Feeds

Apple's carpet-bomb Safari flaw can wreak havoc on Windows

A tale of two security teams

Internet Security Threat Report 2014

A researcher has created a proof-of-concept site that graphically demonstrates the risk Windows users face when using Apple's Safari browser.

Microsoft's security team already warned that a "blended threat" was so serious that Windows users should curtail their use of Safari until a security patch is available. This blog post from researcher Liu Die Yu makes it clear the warning was by no means overstated.

Clicking on this link with Safari using default settings automatically downloads a booby-trapped file onto a Windows user's desktop with no prompting. The next time the user opens Internet Explorer, the force-fed file automatically causes the notepad.exe application to launch and open a non-existent file. Of course, miscreants could choose far more nefarious code.

When informed that its browser downloads files with no prompting, Apple said it may get around to changing this behavior at some point, but then again, maybe it wouldn't. In other words, this is no big deal from a security perspective, so let's all move on. This demo suggests otherwise.

It would appear that IE automatically carries out instructions buried in odd files dropped onto a user's desktop, so it's certainly to blame here. Microsoft said as much when it warned of the blended threat. We also wouldn't be surprised if the flaw is fixed tomorrow, when Microsoft releases its monthly installment of security patches.

Contrast Microsoft's response with that of Apple. The company that foisted Safari on the unwitting masses of Windows users can't be bothered to fix a flaw that clearly puts them at risk. Yeah, IE is at fault for running strange files stashed on a user's desktop, but it's interesting to note that Safari is the only major browser that automatically downloads the rogue payload. Gives a whole new meaning to Apple's "It just works" mantra. ®

Internet Security Threat Report 2014

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.