(Credit:
Nitesh Dhanjani)
Microsoft notes that users who change the default Safari download location are not affected. To change the download location in Safari, under Edit select Preferences. Where it says “Save Downloaded Files to” change the location.
Microsoft may follow the advisory with a security update if needed.
The Safari “carpet bombing” attack was first described by Nitesh Dhanjani last month, but dismissed by Apple as a serious threat. Under Dhanjani’s scenario, a user would surf using Apple Safari for Windows to a maliciously crafted Web site such as http://malicious.example.com/. Dhanjani says Safari does not know how to render content-type of blah/blah, so it starts downloading carpet_bomb.cgi, executing the downloaded files with the same rights as the logged-on user. The end result is the victim’s desktop is populated with a variety of malicious files.
Microsoft has issued an advisory warning Windows users who have installed the Apple
Safari for
Windows browser that their systems may be vulnerable to attack.
Microsoft says it is the combination of the default download file location in Safari and how the Windows desktop handles the files that creates the blended threat on all supported versions of Windows XP and
Windows Vista when Apple’s Safari for Windows has been installed