If at first you don't succeed; call it version 1.0
Saturday, 31 May 2008
[Updated - see below]
Yes, you've read it right. Apple Safari can be used to pwn users with Internet Explorer installed. Well, basically this means that attackers can pwn Windows users who browse the web using Safari for Windows.

I've reported this issue to Microsoft over a week ago, and they have just issued a security advisory.
I've decided to work with Microsoft on this issue, because this combined attack also exploits an old vulnerability in Internet Explorer that I've already reported to them a long long time ago.

The root of this combined attack is Safari's "Carpet Bomb" vulnerability that was recently found by Nitesh Dhanjani. I didn't bother contacting Apple, as they've told Nitesh that they consider this as an "enhancement request" and will not bother to fix this issue any time soon.


I've currently decided not to publicly disclose any further details, until Microsoft or Apple provide a patch. I can only say that Microsoft's suggestion for a workaround is not enough. This combined Safari/IE vulnerability might still be successfully exploited, even if the user will change Safari's download location. Also, the Safari "Carpet Bomb" vulnerability can be used in combination with vulnerabilities in other products, so even if MS fixes their vulnerability,  Safari users will still be vulnerable.
The current best solution is to stop using Safari until Apple fixes their vulnerability.
I would like to take this opportunity and remind you that I've added a new RSS feed for the upcoming advisories. This feed will include new vulnerabilities which I've found but have not yet published their technical details on my blog.

Security vendors are welcomed to contact me in order to get more information about those vulnerabilities.

[UPDATE 07-JUNE-2008] Microsoft took my advice and updated the suggested workaround in the advisory. This updated workaround reduces the probability of being exploited to almost zero.
So, if you decide to keep using Safari for Windows, you should follow the steps described in the new workaround.

Saturday, 31 May 2008 12:45:38 UTC | Comments [2] | Security#
Saturday, 21 June 2008 23:44:25 UTC
MS has updated their advisory with a reference to
(safari 3.1.2 released).
Does this mean things are now fixed?
Friday, 25 September 2009 19:47:39 UTC
Umm.... Safari on Windows is just an iFrame running IE. So saying that it's better than IE is retarded since it IS IE.
Comments are closed.     
Send me an Email
Follow me on Twitter
RSS Feeds
Admin Login
Sign In
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.