Microsoft issues warning about Safari under Windows
Microsoft is advising Windows users not to run Apple's Safari browser in its standard configuration. A security advisory by the vendor states that attackers can exploit an interaction between Internet Explorer and the Apple browser to execute arbitrary malicious code when a malformed web page is accessed. For the past two months, iTunes users have been offered the Safari browser as a regular update with their iTunes music software.
The advisory doesn't reveal any technical details. In particular, it leaves unanswered whether the problem occurs when browsing with Internet Explorer, with Safari, or even with both of these browsers. However, the Redmond advice echoes the concerns of security experts who fear that Safari's much-discussed behaviour of downloading files to the desktop without user confirmation could escalate into a major security problem when combined with another vulnerability.
Microsoft recommends that users restrict their use of the Safari web browser. As a workaround, Safari can be configured not to place downloaded files on the desktop. The relevant option in the browser's preferences is "Save downloaded files to". Although Microsoft states that no exploits of this vulnerability have been reported so far, Windows users who have Safari or iTunes installed on their systems are advised to act immediately.
- Bug or feature? Apple's Safari Web browser, heise Security news