1628_4223_B5CC_5BB94B879762##" and you don't even know it's installed, with no description or uninstaller? What about the iTunes interface? Not the useful bit, but the disregard to use the currently set Windows theme.

The fact that Safari doesn't use security measures that Windows provides to secure a desktop should come as no surprise when referring to Apple "developers".

Safari 

Posted Saturday 31st May 2008 10:37 GMT

Alert

Safari had a problem like this on the Mac too.

If the file extension was one of the ones Safari would normally download without asking, the file would be downloaded even if the file type specified in the file (this is separate from the extension on OSX) meant it was executable. When Safari then tried to open the file, the OS would do what the type was, not the extension. This meant a file with a .mov extension could actually be an executable.

That took some time to be fixed too if I recall.

I agree with MS here. No browser should ever download anything without my permission - if I want it I will ask for it, otherwise I don't want it.

Security Flaws... 

Posted Saturday 31st May 2008 11:20 GMT

Well, it's obviously Apple in the bad here for the downloading-without-asking thing, especially since it'll download several dozen times!

That's a bug, clearly. And I'm a big Apple fan, I write Apple software; this is a bug. At the very least a user-prompt should pop-up asking the user if they want to download the file. Better yet, a preference setting to ignore sites if they try to force a download multiple times or something.

Saying that though, M$ share some blame because an executable shouldn't be able to launch itself (as some can on Windows), and even if it could, shouldn't be able to do any damage without the user inputting an admin password.

Rights management on Windows is abysmal; they've spent more time protecting the "rights" of content owners than the rights of Windows owners to not have files doing things they shouldn't! There's little to no form of file permissions at all, and this means a dubious file, if executed either by one of the many security holes, or by dumb user that thinks just cause it's called "Porn" and has a jpeg icon that it's a pretty pic, can then go on and wipe the file system, or install keyloggers or goodness knows what.

In summary, yes Apple screwed up here. But it's not a biggie on OS X, more annoying than anything; just means you have to delete a load of .exe's some dodgy site shat on you.

It's only on Windows it becomes a problem; there's a reason there's virtually no real viruses or trojans on OS X. It's not small user share, and it's not Steve Jobs' mythical RDF either. It's that OS X is pretty secure.

Windows on the other hand, with its >150,000 unique virii, isn't.

Mysterious File, I wanna make love to you.... 

Posted Saturday 31st May 2008 11:54 GMT

Pirate

I don't think this would be a big issue for the stereotypical Register reader, but there are users out there, Windows and MacOS alike, whose first reaction when presented with a shiny new file on their desktop would be to open it.

For a Windows user double clicking it will run whatever is in that file, be it a trojan or one of those 'codec' files that certain websites want you to download to 'access' their content. Or possibly the new Indiana Jones trailer that your kid downloaded last night.

For a MacOS user the computer would ask them first if they would really want to open a file that came from the internet. After saying "yes, of course, how else am I going to find out what this shiny new file is?" the user will then execute trojan/'codec'/Indiana Jones trailer (possibly in qt format).

On the bright side (at least for MacOS users) most of said trojans would probably be written with win32 in mind... so at least they'd (probably) just end up with being confused as to why their file wouldn't open. Unless they're unlucky enough to run bootcamp of course ;o) (that is, unless some crafty people see this as the perfect opportunity to get some malware onto Mac computers.. Does anyone know if Safari identifies if it is a win/mac version?)

Safari Update might be in order. On both platforms.

Of course OSX users can ignore it! 

Posted Saturday 31st May 2008 12:38 GMT

Linux

Firstly, OSX doesn't tend to run the often malware infested .exe files. So having one or 1,000,000,000 of them on your desktop isn't an issue. Even if such a file could be run on the poor thing, it's not likely to be able to do much damage.

Secondly.. Have you ever seen an OSX user's desktop? They seem to stick every single file they come across on the desktop! Literally thousands upon thousands of files. All their music, all their apps and associated files, all their videos, all their pictures, all their porn, all their documents. Not in individual folders, no. All of it on the desktop!

Every single Mac desktop I've seen has been like this.

So it wouldn't matter if they get hit by this bug, because they won't have a hope of noticing a few extra thousand files on their desktops!

So yes, Mac users are perfectly safe from this threat.

Huh? 

Posted Saturday 31st May 2008 12:50 GMT

Someone uses Safari on Windows? I thought it was only idiots and people who didn't know better than to untick it when downloading Quicktime or iTunes?

Surprise surprise some more crap from Apple, rotten to the core.

