Microsoft (NASDAQ: MSFT) is a company that usually stays busy advising users of security issues with its own products. Redmond is now advising users about a blended security threat that involves running Apple’s Safari Web browser on Windows.
The threat could potentially allow Safari to download a malicious file that Windows would then execute. Microsoft has a work-around it suggests, though no patch is available from Apple (NASDAQ: AAPL) for the issue.
“Security Advisory (953818) does not refer to a vulnerability in either Safari or Windows,” Tim Rains, security response communications lead for Microsoft, said in a statement sent to InternetNews.com.
“Rather, it describes a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed. This results from a combination of the default download location in Safari and how the Windows desktop handles executables.”
The Safari issue was publicly disclosed by security researcher Nitesh Dhanjani on May 15. Dhanjani described the issue as a ‘Safari Carpet Bomb’ in his discussion of the security risk.
Dhanjani explained that Safari allows a malicious Web site to ‘carpet bomb’ a user with resource downloads to which the user has not consented. Those downloads end up in a default location on the Windows desktop.
The blended part comes from how Windows, in some cases, handles those downloaded resources. Microsoft’s advisory notes that the downloaded malicious content could be run locally with the same permissions as the logged-on user.
“Microsoft and Apple security teams are in contact with each other and are working together on this issue,” Rains stated.
An Apple spokesperson was not immediately available for comment.
Rains noted in his e-mail that Windows users who change the default location to which Safari downloads content are not affected by this vulnerable condition.
Simply changing the default download location in Safari, however, may not be enough to protect users, at least according to security researcher Aviv Raff. In a blog post, Raff noted that he is working with Microsoft on the issue, since the combined attack also exploits an old vulnerability in Internet Explorer that he had previously reported.
“I’ve currently decided not to publicly disclose any further details, until Microsoft or Apple provide a patch,” Raff wrote. “I can only say that Microsoft’s suggestion for a workaround is not enough.”
Raff alleged that the nature of the blended threat is such that it can still be successfully exploited, even with a change to the default download location in Apple’s Safari.
“The current best solution is to stop using Safari until Apple fixes their vulnerability,” Raff stated.