Microsoft Urges Windows Users To Shun Safari
benjymouse writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to 'restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.' This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Essentially, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem." Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you.
Microsoft is saying that Windows is a very different sort of environment. You can't allow convenience on Windows - it's just not secure enough.
A list of actual drive-by vulnerabilities in current Internet Explorer (name-calling went out of vogue when you reached the age of 15, man. You are at least 15, right?) that allow for code execution on the client to substantiate your claim, please.*
Now if you want to point fingers, visit that Dhanjani link and read about the vulnerability he's not disclosing, as a courtesy to Apple; "The third issue I reported to Apple is a high risk vulnerability in Safari that can be used to remotely steal local files from the user's file system [...] it is a high risk issue affecting Safari on OSX and Windows". There hasn't been an update to that in the past 2 weeks, implying that it has not yet been fixed.
The Slashdot headline is pure flamebait and you took it.
Safari's core (KHTML/WebKit) is open source and has been used in some F/OSS projects, most notably Konqueror.
You can tell Safari to put downloaded files where ever you want.
So they don't have to be on the desktop
The browser (Safari) is proprietary. The rendering engine (WebKit) on the other hand is open source with a nice BSD license.
Just to clarify the cause effect relationship, that is not clear enough for me in the parent.
KHTML, that is Konqueror's core, is open source, free software, and easily reusable.
That's why Apple forked the project and uses it as a part of Safari.
pot
Just to clarify your clarification. Apple forked KHTML, which was developed by the Konqueror team, and named their fork WebKit, which is also free and open source. Since then, the developers of KHTML have decided to abandon KHTML in favor of WebKit themselves and are integrating WebKit into Konqueror. So Safari and Konqueror's rendering engine is named 'WebKit' not 'KHTML'.
And what, you are trusting (Vista/Server2008 I would assume?) simply because there isn't a list of vulnerabilities that have been exploited that doesn't have an update/fix for it?
Side Note: I'm typing this from XP and I have another computer in the room next to me currently booted into Vista.
Did I say Microsoft is bad? No.
Besides, obviously a vulnerability is not going to be found if it's already patched on the system being tested. Again quoting you: "Please list some actual 2008 vulnerabilities that were exploited before being patched." But you are neglecting the fact that en masse there are a lot of people who don't update/patch their machines every day.
Furthermore, a lot of vulnerabilities are found by third parties and Microsoft is notified by them, not necessarily by Microsoft employees themselves.
And finally, because it hasn't been reported does not mean they do not exist. Assuming something is secure without proof is far worse than assuming it's not.
Found by Microsoft, currently unpatched*:
http://secunia.com/advisories/29867/
Found by non-Microsoft, currently unpatched*:
http://secunia.com/advisories/29458/
* According to them.
I'm sure I could find more, but I've fed the troll enough as it is.
The feature is built into Windows Explorer too. However, an application that writes files has to mark the files as "from the internet" - otherwise Windows doesn't know where the file is from: it just knows that an application created a file. All they have to do is create their application properly. The way this is implemented is by adding a "Zone Identifier" alternate data stream (supported in NTFS, not FAT32). Any application can do this, and it is documented in MSDN how to do it. It isn't Microsoft's fault that Apple isn't coding correctly for Windows.
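The marking the comment above describes, shown as an added PowerShell example that is not part of the thread: one function writes the Zone.Identifier stream the way a download tool is expected to, and a second audits a folder for executables that carry no such mark. The scratch folder and file names are assumptions for illustration; it needs an NTFS volume and PowerShell 3 or later.

```powershell
# Added example, not code from the thread or from any of the products discussed.
# Requires NTFS (alternate data streams are not available on FAT32) and PowerShell 3+.

function Set-InternetZoneMark {
    param([Parameter(Mandatory)][string]$Path)
    # ZoneId 3 is the Internet zone. This is the same stream Explorer and IE write
    # on downloads; the "Open File - Security Warning" prompt keys on its presence.
    $mark = "[ZoneTransfer]`r`nZoneId=3"
    Set-Content -Path $Path -Stream 'Zone.Identifier' -Value $mark
}

function Get-UnmarkedExecutables {
    param([Parameter(Mandatory)][string]$Folder)
    # Defender-side check: list executable types in a folder (e.g. a user's Desktop)
    # that have no Zone.Identifier stream, i.e. files Windows will treat as local.
    Get-ChildItem -Path $Folder -File -Recurse -Include *.exe,*.dll,*.scr,*.com |
        Where-Object {
            -not (Get-Item -Path $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue)
        }
}

# Demonstration on a scratch folder (constructed; names are placeholders).
$scratch = Join-Path $env:TEMP 'zone-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$sample = Join-Path $scratch 'dropped.exe'
Set-Content -Path $sample -Value 'placeholder content, not a real program'

'Unmarked before marking:'
Get-UnmarkedExecutables -Folder $scratch | Select-Object -ExpandProperty Name

Set-InternetZoneMark -Path $sample
'Stream contents:'
Get-Content -Path $sample -Stream 'Zone.Identifier'

'Unmarked after marking:'
Get-UnmarkedExecutables -Folder $scratch | Select-Object -ExpandProperty Name
```

Unblock-File removes the stream again, which is the same action as clicking "Unblock" in the file's Properties dialog.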
When he says "recently", he means 6th August 2004, the release of Windows XP SP2.
From the linked article: "Apple does not feel this is an issue they want to tackle at this time. In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system. Apple agreed it was a good suggestion: ...the ability to have a preference to "Ask me before downloading anything" is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.
[credit to BK have-it-your-way Rios for suggesting the term "Carpet Bomb" to describe this issue]."
No, the danger lies in the fact that Apple didn't code Safari to mark the file as being downloaded from the internet. Any application could write executables, such as an installer from a CD; it would just confuse people to tell them that those files were downloaded from the internet when they weren't. Therefore the browser needs to mark the file to say it is downloaded from the internet, but guess what the Safari programmers didn't do? Hence it is all Apple's fault.
Wrong, Apple has been installing Safari on Windows users' machines disguised as an update to iTunes/Quicktime. And iTunes has hundreds of millions of users. Even if 5% of them use Safari, it's a pretty big demographic.
It's funny that you say that, because on my MacBook Pro it is the exact opposite. Safari does this and Internet Explorer does not.
Under OS X, when you click an installer image downloaded by Safari it says something like "The application 'Whatever' was downloaded from the Internet on {date}. Are you sure this is safe to open?'
I sometimes use IE on Windows (for testing sites I develop) and I've never seen a comparable message from Internet Explorer.
Maybe you are talking about IE on Vista and Safari on Windows?
I think what he is saying is that OSX has a built in download manager, regardless of browser, so the user indeed DOES have to authorize downloads. If an OSX user gets carpet bombed, it's because they said "ok" at some point. You haven't been dumbed. You should try to be less snarky if you want people to take you more seriously. And try some capital letters while you are at it ;-)
It can really be a serious vulnerability: most default Windows setups hide the .exe of executable filenames. With this I could easily place a bogus "My Computer" icon that executes my favorite rootkit.
You don't have to click on a new desktop icon.
All that needs to happen is:
1) for the download to be called www.google.com (or similar)
2) for the person to open up IE one day.
3) type www.google.com (or similar) into the location bar of IE and press Enter.
4) Screw up and click Open when the prompt appears (you won't be expecting the pop-up, so you might press space or enter or something else that causes "click through").
I'm sure there are lots of other naughty things people can do.
Safari is a viable alternative, at least according to most all of the reviews of it, such as Ars Technica's. Personally, I prefer Firefox on Windows, but I do miss some of the nice features that Safari has but others have not caught up on. For example, I just resized the text box I'm typing this in to be large enough so I don't have to scroll. I regularly miss that when I'm on Windows or Linux.
This issue has nothing to do with Webkit. The flaw lies in Apple's proprietary Safari code.