Standards Compliance 

Posted Saturday 31st May 2008 13:04 GMT

Boffin

Derek -- You clearly have not had the required minimum exposure to Monty Python. Please refrain from visiting tech sites until you have spent at least 96 hours (preferably in a row) absorbing their work. Their treatise on tigers in Africa is an absolute necessity in the modern world of IT. You may also find the BBC's seminal 4-volume treatise on the history of the Black Adder and the collected works of Douglas Adams greatly enrich your experience of the Register and sites like it.

M$? Nah, Apple are worse 

Posted Saturday 31st May 2008 13:31 GMT

Linux

I hate the way Apple is all lauded and they couldn't possibly do anything wrong. Apple's business practices are even worse than MS's.

"I have a certain distrust of a browser that's knitted into the OS"

Well, the icon says it all :)

Microsoft needs to get their own house in order 

Posted Saturday 31st May 2008 13:59 GMT

Thumb Down

It's a minor issue compared to a number of others that ALL browsers on Windows have. If Microsoft is serious about security then they need to:

1. Immediately transition away from ActiveX, with as short a timeframe as possible.

2. Replace ShellExecute() with something similar to UNIX's exec(). They already HAVE the code, in the POSIX subsystem.

3. Eliminate "security zones" as a security model - there must be no circumstance in which the location of an object named in a web page automatically grants it privileges.

4. Provide an alternate API for browsers to use to find and run helper applications that is not based on the desktop helper application bindings.

All four of these are far bigger problems than having files downloaded without a prompt. Not only do they all provide paths to direct execution of untrusted code without user interaction, but they have all BEEN used for that purpose hundreds of times over the past decade.

I am not sure it's possible to implement a really secure browser on Windows without completely bypassing all of Microsoft's recommended APIs.

yet more evidence .. 

Posted Saturday 31st May 2008 14:18 GMT

Yet more evidence of Microsoft's click and install INNOVA~1 .. :)

Dhanjani says .. 

Posted Saturday 31st May 2008 14:21 GMT

"Dhanjani says the carpet bombing scenario can play out on OS X, too"

OK, what executables can run from the user's Desktop and permanently alter system files?

Mac users 

Posted Saturday 31st May 2008 14:27 GMT

Thumb Down

"After downloading, it ask YOU if you want to open or load it. Being a Mac user, I'll safely ignore it - meaning read the little pop-up and reject it."

The only problem is, that most people aren't that clever. If your browser asks those questions for every file downloaded (remember the "carpet bombing" reference in the article?), then eventually, less experienced users will be coaxed into clicking "yes, I want to execute this file!" in a desperate attempt of making the question go away.

LOL 

Posted Saturday 31st May 2008 14:30 GMT

Thumb Down

Wait a second..... don't you mean IE7?

Because that describes it perfectly.

Morons...

Pissing contest 

Posted Saturday 31st May 2008 14:40 GMT

Flame

It's a little pointless to criticise Microsoft for releasing a security advisory when they are correct. That they wouldn't release a security advisory detailing the bugs in various other commercial products that run on Windows, a well-known PDF-reader for example, just shows that they're taking the opportunity to get a dig in at a rival too, something Steve Jobs can't really complain about as he's done it himself countless times.

It would be nice btw, to see just one Apple-related post where all people who can't afford a Mac didn't take the opportunity to vent their bitterness over the fact. I am a long-standing (14-years) Linux user, and a more recent Mac user (2 years), but I don't see the need to flame Windows users every chance I get.

Flame because I'm sure I will be.

Kettle, Pot, Black: yes 

Posted Saturday 31st May 2008 14:47 GMT

IT Angle

Sounds to me like both MS and Apple are guilty of a design philosophy that has tiresomely demonstrated, over and over, its capacity to fubar almost any machine. To wit, doing the user favors he didn't ask for. We might call this the "oh you poor dear, here, let me give you a hand" philosophy. An everyday example is the Boy Scout who forcibly drags an old lady across the street when all she was doing was checking out the shirtless dudes on the construction site there.

Specific admonishments:

Don't auto-download anything unless the browser is going to render it.

Don't execute anything without the user explicitly asking for execution.

Don't install software on the sly. [This one is mere sneakiness, not a bumptious attempt to make your machine "user friendly."]

Don't design your systems for the clueless. The clueless are cluelesser than you can possibly imagine, so the only viable strategy is to assume a reasonable level of intelligence. [See footnote]

Don't, ever, *guess* anything. When you guess, no matter how clever you are, you *will* guess wrong a considerable amount of the time.

