Threat remains despite Safari carpet bombing fix
Apple finally fixed a "carpet bombing" flaw in the Windows version of its Safari web browser, but security researchers warn that the consumer electronics giant's patch only provides partial relief from bugs involving the interaction of Safari and other browser packages.
A flaw that meant Safari automatically downloaded executable files based on IE zone settings was one of three vulnerabilties in the browser addressed in an update published by Apple on Thursday.
Upgrading to version 3.1.2 addresses all three bugs, according to Apple.
However, security researcher Billy Rios warns that the "carpet bombing" fix is only partial. If Safari is used on a system where Firefox is also installed it might be possible to steal arbitary files, he warns. The flaw, like the carpet bombing bug before it, involves a blended threat concerning how Safari and other browser packages work together. Rios is holding back details of the bug pending a release from Apple. ®