
Saturday October 11th, 2008 » Fall Quarter, Week 2

Vulnerability using Apple's Safari Web Browser on Windows

A vulnerability has recently been discovered that affects users of Apple's Safari browser on Windows systems. The vulnerability is two-fold: one part is due to the way Safari works, and one is due to the way Internet Explorer works.

By default, Safari saves downloaded files to the desktop without asking the user (IE and Firefox do ask), and IE, when started from a desktop shortcut, includes the desktop in its DLL search path. So a malicious web page could cause Safari to download a DLL to the desktop, and when the user starts IE, it could load the DLL when it starts, giving the attackers control of IE (and probably the system as well).

The workaround at this time is to change the download location in Safari to something other than the desktop.
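Changing the download location does not remove files that are already on the desktop, so it is worth checking for them as well. The following is an added example, not part of the original advisory: a small audit that lists DLL-named files sitting directly on a desktop folder and checks whether each is really a PE image. The function names and the sample folder it builds are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path


def is_pe_file(path: Path) -> bool:
    """Return True if the file has an MZ header pointing at a PE signature."""
    try:
        with path.open("rb") as fh:
            dos_header = fh.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            # e_lfanew (offset 0x3C) holds the file offset of "PE\0\0".
            (pe_offset,) = struct.unpack_from("<I", dos_header, 0x3C)
            fh.seek(pe_offset)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def audit_desktop(desktop: Path) -> list[dict]:
    """List DLL-named files directly in `desktop` (subfolders are not searched)."""
    findings = []
    for entry in sorted(desktop.iterdir()):
        if entry.is_file() and entry.suffix.lower() == ".dll":
            findings.append({
                "name": entry.name,
                "size": entry.stat().st_size,
                "is_pe": is_pe_file(entry),
            })
    return findings


def build_sample_desktop(root: Path) -> Path:
    """Constructed sample data: a fake desktop with one PE-shaped DLL and decoys."""
    desktop = root / "Desktop"
    desktop.mkdir()
    pe_stub = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00"
    (desktop / "Example.DLL").write_bytes(pe_stub)         # DLL name, PE-shaped
    (desktop / "notes.dll").write_bytes(b"just text")      # DLL name, not a PE
    (desktop / "report.pdf").write_bytes(b"%PDF-1.4")      # ignored: not a DLL name
    (desktop / "sub").mkdir()
    (desktop / "sub" / "nested.dll").write_bytes(pe_stub)  # ignored: not top level
    return desktop


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_desktop(build_sample_desktop(Path(tmp))):
            print(finding)
```

To audit a real profile, pass the user's desktop folder to `audit_desktop`; `Path.home() / "Desktop"` is the usual location but is an assumption here, since the folder can be redirected.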

For more information, see

http://isc.sans.org/diary.html?storyid=4562
http://www.microsoft.com/technet/security/advisory/953818.mspx