Microsoft is sounding the alarm in Apple's camp, warning that a previously disclosed flaw in the Safari browser could spell trouble for Windows users. Another flaw in Internet Explorer makes the situation worse.
Apple is not treating the blended threat as a security issue, but as a further reason to raise the bar against unwanted downloads. Who will take responsibility for fixing the issue remains to be seen.
Security researcher Nitesh Dhanjani originally disclosed the Safari bug on May 15. The flaw allows attackers to dump executable files on a victim's desktop, a tactic known as "carpet bombing."
If the Safari flaw is exploited in combination with an unpatched bug in Internet Explorer, it opens the door for attackers to run unauthorized software on a victim's computer.
"Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple's Safari for Windows has been installed," Microsoft said.
How Big is the Threat?
Ironically, the combined threat has probably become greater thanks to media attention generated by the spat between Microsoft and Apple on this flaw, according to Graham Cluley, a senior technology consultant at Sophos.
"The good news is that Safari still has a small market share amongst Windows users compared to Internet Explorer and Firefox, and so most cybercriminals are unlikely to try and take advantage of it," Cluley said. "However, there are bound to be some in the Internet underground who will be tempted to see if they can exploit and widen this security hole, to see what is possible."
This isn't, of course, the first time eyebrows have been raised about Apple Safari on Windows. Recently Apple was criticized for pushing Safari onto Windows users of iTunes rather too aggressively.
What Will Apple Do?
To its credit, Microsoft has built up a track record of taking security flaws in its products seriously, and it's likely that in due course it will issue an update to mitigate the IE portion of the problem, Cluley said.
All the noises from Apple so far have suggested that it does not believe the issue to be a security problem. Unfortunately, Cluley said, the results of the exploit (users find their desktops filled with icons) are no different from the type of thing we see from spyware and adware merchants on a regular basis.
"It would be good if Apple could develop a fix in a timely fashion for this problem," Cluley said, "but it remains to be seen how quick they will be."
Apple was not immediately available for comment.