Friday, May 30, 2008

Is Microsoft dropping Apple 0-day?

Just saw this link show up in my RSS reader:
Microsoft Security Advisory (953818) Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform

From the advisory:

FAQ

What causes this threat?
A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed. Safari is available as a stand-alone install or through the Apple Software Update application.

And

Workarounds

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Change the download location of content in Safari to a location other than ‘Desktop’

Launch Safari. Under the Edit menu select Preferences.

At the option where it states Save Downloaded Files to:, select a different location on the local drive.

So... that sounds a lot like if I were to download a desktop.ini file or something like that, I'd get my Windows all 0wned. As in, if I cared to, I probably wouldn't have to work too hard to figure out how to exploit this from Microsoft's description and workaround.

Is this being exploited in the wild or something? Otherwise I kinda would have expected Microsoft to keep quiet until it was patched by Apple.

I guess Apple pushing Safari on Windows iTunes/Quicktime users isn't looking so hot about now?

Update:
Aha, pointer from Slashdot and The Register. The carpet bombing seems to be the genesis, but that's not the whole story, since he doesn't talk about executing code.

Update2:
There it is, it was found by Aviv Raff.

No comments: