Apple Fixes Security Flaw In Windows Version Of Safari

Apple has released a fix for a serious security flaw in the Windows version of the Safari Web browser, which allowed the download of software from a malicious Web site without giving the victim any advanced warning.

The patch, part of a security update issued by Apple on Thursday, changed Safari so it would first seek permission from a user before downloading an application from a Web site to the desktop.

The vulnerability was serious enough for Microsoft to issue a warning in May. The flaw affected Safari users with Windows XP or Windows Vista computers.

To exploit the bug, an attacker would first have to trick a user into visiting a Web site that could initiate the download. Because the action could be done without notification, the machine could become infected without a user's knowledge.

In a description of the patch, Apple seemed to place the blame on Microsoft, saying the vulnerability stemmed from "how the Windows desktop handles executables."

"Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code," the company said.

Along with issuing an alert, the fix also changes the default download location for Safari from the desktop to the Windows Vista download folder and the document folder in Windows XP. In Microsoft's May security advisory, the company said customers who had changed Safari's default download location were not at risk.

In March, Apple received considerable criticism for distributing Safari to Windows users by default, as part of an iTunes update. John Lilly, chief executive of Firefox maker Mozilla, said the action bordered on "malware distribution practices."

Apple later changed the tactic. Instead of labeling Safari an update with the option to install preselected, the company clearly listed the software as new, separating it from updates for those applications already on the users' computers, such as iTunes and QuickTime. In addition, the automatic-update tool started giving users the option of turning off the service.