TechNewsWorld.com

Microsoft, Apple Spar Over Safari Security Threat


Microsoft has warned Web surfers about a Safari vulnerability that could put Windows users at risk. The flaw was one of three first found by researcher Nitesh Dhanjani. One of the bugs Dhanjani found was serious enough to be kept secret until a fix is found. However, Apple said it does not consider the problem Microsoft has drawn attention to a security issue.


A flaw in Apple's (Nasdaq: AAPL) Safari Web browser has caught the attention of Microsoft's (Nasdaq: MSFT) security team. The software maker has released an advisory for Windows XP and Windows Vista users running Safari, informing them that Microsoft has begun investigating a vulnerability discovered two weeks earlier by Nitesh Dhanjani, a security researcher.

One of three bugs Dhanjani found in connection with Safari, the flaw exposes PC users to a "carpet bomb" attack, allowing potentially malicious files to be downloaded to and run on a PC without the owners' consent.

Apple, according to a post on Dhanjani's blog, does not consider this issue to be "security related" despite evidence that the vulnerability also affects Mac OS X users.

"Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads," Apple said in a response quoted on Dhanjani's site.

Apple did not respond to a request for comment.

Windows on Safari

The issue here is twofold and involves the way Safari handles user downloads and the way Windows executes user downloads, Chenxi Wang, a Forrester Research analyst, told MacNewsWorld.

In what's known as a "blended attack," hackers take advantage of two relatively innocuous vulnerabilities. In this instance, the Safari side of the problem is a default setting in the browser that allows content to download to a user's desktop or download folder without the user's permission.

Meanwhile, Windows allows some downloaded files to run automatically, Chris Rodriguez, a Frost & Sullivan analyst, told MacNewsWorld.

That opens the door to a scenario in which a rogue Web site can "litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in OS X)," Dhanjani explained.

"This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location (unless changed)," he wrote.

"The problem is that you visit a Web site and the files are downloaded to your computer and run automatically," Rodriguez noted.

Who's Fixin' It?

The risk to PC users is moderate, according to Andrew Jaquith, an analyst at Yankee Group. Dhanjani's scenario, he said, requires the user first to use Safari; second, to visit a malicious Web site that causes malicious files to be downloaded automatically; and third, to double-click -- i.e. execute -- something that was downloaded by this method.

"Most other browsers -- including IE (Internet Explorer) -- will alert you if you are attempting to download content to your desktop or preferred download folder. Safari doesn't do that. It should offer users a choice to block the download," Jaquith explained.

"In general, Apple has had a habit of making its browser setting a little too loose. For example, Safari is configured so that the Open 'Safe' Files After Download setting is checked by default. This is pretty irresponsible, in my view, and in the view of just about every security person I know," he told MacNewsWorld.

However, Jaquith pointed out that this vulnerability is not as serious as the "perennial 'drive-by' ActiveX vulnerabilities that affect Internet Explorer.

"Those will cause code to download automatically and run. Still, Apple should not be automatically downloading anything without the user's consent," he said.

However, because malicious files can be downloaded to a user's machine and executed without consent, the bug, Wang said, should be considered serious.

Depending on the results of its investigation, Microsoft may release a fix for the bug, but Jaquith, Rodriguez and Graham Cluley, senior technology consultant at Sophos, said Apple needs to correct the problem.

"It would be good if Apple could alter the operation of Safari to prevent this unattractive behavior from being possible. However, they do not appear to recognize it as a security vulnerability," Cluley told MacNewsWorld.

'Watch Your Desktop'

Apple, Jaquith said, should eliminate the option to open safe files after downloading and alert the user when Safari downloads content. The user should clearly express their consent, he pointed out.

"There are lots of ways Apple could make this work without making it too onerous," he added.

However, in response to a similar suggestion from Dhanjani, Apple told the security researcher, "the ability to have a preference to 'Ask me before downloading anything' is a good suggestion. We can file that as an enhancement request for the Safari team. ... This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated."

Wang, Jaquith, Rodriguez and Cluley recommend that Windows users choose a different Web browser such as Internet Explorer or Firefox. Users can also change the default location where downloaded files are stored on their computer.

"Watch your desktop. If you see files you don't recognize popping up while you browse with Safari, delete them rather than double-clicking," Jaquith advised.
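Jaquith's advice amounts to a manual baseline-and-diff of the download folder. The script below is an added example (not code from the article, Apple or Microsoft) that automates that check: it records which files are in a folder such as the Windows Desktop or ~/Downloads before a browsing session, then reports anything that appeared afterwards and flags names Windows would run on double-click. The folder path, the extension list and the `demo()` helper with its constructed file names are assumptions made for the example.

```python
"""Detect files that appeared in a download folder without the user asking for them.

Added example (not the article's or any vendor's code). Usage pattern:
    baseline = snapshot(r"C:\\Users\\me\\Desktop")   # path is an assumption
    ...browse with Safari...
    result = report(r"C:\\Users\\me\\Desktop", baseline)
Anything in result["risky"] should be deleted, not double-clicked.
"""
import os
import tempfile
from pathlib import Path

# Extensions Windows executes on double-click. Assumed list for the example, not from the page.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js", ".hta", ".dll", ".msi",
}


def snapshot(folder):
    """Return {filename: size_in_bytes} for every regular file directly inside `folder`."""
    return {p.name: p.stat().st_size for p in Path(folder).iterdir() if p.is_file()}


def new_files(before, after):
    """Names present in `after` but absent from `before`: files that appeared since the baseline."""
    return sorted(set(after) - set(before))


def is_executable_name(name):
    """True if Windows would treat a double-click on this name as 'run it'."""
    return Path(name).suffix.lower() in EXECUTABLE_EXTENSIONS


def report(folder, before):
    """Compare `folder` with a baseline snapshot and classify what showed up meanwhile."""
    after = snapshot(folder)
    appeared = new_files(before, after)
    return {
        "appeared": appeared,
        "risky": [name for name in appeared if is_executable_name(name)],
        "sizes": {name: after[name] for name in appeared},
    }


def demo():
    """Simulate a carpet-bomb drop into a temporary folder and return the resulting report.

    The file names below are constructed for the example; nothing is downloaded.
    """
    with tempfile.TemporaryDirectory() as folder:
        # A file the user already had: must NOT be reported.
        Path(folder, "existing_notes.txt").write_text("mine\n")
        baseline = snapshot(folder)

        # Files a rogue page pushed into the folder during the browsing session.
        Path(folder, "invoice.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        Path(folder, "update.exe").write_bytes(b"MZ constructed sample, not a real binary\n")
        Path(folder, "README.JS").write_text("// constructed sample\n")

        return report(folder, baseline)


if __name__ == "__main__":
    result = demo()
    print("appeared:", result["appeared"])
    print("risky   :", result["risky"])
```

Comparing by name rather than by modification time avoids missing a dropped file whose timestamp a page could not control anyway; the size map is kept so a user can tell a zero-byte placeholder from a full payload. Changing Safari's download location, as the analysts suggest, only moves the folder the baseline should be taken of; it does not remove the need to look at what arrived.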


More by Walaika Haskins


Talkback: Join the Discussion.
It Isn't A Problem On A Mac.
Fetrow
Posted 2008-06-05
This problem doesn't occur using Safari on a Mac, only on a Windoz box. ...
apple
someguy050
Posted 2008-06-03
Apple's claims that their OS is immune to virus threats and vulnerabilities is the equivalent of ...