Don't, ever, try to guess what the user meant when he input wrong data. If it's wrong, it's wrong, just beep and say "error", and if Joe & Josephine Drooler-Sixpack don't understand, well, tough. As regards the internet in particular, it wasn't designed for idiots, it's not idiot proof, and don't try to fake idiot-proofness.

I leave it as a class exercise to determine which company, Apple or MS, is more often guilty of this class of design error.

I remember the good old days of Windows 3.1, that (iirc) didn't do you any favors at all. Ubuntu Linux also seems to be free of this mistaken idea.

IT? icon because it's simply good manners to refrain from imposing unasked-for favors on others, not just an IT issue. They don't appreciate it, and doing so implies you think you know someone else's business (or how they want to lead their life) better than they do—an extremely patronizing attitude. Miss Manners (tm) will back me up on this.

Footnote: since half the population has an IQ 100 or below, by definition, where does that leave us?

Ha ha, look at the Stupid and Angry Microtards. 

Posted Saturday 31st May 2008 14:54 GMT

Happy

There must be a dozen people all shouting "Safari on OSX downloads files too" but I've never heard an OSX user complain about it. What's really funny though is that M$ is admitting an all too common remote execution problem Windoze has will wreck your machine. An OS that allows people to remotely execute code has more serious issues than brain dead dialogs.

When I tried a booby trapped page with Konqueror, I got a "save this to disk" dialog from KDE. On Windoze, that dialog would come from the OS, so there's not much Apple can do about it. I'd say this was intentional sabotage followed by FUD, a typical M$ action. Sorry fanboys, M$ has zero credibility and everyone is better off without Windows.

No threat!!!!! 

Posted Saturday 31st May 2008 15:30 GMT

Gates Halo

For it to be a security threat doesn't someone actually have to use this browser? I see no threat here whatsoever.

Dive in! 

Posted Saturday 31st May 2008 17:33 GMT

Flame

I don't understand the rampant fanboyism in these comments... Microsoft admitted it was a flaw in the way its operating system handles executables, and said that combined with Safari's fantastic idea to dump crap on the user desktop by default there was a security risk.

It's that simple... It's not Microsuck, Crimnosoft, M$ Dross, Appletard, Mactard, iDiots or Hippy-blood-sucking-creative-leeches-who-need-to-get-a-real-job. Pure and simply a shoddy design decision on Safari's part, coupled with a long term mishandling of executables on Windows' side.

Still no reason why a browser should ever be putting unwanted files onto my desktop, and sheer arrogance on Apple's part in thinking it's not an important change to make.

Over emphasis. 

Posted Saturday 31st May 2008 18:07 GMT

Flame

This is rather disingenuous. While Safari on OSX will allow mass downloads, the files won't litter your desktop and executables won't be launched automatically, making this problem little more than an unlikely annoyance. Even if by some miracle an executable was launched automatically, OSX issues a prompt the first time an untrusted executable is launched.

I would imagine that UAC in Vista does the same kind of thing, preventing this from becoming even a minor security issue.

Assuming the unexpected happens, cleaning up from a mass download is incredibly easy. Any reasonably computer literate person should be able to remove every file (even if there are millions of them) with a single command from the finder, from the terminal, or from automator.

Windows users should be able to clean up just as easily from the command line so seriously, what's the issue here? Microsoft's comments reek of anti-competitive bullshit :(.

there is a bigger problem in the way Safari works 

Posted Saturday 31st May 2008 18:22 GMT

because it starts to download, and doesn't ask what to do until the end... I think that's the real problem, and from this everything can only get worse...

Desktop Handles Files??? 

Posted Saturday 31st May 2008 20:43 GMT

It's a directory. It shouldn't be any different from any other directory except that stuff in it gets displayed as icons on the desktop (i.e. the thing that builds the desktop uses the stuff in it as input data).

What they're saying is that they still haven't got out of the habit of believing the file extension... if some random piece of data turns up with the right file extension then they've got to execute it, regardless. RW's rules of the road ("Kettle, Pot Black?") above should be mandatory for any computer but, of course, it will "spoil the user experience" (or should I say "reduce the opportunities our clients have to push stuff at the poor sucker of a consumer"?). He's right, as well. Using Linux for web browsing is really boring. No fuss, no excitement -- you just get web pages.

Downloads Window 

Posted Saturday 31st May 2008 21:23 GMT

When a download starts in Safari the 'Downloads' window appears. If you want to prevent a download all you have to do is click.

This would be impractical with a hundred downloads, but so would a hundred prompts. Likewise, approving downloads one at a time isn’t ideal when you want to download a lot of files.

