Apple Safari flaw more serious than originally thought

**Glaswegian** · 06-02-2008, 01:32 PM

Microsoft has warned that a previously disclosed flaw in Apple's Safari browser could have dire consequences for Windows users.

The Safari bug, originally disclosed on 15 May by security researcher Nitesh Dhanjani, allows attackers to litter a victim's desktop with executable files, an attack known as "carpet bombing."

It turns out that if this flaw is exploited in combination with a second unpatched bug in Internet Explorer, attackers can run unauthorised software on a victim's computer, according to Aviv Raff, a security researcher. Raff said he originally reported the IE flaw to Microsoft more than a year ago, and then told them about how it could be combined with the carpet bombing bug just over a week ago.

For the attack to work, a victim must first visit a maliciously crafted Web page with the Safari browser, which in turn will trigger the carpet bombing attack and exploit the IE flaw. Both the Safari and IE bugs "are moderate vulnerabilities that, combined, produce a critical flaw, which allows remote code execution," Raff said.

http://www.techworld.com/security/ne...&NewsID=101644

pepsitrev · 06-05-2008, 10:00 AM

thanks for the heads up mate. will remove safari at once.

06-02-2008, 01:32 PM	#1 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 21,344 OS: Win XP Pro SP3 My System Blog Entries: 10	Apple Safari flaw more serious than originally thought Microsoft has warned that a previously disclosed flaw in Apple's Safari browser could have dire consequences for Windows users. The Safari bug, originally disclosed on 15 May by security researcher Nitesh Dhanjani, allows attackers to litter a victim's desktop with executable files, an attack known as "carpet bombing." It turns out that if this flaw is exploited in combination with a second unpatched bug in Internet Explorer, attackers can run unauthorised software on a victim's computer, according to Aviv Raff, a security researcher. Raff said he originally reported the IE flaw to Microsoft more than a year ago, and then told them about how it could be combined with the carpet bombing bug just over a week ago. For the attack to work, a victim must first visit a maliciously crafted Web page with the Safari browser, which in turn will trigger the carpet bombing attack and exploit the IE flaw. Both the Safari and IE bugs "are moderate vulnerabilities that, combined, produce a critical flaw, which allows remote code execution," Raff said. http://www.techworld.com/security/ne...&NewsID=101644 __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::5 Steps For Infected PCs

06-05-2008, 10:00 AM	#2 (permalink)
pepsitrev Registered User Join Date: Apr 2008 Posts: 13 OS: xpsp2	Re: Apple Safari flaw more serious than originally thought thanks for the heads up mate. will remove safari at once. __________________ PEPSI for the 60s generation