Apple Fixes Safari Vulnerability on Windows
Posted by Maxim Weinstein Fri, 20 Jun 2008 12:56:00 GMT
About a month ago, we questioned Apple for characterizing a Safari security vulnerability as a "feature" issue rather than a security issue. The issue drew further attention when Microsoft announced that the Safari vulnerability, combined with a Windows vulnerability, could lead to remote code execution.
I'm glad to report that Apple has patched the hole in the Windows version of Safari, though its advisory still treats the unprompted downloading of files as a non-security issue, as this passage from the advisory shows:
An issue exists in how the Windows desktop handles executables. Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code. Web browsers are a means by which files may be saved to the desktop. To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user’s Downloads folder on Windows Vista, and to the user’s Documents folder on Windows XP. This issue does not exist on systems running Mac OS X.
In other words, Apple is saying that the only security issue is the Windows desktop vulnerability, and that the Safari change is merely a mitigation that protects users from Microsoft's flaw. The patch is an essential download for users of Safari for Windows: it restores the download prompt and moves the default download location off the desktop. It is disappointing, however, that Apple continues to shift the blame and to maintain that the Mac version of Safari, which still saves files without prompting, has no security issue.
I also hope that we will see a patch from Microsoft that addresses the Windows desktop vulnerability directly.
Hat tip to Ryan Naraine at the ZDNet Zero Day Blog for reporting on Apple’s update.

