Apple defuses Safari "Carpet Bomb"
Apple has closed four security holes in the Windows version of its Safari browser with the release of version 3.1.2. The fixes include the browser's "Carpet Bomb" behaviour of placing downloaded files on the desktop by default and without asking the user's permission. In combination with Internet Explorer – which, unlike other applications, looks for DLLs on the desktop as well as in the system folders – this behaviour can present a security hazard.
Apple didn't originally consider the behaviour of its browser to be a problem, but seems to have been forced into action by public discussion. Safari now asks users where to save a downloaded file. In addition, the browser now suggests a dedicated download folder by default. It is unknown whether Microsoft will release a patch to stop Internet Explorer's strange library detection habits.
The new version will be deployed using auto-update and is also available for manual download. However, not all internationalised versions of 3.1.2 are yet available.
- APPLE-SA-2008-06-19 Safari v3.1.2 for Windows, Apple update notes