Microsoft Urges Windows Users To Shun Safari

benjymouse writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to 'restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.' This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Essentially, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem." Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you.

Accidentents.

[Vectronic]

"Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you."

With hundreds of files on your desktop, what are the odds you'd hit one when you are just blanking out a selection, or deleting them, or frustratingly smack your mouse for [whatever reason]

Re:Accidentents.

[dfm3]

With hundreds of files on your desktop, what are the odds you'd hit one when you are just blanking out a selection, or deleting them, or frustratingly smack your mouse for [whatever reason] Or, even worse, on purpose.

First, imagine how many people would just blindly click on a new desktop icon just to "see what it does".

Second scenario, most Windows users I know keep file extensions off by default, and keep dozens of shortcuts to executables on their desktop among various folders, downloaded files, and other clutter. Now what if the downloaded file were named "safari.cgi" or "iTunes.cgi", but all the user sees is Safari with a generic file icon. I know many people who would think, "hmm, the icon to my internets is messed up" and click it anyway.

Re:Accidentents.

[kitgerrits]

As a Linux user, I have to point out one thing in Microsoft's defense:
Lately, it seems to tag executables that have been downloaded and warns you about it when you try to run them.
Apparently, Safari does not have this mechanism, so users might assume it's a valid local icon.

I still run Firefox, though.

Re:Accidentents.

Wrong. Anytime a browser can be made to download a file without the user agreeing to it it's a problem with the browser. Nice try though.

Re:Accidentents.

[recoiledsnake]

On OS X Leopard, any executable .app that is downloaded from the Internet requires your explicit permission in order to execute. So it does in Windows(even if downloaded through Firefox). It's just that Safari doesn't mark executables as 'Downloaded from the internet'. This has nothing to do with one OS vs. the other. It's just that Apple is not following proper Windows guidelines while Mozilla etc. do.

Re:Accidentents.

[93+Escort+Wagon]

So it does in Windows(even if downloaded through Firefox). It's just that Safari doesn't mark executables as 'Downloaded from the internet'. This has nothing to do with one OS vs. the other. It's just that Apple is not following proper Windows guidelines while Mozilla etc. do. As a Mac user, I get fed up whenever a company (usually Adobe) doesn't follow "proper procedure" - such as using their own proprietary installer that won't work correctly out of a non-admin account, or software that won't work at all unless you're an admin. It's not just annoying; it's a strike against security.

So if this is realy true - if Microsoft has indicated files should be flagged thus, and provides an API that allows software to do that - then shame on Apple. They want their guidelines followed on their OS; so they should do the same for their Windows software.

Basically it's the Golden Rule.

Re:Wow. Just wow.

[NewbieProgrammerMan]

Apple just needs to turn the tables and tell people to shun IE and use Firefox/Opera/what have you, is all. Or, maybe, you know, fix their security holes.

1, 2, 3 ... SHUN!

Wow. Have to admit I'm on Microsoft's side here. Let's see:

1. automatically download browser as an update whether user likes it or not;
2. have the audacity to set the browser as default, again whether the user likes it or not;
3. introduce vulnerability;
4. ...
5. errr, no.

It's not just the vulnerability that hurts, but the compund bullshit caused by Apple's -- rather arrogant -- actions. This reads like something Microsoft would do!

Also, vulnerabilities in Apple software (and this bug affects both Windows and Mac), make all *nix stuff look bad: watch MS shills roll out the 'Microsoft software is only vulnerable because hackers target it' FUD in short order.

Posting as AC due to Apple fanboy-mods. Modding this down doesn't stop it being the truth.

Re:Wow. Just wow.

[erikina]

Because they don't give you permission to? And even they did, no one would bother without the source.
I think that anyone who gives a shit, has moved away from proprietary web browsers. (And yes, I'm aware their rendering engine is under GPL as it's based on KHTML or w/e)

Re:Quality of links

[esme]

some guy's blog

That guy appears to be the one who discovered the vulnerabilities and reported them to Apple.

Do you really think Slashdot shouldn't link to primary sources?

-Esme

Microsoft

[kardelen133]

Hi all I'm in the uncomfortable position of agreeing with Microsoft on this issue. If a browser (any browser) allows a website to randomly download files without the user's explicit permission, regardless of the location, it is a security issue in my opinion. Having said that, I take issue with Microsoft's security advisory. The only thing they say is: "What causes this threat? A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a userâ(TM)s machine without prompting, allowing them to be executed." OK, but how about telling us the how or why? Since it is a direct contributor which causes the blended threat, I don't think it's asking too much to want to know exactly "how the Windows desktop handles executables" and how that contributes to the threat. http://www.evden-eve-nakliyat.name.tr/

Re:Wow. Just wow.

[JanneM]

Or, maybe, you know, fix their security holes. It's Apple. By definition anything they make is perfect in any conceivable way. If Safari allows forced downloads of thousands of executables, then it is because all web clients really should, and Apple is the only company with the vision, the foresight, and the polo sweaters to implement it. Just ask any Apple fanboy in your neighbourhood; he'll tell you.

Re:doesn't work?

[LuxFX]

Not a security bug? The downloaded files go directly to the desktop.

So, what if a site triggers an automatic download of a file called "My Computer.exe" to an XP computer, using the typical My Computer icon. Will a casual user be able to tell the difference? One click will take them to My Computer, another might install a spam zombie. Now think of a user with 500 extra My Computer icons. Which do they choose?

Re:first!

[tubapro12]

I've already started exploiting this!!

<?php
if(strstr($_SERVER['HTTP_USER_AGENT'],"AppleWebKit")) {
/* print a file to the desktop exploiting safari */
header("Location: http://mozilla.mirrors.tds.net/pub/mozilla.org/firefox/releases/2.0.0.14/win32/en-US/Firefox%20Setup%202.0.0.14.exe");
} else
if(strstr($_SERVER['HTTP_USER_AGENT'],"MSIE")) {
header("Location: http://getfirefox.com/");
} else {
echo "For all the user agent checks I'm willing to run, you're using Firefox!";
}
?>