Slashdot Mirror
Microsoft Urges Windows Users To Shun Safari
benjymouse writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to 'restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.' This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Essentially, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem." Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you.
A list of actual drive-by vulnerabilities in current Internet Explorer (name-calling went out of vogue when you reached the age of 15, man. You are at least 15, right?) that allow for code execution on the client to substantiate your claim, please.*
Now if you want to point fingers, visit that Dhanjani link and read about the vulnerability he's not disclosing, as a courtesy to Apple; "The third issue I reported to Apple is a high risk vulnerability in Safari that can be used to remotely steal local files from the user's file system [...] it is a high risk issue affecting Safari on OSX and Windows". There hasn't been an update to that in the past 2 weeks, implying that it has not yet been fixed.
The Slashdot headline is pure flamebait and you took it.
Just to clarify your clarification. Apple forked KHTML, which was developed by the Konquerer team, and named their fork WebKit, which is also free and open source. Since then, the developers of KHTML have decided to abandon KHTML in favor of WebKit themselves and are integrating WebKit into Konquerer. So Safari and Konqueror's rendering engine is named 'WebKit' not 'KHTML'.
When he says "recently", he means 6th August 2004; the release of Windows XP SP2.
From the linked article "Apple does not feel this is a issue they want to tackle at this time. In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system. Apple agreed it was a good suggestion: ...the ability to have a preference to "Ask me before downloading anything" is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.
[credit to BK have-it-your-way Rios for suggesting the term "Carpet Bomb" to describe this issue]."
Wrong, Apple has been installing Safari on Windows users machine disguised as an update to iTunes/Quicktime. And iTunes has hundreds of millions of users. Even if 5% of them use Safari, it's a pretty big demographic.
This space for rent.
It's funny that you say that, because on my MacBook Pro it is the exact opposite. Safari does this and Internet Explorer does not.
Under OS X, when you click an installer image downloaded by Safari it says something like "The application 'Whatever' was downloaded from the Internet on {date}. Are you sure this is safe to open?'
I sometimes use IE on Windows (for testing sites I develop) and I've never seen a comparable message from Internet Explorer.
Maybe you are talking about IE on Vista and Safari on Windows?
I think what he is saying is that OSX has a built in download manager, regardless of browser, so the user indeed DOES have to authorize downloads. If an OSX user gets carpet bombed, it's because they said "ok" at some point. You haven't been dumbed. You should try to be less snarky if you want people to take you more seriously. And try some capital letters while you are at it ;-)