I’d like to see Apple add a delay before the download starts to give users more time to respond. A cancel/prevent all button would also be fun.

In the end all Apple really needs to do is change the default download location and this problem becomes a non-issue. Microsoft's claims seem to center around the fact that the files end up on the desktop.

All in all I think this is rather ridiculous in the light that the user is made well aware of the downloads and can easily stop them. This certainly won't stop me from using Safari or Webkit in general on Windows.

On a side-note, there are a number of download managers that take over from Safari's ‘Downloads’ window on OSX. It’s not unreasonable to think this could prevent mass downloads.

Separating the truth from the FUD 

Posted Sunday 1st June 2008 00:24 GMT

From the article:

"Windows users who visit a booby-trapped site with Safari could be forced to download..." (TRUE), "and execute..." (FUD), "malicious files with no prompting..." (TRUE, on windows), "Microsoft says".

Details on the actual vulnerability can be found here:

http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html

The best FUD is hidden between two truths.

desktop littering 

Posted Sunday 1st June 2008 02:21 GMT

Thumb Up

To reply to a comment, the default download area since Leopard on OS X is no longer the desktop, it's the Downloads folder. Still, I don't even want that folder to be carpet-bombed by a malware site, so I use Firefox even on OS X; even though the chances of getting a virus are small. Besides, Firefox 3.0 RC1 is as pretty and small in memory usage on Macs as Safari, with more features! I can't wait 'till the release. :-)

Easy fix 

Posted Sunday 1st June 2008 03:06 GMT

The easy fix would be to change the default download location. In "typical" scenarios, it is the Documents folders (i.e. My Documents, or in Vista, Downloads under the user's folder). Simply change the default to that, and worry about how to deal with the 15 or so users currently running the Safari browser on Windows later....

And for the record, as commented before, the "what do you want to do with this file" prompts do not, in fact, come "from" the OS per se. The browser determines what to do with each file, unfortunately, based on extension. As any IE7 user knows, "Internet Explorer prevented this site from downloading a file to your computer" (or some such lingo)... that's not the OS doing that.. that is the browser.

Just stop using Safari, just like Microsoft suggests, and all will be well on your computer... well, other than, maybe, the Windows OS... ;)

It's part of Apple's master plan... 

Posted Sunday 1st June 2008 03:31 GMT

Alert

It's part of Apple's master plan...

Get Safari on every windows PC

Exploit a download vulnerability.

Steal the user's Credit Card details

Download OS X onto their comps and set it for "Auto install on next reboot"

Charge them for OSX

PayStar is an Apple Shell company to test this scenario....

Its all Apple's fault 

Posted Sunday 1st June 2008 07:11 GMT

Apple makes crap computers, the only reason their OS loopholes don't come to light is because it hasn't sold as much as Windows. Lesser the number of users, lesser the problems that come to light. The ones who were stupid enough to purchase a Mac won't speak against it because that would mean accepting their stupidity.

Safari comes piggyback on another app and installs itself on a user's PC without permission, makes itself the default browser and then downloads thousands of unwanted files to the desktop. That's exactly how spyware behaves. MS is doing the right thing by asking users to not use Safari, in my view they should've taken a stricter action. Ideally Windows Defender should identify Safari as spyware and remove it from users' machines.

It's a war ... 

Posted Sunday 1st June 2008 10:26 GMT

Coat

I'm a Mac user and I don't use Safari.

The reason for that is Hotmail doesn't work (not just me, a few other people I know also have this problem).

As people have stated OS X asks you whether you want to run an application that's been downloaded from the internet. Fine if you run OS X, not so fine if you run Windows.

My guess is Apple can't be arsed 'cause MS have managed to stop Hotmail working with OS X (unless you delete all cookies in which case you can sign in once before it goes into some infinite loop of redirection).

I guess it could be a bug in Safari but it's been about for a while (not that I've reported it; I just switched to Firefox instead - not that Firefox is what it used to be either) so I'd imagine it would have been fixed by now if it was.

Maybe that's the real story behind this little spat.

Tinfoil hat please.

what next? 

Posted Sunday 1st June 2008 10:36 GMT

Moseleys distant cousin not allowed to harry the infidels up their Khyber pass?

It's an IE bug 

Posted Sunday 1st June 2008 12:57 GMT

Jobs Halo

According to Aviv Raff, the security researcher who reported this to Microsoft, the Safari vulnerability is combined with an old Internet Explorer vulnerability: http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExplorer.aspx

you installed it in windows because? 

