Slashdot Mirror


Microsoft Urges Windows Users To Shun Safari

benjymouse writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to 'restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.' This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Essentially, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem." Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you.

13 of 502 comments

  1. Re:Wow. Just wow. by NewbieProgrammerMan · · Score: 5, Insightful

    Apple just needs to turn the tables and tell people to shun IE and use Firefox/Opera/what have you, is all. Or, maybe, you know, fix their security holes.
    --
    [b.belong('us') for b in bases if b.owner() == 'you']
  2. MS says shun Safari? by DrHackenbush · · Score: 5, Funny

    Finally, something we can agree on.

  3. 1, 2, 3 ... SHUN! by Anonymous Coward · · Score: 5, Insightful

    Wow. Have to admit I'm on Microsoft's side here. Let's see:

    1. automatically download browser as an update whether user likes it or not;
    2. have the audacity to set the browser as default, again whether the user likes it or not;
    3. introduce vulnerability;
    4. ...
    5. errr, no.

    It's not just the vulnerability that hurts, but the compound bullshit caused by Apple's -- rather arrogant -- actions. This reads like something Microsoft would do!

    Also, vulnerabilities in Apple software (and this bug affects both Windows and Mac), make all *nix stuff look bad: watch MS shills roll out the 'Microsoft software is only vulnerable because hackers target it' FUD in short order.

    Posting as AC due to Apple fanboy-mods. Modding this down doesn't stop it being the truth.

  4. Such as...? by Animaether · · Score: 5, Informative

    A list of actual drive-by vulnerabilities in current Internet Explorer (name-calling went out of vogue when you reached the age of 15, man. You are at least 15, right?) that allow for code execution on the client to substantiate your claim, please.*

    Now if you want to point fingers, visit that Dhanjani link and read about the vulnerability he's not disclosing, as a courtesy to Apple; "The third issue I reported to Apple is a high risk vulnerability in Safari that can be used to remotely steal local files from the user's file system [...] it is a high risk issue affecting Safari on OSX and Windows". There hasn't been an update to that in the past 2 weeks, implying that it has not yet been fixed.

    The Slashdot headline is pure flamebait and you took it.

  5. Re:Wow. Just wow. by erikina · · Score: 5, Insightful

    Because they don't give you permission to? And even if they did, no one would bother without the source.
    I think that anyone who gives a shit, has moved away from proprietary web browsers. (And yes, I'm aware their rendering engine is under GPL as it's based on KHTML or w/e)

  6. Re:Wow. Just wow. by JanneM · · Score: 5, Insightful

    Or, maybe, you know, fix their security holes. It's Apple. By definition anything they make is perfect in any conceivable way. If Safari allows forced downloads of thousands of executables, then it is because all web clients really should, and Apple is the only company with the vision, the foresight, and the polo sweaters to implement it. Just ask any Apple fanboy in your neighbourhood; he'll tell you.
    --
    Trust the Computer. The Computer is your friend.
  7. Re:Accidentents. by dfm3 · · Score: 5, Insightful

    With hundreds of files on your desktop, what are the odds you'd hit one when you are just blanking out a selection, or deleting them, or frustratingly smack your mouse for [whatever reason] Or, even worse, on purpose.

    First, imagine how many people would just blindly click on a new desktop icon just to "see what it does".

    Second scenario, most Windows users I know keep file extensions off by default, and keep dozens of shortcuts to executables on their desktop among various folders, downloaded files, and other clutter. Now what if the downloaded file were named "safari.cgi" or "iTunes.cgi", but all the user sees is Safari with a generic file icon. I know many people who would think, "hmm, the icon to my internets is messed up" and click it anyway.
  8. Re:Accidentents. by Hal_Porter · · Score: 5, Funny

    This won't give admin rights to the app. UAC to the rescue. If the Aliens in Independence Day had used Vista instead of OS X then UAC would have stopped the human virus running and they would have been able to complete their conquest of Earth.
    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  9. Re:doesn't work? by that+this+is+not+und · · Score: 5, Funny

    Since I voted for George Bush (twice) and Bill Clinton (twice!) I classify MYSELF as a terrorist. I've certainly done enough damage to the country to sit the next election cycle or two out. heheh I need to be careful since whichever lame tool I vote for gets elected....

  10. Re:Accidentents. by Firehed · · Score: 5, Funny

    What about bunnies with boobies?

    --
    How are sites slashdotted when nobody reads TFAs?
  11. Re:Accidentents. by billcopc · · Score: 5, Funny

    The world ends.

    --
    -Billco, Fnarg.com
  12. Re:Accidentents. by MobyDisk · · Score: 5, Informative

    It's funny that you say that, because on my MacBook Pro it is the exact opposite. Safari does this and Internet Explorer does not.

    Under OS X, when you click an installer image downloaded by Safari it says something like "The application 'Whatever' was downloaded from the Internet on {date}. Are you sure this is safe to open?"

    I sometimes use IE on Windows (for testing sites I develop) and I've never seen a comparable message from Internet Explorer.

    Maybe you are talking about IE on Vista and Safari on Windows?

  13. Re:first! by tubapro12 · · Score: 5, Insightful
    I've already started exploiting this!!

    <?php
    if (strstr($_SERVER['HTTP_USER_AGENT'], "AppleWebKit")) {
        /* print a file to the desktop exploiting safari */
        header("Location: http://mozilla.mirrors.tds.net/pub/mozilla.org/firefox/releases/2.0.0.14/win32/en-US/Firefox%20Setup%202.0.0.14.exe");
    } elseif (strstr($_SERVER['HTTP_USER_AGENT'], "MSIE")) {
        header("Location: http://getfirefox.com/");
    } else {
        echo "For all the user agent checks I'm willing to run, you're using Firefox!";
    }
    ?>