Apple Fixes Security Flaw In Windows Version Of Safari
The patch changes Safari so it will first seek permission from a user before downloading an application from a Web site to the desktop.
Apple has released a fix for a serious security flaw in the Windows version of the Safari Web browser, which allowed the download of software from a malicious Web site without giving the victim any advance warning.
The patch, part of a security update issued by Apple on Thursday, changed Safari so it would first seek permission from a user before downloading an application from a Web site to the desktop.
The vulnerability was serious enough for Microsoft to issue a warning in May. The flaw affected Safari users with Windows XP or Windows Vista computers.
To exploit the bug, an attacker would first have to trick a user into visiting a Web site that could initiate the download. Because the action could be done without notification, the machine could become infected without a user's knowledge.
In a description of the patch, Apple seemed to place the blame on Microsoft, saying the vulnerability stemmed from "how the Windows desktop handles executables."
"Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code," the company said.
Along with issuing an alert, the fix also changes the default download location for Safari from the desktop to the Windows Vista download folder and the document folder in Windows XP. In Microsoft's May security advisory, the company said customers who had changed Safari's default download location were not at risk.
In March, Apple received considerable criticism for distributing Safari to Windows users by default, as part of an iTunes update. John Lilly, chief executive of Firefox maker Mozilla, said the action bordered on "malware distribution practices."
Apple later changed the tactic. Instead of labeling Safari an update with the option to install preselected, the company clearly listed the software as new, separating it from updates for those applications already on the users' computers, such as iTunes and QuickTime. In addition, the automatic-update tool started giving users the option of turning off the service.