Posted Sunday 1st June 2008 16:03 GMT

The whole thing is a no-brainer. Opera, SeaMonkey (& Konqueror) all eclipse Safari, so what's the issue? "Why'd you allow it to install in the first place on a Windows system anyway?" is the question to ask.

@John Watts 

Posted Sunday 1st June 2008 16:38 GMT

What doesn't work with hotmail and safari?

I have no problems

Are you using the classic version?

Read this

This is the classic version of Windows Live Hotmail

This version works better with your browser. The full version of Windows Live Hotmail runs on Internet Explorer 6.0 and higher (make sure you check the system requirements before you install it). The full version also works on Firefox 1.5.

Aimee ... 

Posted Sunday 1st June 2008 20:14 GMT

What would happen was every time I tried to sign in, it went into an infinite loop of redirections and never actually signed in.

To get it to let me sign in I had to delete all of the .live.com cookies I could find. Then it would let me in. Until I signed in again. Then the same thing would happen.

The only reason I switched to the super duper new fangled version was to stop it pestering me about using it.

A friend also had the same problem on his newly purchased Mac which we both solved by switching to Firefox.

I only use the hotmail account to sign up for things I expect to bombard me with crap anyway so it's not a massive problem.

In any case, I guess you answered your own question - the full version doesn't work with Safari.

Now, if the problem had presented itself to an average internet user they'd still be locked out as they'd never be able to get back in to switch to classic mode and probably wouldn't think to delete any cookies.

The system requirements omit the Mac and Linux totally, or at least I couldn't see them immediately (and now the message doesn't show at all) and yet the newer version runs fine on Firefox on this Mac - so, the system requirements don't seem to mean much at all anyway.

That said, MS do offer to let me upgrade to IE7 when using Safari, except when I get to the page there is of course no mention of OS X.

So erm, what can I say? When I managed to sign in the newer version worked fine with Safari, it was just getting signed in.

Maybe it works now. Maybe it doesn't? In the end it doesn't matter much 'cause I've got a few months of history on Firefox and won't be switching back to Safari unless Firefox does something to piss me off.

But you can trust me when I say something doesn't work.

Incidentally, it's Firefox 2 I'm using the full version on, not 1.5 so it goes some way to proving you can ignore what websites tell you about the browser you should be using.

Re: Input admin password 

Posted Sunday 1st June 2008 21:03 GMT

Most everyday users DO NOT CARE about the OS itself, they know it can be simply reinstalled or patched up, HOWEVER, if I were an attacker going for maximum destruction, I would go for the user's own files first, as malware doesn't need a system administrative password under any OS to do anything with the current user's files.

Firefox. Problem Solved 

Posted Monday 2nd June 2008 02:45 GMT

Type your comment here — plain text only, no HTML

*sigh* 

Posted Monday 2nd June 2008 06:35 GMT

And again a possibly useful article is ruined by the MSvApple debate. If you REALLY want to be secure then Solaris is your friend. Macs aren't much more secure than Windows machines because the weakest link in the security chain is drooling on the keyboard opening things they don't understand. The Spyware and Virus share for the Mac is slowly growing, and they even had viruses back in the days of 7.5. The downfall of OSX and viruses will be hubris on the part of the users. Yes you CAN be infected with a virus, you aren't immune. Someone will write a real nasty and let it out in the wild at some point. When that happens the "We don't get viruses" argument will be the downfall of the machines. I'll be smiling as I reinstall and attempt to recover people's data off HDD's so they don't lose any more of their data.

FFS When Will People Learn? 

Posted Monday 2nd June 2008 07:20 GMT

Stop

I love the way Mac Zealots instantly dive on MS before even reading the article since it simply CANNOT be a problem with Apple software right?

Look, we are all into software. It doesn't take a genius to realise you can write buggy/flawed code no matter what company you work for.

The article clearly states that the problem exists within BOTH Windows and OSX. This means that the root source is Safari, which the article also clearly states.

MS have done the right thing issuing a warning, it's a security RISK. Risk must be managed. I would rather know about a risk than brush it under the carpet and hope it will go away (which sadly seems to be what Apple want to do).

I think this is a nice display of how Windows/MS have had a real rough ride over the years. They have been at the forefront of the market, getting all the glorious backlash that comes with it. They are used to dealing with this sort of thing.

Apple? Not so much. It's funny how now they are rising in popularity that suddenly more and more security holes are being found. It should come as no surprise, THEY HAVE NEVER REALLY BEEN TESTED BEFORE.

Yes, I'm really not into Apple in any way shape or form. But I won't be a @ss and slate them. They've screwed up and need to fix it, not ignore it, the same as MS or any other software house should.

'Nuff said.

@AC 

Posted Monday 2nd June 2008 10:10 GMT

Stop

"When I tried a booby trapped page with Konqueror, I got a "save this to disk" dialog from KDE. On Windoze, that dialog would come from the OS, so there's not much Apple can do about it. I'd say this was intentional sabotage followed by FUD, a typical M$ action. Sorry fanboys, M$ has zero credibility and everyone is better off without Windows."

Then how does FF deal with the "what do you want to do with this file" message? I am sure FF can work out that a file wants to download, why can't Safari on Win32/64 ask?

Plebs 

Posted Monday 2nd June 2008 10:17 GMT

Gates Horns

You would have to be a pleb to be running Safari anyway, when Opera is a far better, more secure, faster and more widely available browser.

Mark, you're the real pleb 

Posted Monday 2nd June 2008 11:05 GMT

Thumb Down

Taglines and cliches everywhere with this one!

"far better, more secure, faster and more widely available browser"

lord knows how it's better or more secure, we'd like proof please. it's not faster and how in the world is it more widely available? on the internet??

Kettle, Pot, Black: yes 

Posted Monday 2nd June 2008 11:31 GMT

Alien

Let me see if I have this right:

An OS written by Microsoft lets some random third-party application download as much crap as it wants onto the desktop.

The OS then allows the user to run an EXE that clearly isn't safe to run, without even politely asking the user if they are sure, and this has nothing to do with the OS?

Sounds to me like Apple should write an entire OS themselves, so that Safari doesn't have to depend on Windows ...

safariiswank 

Posted Monday 2nd June 2008 11:31 GMT

Happy

do a search for safariiswank, 'bout sums it up really.

@ tigers ACs 

Posted Monday 2nd June 2008 11:39 GMT

Joke

Maybe the original poster relied on weebl's Kenya masterpiece as reference.

Wiki ain't the only source of dodgy info...

Yawn... 

Posted Monday 2nd June 2008 11:49 GMT

Coat

Rah rah rah Apple suxs, MS is tha rulz!!! Apple is the baddy, boo!!! MS never fails..etc etc.. Stupid bandwagon jumping fanboys with their ever predictable responses.

Safari automatically downloading to OSX is hardly an issue, it's not like the OS will execute it and even if the user tried to, it wouldn't load as it's not a Mac Exe. It downloading to Windows is annoying, and Apple should prompt the user over it though, but as others pointed out, the underlying issue comes from an existing Windows security exploit, shouldn't Microsoft have patched this by now? I don't think either party in this case should avoid blame for this.

Anyway, as a Firefox, Opera, IE, Safari user under Windows who works in the Website industry, both Safari and Opera totally own both IE and Firefox in performance, Firefox is probably the most secure (and Opera is good too), but Safari for all its faults still provides a better user experience than IE ever does and a UI menu design that is competition to Firefox too.

Even if Apple Software Update installed Safari onto people's PCs when they didn't want it, nothing's forcing them to keep using it, or even uninstalling it.

Anyhow, should Apple start issuing security warnings for the plethora of IE exploits which regularly come out? Because if it's not Pot Kettle Black, then in all fairness they should both get the chance to do so!

Apple's Security Flaw Lawsuit 

Posted Monday 2nd June 2008 11:56 GMT

Class action lawsuit anyone??

Friend told me 

Posted Monday 2nd June 2008 12:21 GMT

how he had to clean a friend's Mac of crud that had been downloaded onto it. He found a load of spyware on it. There IS stuff that will wreck Macs, it's just not as widely available. If anything, Mac users are more at risk than Windows users from the above. Who's more likely to ignore a security warning and just run a file anyway? At the end of the day it doesn't matter what you say to the user, if they think they're secure they'll double click it and run it. Windows users have faced it all before, if you see a file saying omg_look_now_amazing_game you wouldn't open it, but a lot of people would, and a lot more Mac users would than PC users, because they don't think they need to worry about security. Well hey, occasionally you do.

Turd in a dress 

Posted Monday 2nd June 2008 13:38 GMT

Flame

Let's be fair, Apple stuff looks pretty, but in general it's a turd in a dress. The fact that Apple hardware has unchangeable batteries so you have to replace them every year whether you want to or not, or the fact that they crippled BSD in order to make OSX. This is just another example of the turd in a dress history of Apple. I'm sure people who buy Apple gear are the same types who would make out with a drag queen...

Pointless Comments FTW! 

Posted Monday 2nd June 2008 14:45 GMT

Coat

I love the way like 95%+ of the flames are from AC :D

Way to stand up for yourself..

I can see there are a couple of people here that share my attitude.

"I use what I use because I am an adult. I can make my own decisions. There are things here that need to be addressed (namely security) and they should be, by ALL parties concerned. However, my judgement is that the fault lies with [X]."

The rest of you just sound like a bunch of hormonal teenagers that are obviously not getting enough love from wherever and need to vent on here.

Repeat after me, "I am an adult, I AM an adult"..

Do more people ever actually write comments on here worth reading? I am still kinda new to TheReg, need to know whether or not to unsub :)

I'm sick of... 

Posted Monday 2nd June 2008 14:58 GMT

...reading the SHIT people post in these comments. Just WHO are you fanboys trying to impress with your constant drivel about which OS/Browser is better/faster/more secure/nicer?!

Each user likes DIFFERENT THINGS (fkin DUH) because they're INDIVIDUAL. I like Windows well enough, and I like Firefox well enough; but that's down to ME... I'm not about to slag anyone else off for THEIR choice of OS/Browser. What we have here is a problem between two products. Maker of product (1) has published some information about how it interacts with product (2). They even admit some of the responsibility for it. I think they did the right thing.

Now SHUT THE FK UP!!!

Re Huh 

Posted Monday 2nd June 2008 15:01 GMT

"Someone uses Safari on Windows? I thought it was only idiots and people who didn't know better than to untick it when downloading Quicktime or iTunes?

Surprise surprise some more crap from Apple, rotten to the core."

Still doesn't explain why anyone would install iTunes or QT in the first place, they are both steaming piles of crap.

I wasn't going to comment but.... 

Posted Monday 2nd June 2008 15:04 GMT

"friend told me" obviously works for microsoft. What tosh! I've been servicing macs and supporting macusers for almost 15 years and I have never ever (put that in 120pt text) found a mac with spyware on it. Nor have I found one with a virus on it. If there is spyware on it it's windows spyware and windows crud. We had a brief interlude with a worm about 10 years back but it was nothing more than a hindrance, not a problem - and even then, I never saw it - just read about it - much the same as all the exploits that are currently "afflicting" macs all over the world.

And "turd in a dress"? Again what tosh! More like turd in a mouth. I just nip down to maplin, buy a battery for about a fiver and fit it in the mac and away it goes. I've never read such rubbish (well I have - mostly from phreeky and that other idiot beginning with M (can't remember who he is)).

And finally, what have you got against drag queens? Are you frightened of them?

@David 

Posted Monday 2nd June 2008 15:08 GMT

I work with plenty of PC users whose desktop matches that description. My own desktops (both mac and pc) have nothing on them.

I want an icon with both Jobs and Gates together with halos held up by horns - their companies are both in the wrong over this.

@ Turd in a dress 

Posted Monday 2nd June 2008 15:09 GMT

Gates Horns

You clearly don't know your facts, the only Mac model with a non-replaceable battery is the MBA, all other laptops/notebooks have replaceable batteries. And the crippled BSD core of OSX still beats the Windows kernel hands down.

And yes.... all Apple users are secretly attracted to drag queens... LOL. Love the wintard resort to personal attacks combined with misinformed statements.

PS. If a person who uses Apple gear is someone into drag queens, what's a person who likes to use both Windows and Mac OS then? :P

Safari would be good if... 

Posted Monday 2nd June 2008 15:36 GMT

Alert

I for one liked the less-is-more interface Safari had on Windows, and tried it for a while. There is reason to want to use it on Windows, as Firefox has become bloatware by now (and I hate tabs), and only the totally clueless or insane would use IE. However, I stopped using Safari when I found that it had trouble with some websites, and insisted on installing QuickTime (which took me some effort to remove so that it would stay removed). Frankly, it seemed a little too buggy so I figured I'd wait through a few updates (which, while it aggressively checked for updates, after several months I never saw it actually *do* any updating, even though it was clear it needed some). Based on that experience, I've concluded that support is so bad on it and I just don't think about it (or use it) anymore. And I've refused to use QuickTime ever since the wars it had with RealPlayer over which would be the default -- both have been permanently banned from any of my systems due to their user-interest-overriding arrogance.

CHEER! 

Posted Monday 2nd June 2008 15:48 GMT

Happy

"Derek -- You clearly have not had the required minimum exposure to Monty Python. Please refrain from visiting tech sites until you have spent at least 96 hours (preferably in a row) absorbing their work. Their treatise on tigers in Africa is an absolute necessity in the modern world of IT. You may also find the BBC's seminal 4-volume treatise on the history of the Black Adder and the collected works of Dougals Adams greatly enrich your experience of the Register and sites like it."

I heartily agree! All techies should have a basic grounding in cynical and sarcastic surreal behaviour!

@ Anonymous Coward (Ha ha, look at the Stupid and Angry Microtards.) 

Posted Monday 2nd June 2008 16:04 GMT

<<I've never heard an OSX user complain about it.>>

That's probably because Apple make them sign NDAs.

Seriously, is there any more defining characteristic that separates Mac users from PC users than the latter's willingness to talk publicly about the problems with their computers and the former's close-mouthedness?

Yes, there are Apple-run forums in which Mac problems are discussed. Badly designed, almost-impossible to navigate forums in which one has to know exactly what one is looking for before one asks the search engine to find it.

But if a suggestion of a problem with a Mac is made outside the Apple Cloister, it is met with cries of indignation and the FUD banner is unfurled.

Burning batteries? Only a PC problem, idiot! Cooked thighs 'n' nuts? That's why we don't call Macbooks "laptops", dolt! Lid won't close? Hamfisted clown, this is precision equipment, not a PC toy! Power supply gone south for the third time in two years? Sign this NDA and we'll send you a new one!

As for the guy who sneered that PCs were only used by people who couldn't afford a Mac, well, I just finished repairing a "better" Mac for a family member. Every part needed could be summed up as "PC equipment with a 300% Mac tax added on". I think I began laughing hysterically when I found the cost of a new CMOS battery was nearly 20 dollars (as opposed to about four dollars for the PC version). Yes, the Mac is expensive for entirely understandable engineering reasons.

Then there was the innovative "suitcase" case design that placed the power supply, made - judging by the cost and weight - from depleted uranium, directly over the most fragile parts of the motherboard when it was swung open. One mis-step when removing or replacing the power supply (which burned out because for all the innovative engineering it no-doubt contained it was lacking any sort of fusible, replaceable element that would protect the electronics) and that was it for the wretched machine.

Wouldn't touch one with a barge pole now.

It'll be reet 

Posted Monday 2nd June 2008 16:25 GMT

Go

Yawn. Every few months we get something that supposed to bring OS X or Windows to its knees.

On Leopard, yes, I can still blindly stumble around the internet with no protection just as Mac users have been doing for 7 years. Still no sign of anything to worry about, no matter how many jealous nay-sayers wrongly cry "It's only because of the low market share". That argument is still a load of crap, but I doubt it'll ever go away.

Windows ain't all that bad now since XP SP2 (don't even dare go on the internet before that's installed). Not all that bad as long as you have AVG and download Windows' frequent updates.

I still prefer the carefree Mac experience, but to be honest, the vast majority of these scares are either nothing to worry about, because the chances of running into trouble are so remote, or a little marketing dig. And let's face it, Microsoft's 'Don't use Safari' announcement is more about that than any real security threat.

RE: Tigers and Africa. 

Posted Monday 2nd June 2008 19:56 GMT

Actually they're breeding tigers in captivity in South Africa in an attempt to save them from extinction. They're planning on releasing them into the wild

http://www.lairweb.org.nz/tiger/release10.html

http://english.savechinastigers.org/node/243

You're all missing the point 

Posted Monday 2nd June 2008 21:00 GMT

Joke

The real story starts *next* month, on Patch Tuesday, when Microsoft's malware removal tool takes an elephant gun on Safari.

Threat to OS X? Doubtful. 

Posted Monday 2nd June 2008 22:25 GMT

First: in OS X 10.5, the default downloads location is ~/Downloads, NOT the desktop. Second, OS X will not launch a downloaded executable without user interaction. Third, if a user does launch an application downloaded from the Internet, a prompt will display asking the user for permission to launch. Fourth, the system keeps track of the URL from which the file was downloaded. Fifth, the number of malicious executables which can run on OS X is low to nonexistent.

1 through 5 make this a pretty toothless threat on OS X. On Windows, well, that's a different matter.

microsoft problem will always be with you as long as...

Posted Tuesday 3rd June 2008 00:26 GMT

Microsoft should change the way it allows any software installation on a pc, malware or cookies or any sort.. should quarantine in a secure temporary section until user allows it to install with the pc id/pw plus installation 4 digits code permit it into the pc system.

Man they make me laugh 

Posted Wednesday 4th June 2008 09:58 GMT

Gates Horns

Man they make me laugh. Of course they want people to stop using another product that they themselves wish users to use. It's just so sad to hear them say it out loud. AHAHAHAHAA
