homepage Welcome to WebmasterWorld Guest from 54.226.235.222
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Visit PubCon.com
Home / Forums Index / Code, Content, and Presentation / HTML
Forum Library, Charter, Moderators: incrediBILL

HTML Forum

    
Microsoft Urges Windows Users To Avoid Safari
bill




msg:3664016
 4:19 am on Jun 1, 2008 (gmt 0)

Microsoft urges Windows users to shun 'carpet bombing' Safari [theregister.co.uk]

Microsoft's security team is advising users to stop using Apple's Safari browser pending investigation into a quirk that allows miscreants to litter their desktop with hundreds of executable files.

Windows users who visit a booby-trapped site with Safari could be forced to download and execute malicious files with no prompting, Microsoft says. The "blended threat" is a result of the default download location in Safari and the way the Windows desktop handles executable files.

This Microsoft advisory [microsoft.com] suggests users "restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple."


 

tedster




msg:3664044
 5:34 am on Jun 1, 2008 (gmt 0)

Oh my, looks like someone at Apple should take a public relations course.

Apple agreed that it might be good if Safari actually checked with the user before downloading potentially vicious files, but signaled that kind of addition wasn't much of a priority.

"Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads," someone from Apple's security team told Dhanjani. "We want to set your expectations that this could take quite a while, if it ever gets incorporated."

[theregister.co.uk...]


Wlauzon




msg:3664098
 7:48 am on Jun 1, 2008 (gmt 0)

..we are not treating this as a security issue..

So it can just download all of those nifty adware and malware files to my computer, and I don't even know about it?

Sounds cool...

adfree




msg:3664153
 11:33 am on Jun 1, 2008 (gmt 0)

...we are not treating this as a security issue...

Well, But I do! Just de-installed, suckers!

vincevincevince




msg:3664154
 11:35 am on Jun 1, 2008 (gmt 0)

Interesting that Microsoft never urged windows users to avoid Internet Explorer during the long history of exploits affecting that browser, many of which have been much more dangerous than this present one.

Bernard Marx




msg:3664197
 1:15 pm on Jun 1, 2008 (gmt 0)

Well, they did recommend using it with scripting disabled.
(Brill, eh ?)

jdMorgan




msg:3664204
 1:53 pm on Jun 1, 2008 (gmt 0)

Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.

Done.

Jim

amnesia440




msg:3664270
 4:01 pm on Jun 1, 2008 (gmt 0)

interesting. Maybe MS should look at how it allows malware to destroy their operating system.

This shouldn't be an issue on Vista right? I mean, vista is the 'worlds most secure OS', right?

swa66




msg:3664284
 4:49 pm on Jun 1, 2008 (gmt 0)

Perhaps MSFT ought to be more interested in their own security failures.

The prompting of users for all possible things will only result in the user clicking next on those annoying messages anyway, so it's a moot poitn to even add more of those prompts.
Hmm. vista is full of those anoying prompts it appears, so perhaps that's why I'm not using it.

Wlauzon




msg:3664360
 7:26 pm on Jun 1, 2008 (gmt 0)

"Clicking on all possible things", and having prompts for .exe files is not quite the same thing.

bill




msg:3664694
 9:58 am on Jun 2, 2008 (gmt 0)

Let's stay on topic.
If you'd like to discuss Vista or other MS OS topics feel free to do it in the appropriate forum [webmasterworld.com].

I'm moving my Safari installations into a Virtual PC until this blows over.

whoisgregg




msg:3664801
 1:04 pm on Jun 2, 2008 (gmt 0)

If changing the default download location is enough to completely avoid the problem, why is Microsoft's suggested course of action to "Restrict use of Safari as a web browser?"

Oh right, because when a competing browser starts to gain in market share [marketshare.hitslink.com], Microsoft's first course of action is a FUD campaign.

Hugene




msg:3664891
 3:02 pm on Jun 2, 2008 (gmt 0)

Why are you using Safari? Is it a good browser? Seems to me like using IE on a Mac, aka there is no point. Just checked apple's page, they claim Safari is faster to load pages than Firefox. Is that true?

incrediBILL




msg:3664977
 4:29 pm on Jun 2, 2008 (gmt 0)

"Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads," someone from Apple's security team

Whoever stated this should be called someone from "Apple's LACK of Security Team".

People don't expect malicious files to just appear on their desktop and allowing your software to do such a thing is so wrong, Apple needs to be smacked.

Allowing anything to download files automatically is a huge risk, especially if it dumps them on the desktop. The odds of accidentally launching the file when trying to delete it are pretty substantial for the less than computer savvy, not to mention the curiosity factor of wanting to see what it is.

Most viruses spread because people are stupid and do stupid things so when you give stupid software to stupid people expect even more stupidity to ensue.

Simply amazing.

I'm moving my Safari installations into a Virtual PC until this blows over.

Not sure why you would use Safari on a PC except to test your web sites to see how they would work on a Mac, and if you don't trust your own sites...

[edited by: incrediBILL at 4:30 pm (utc) on June 2, 2008]

tedster




msg:3665193
 8:41 pm on Jun 2, 2008 (gmt 0)

Why are you using Safari?

To see how the web pages I create are displayed - only that,

penders




msg:3665289
 10:23 pm on Jun 2, 2008 (gmt 0)

Hhhhmmm, I noticed the other day that when trying to force a download in Safari (Win) it would download immediately, to the location specified in prefs, without first prompting to Open/Save/Cancel as all other browsers do!? Mmmmmm?

Text file link that downloads, not displays? [webmasterworld.com]

Only use Safari to test, as mentioned. (Rather like the Network Timeline on the developer toolbar.)

bill




msg:3665471
 3:54 am on Jun 3, 2008 (gmt 0)

Why are you using Safari?

Just for testing purposes...just like my virtual PCs. That's where I think I'm going to relegate the rest of Apple's software as well. QuickTime is another gaping security hole.

penders




msg:3665529
 7:12 am on Jun 3, 2008 (gmt 0)

Just checked apple's page, they claim Safari is faster to load pages than Firefox. Is that true?

I think that's questionable. To be honest, in the pages I've tried, I've not noticed much of a difference. The good thing about Safari on Win (for most here I guess) is that it looks the same as on the Mac, scrollbars, dialog boxes, ...everything. It's good for testing. Although IMO the font smoothing is excessive - the text is 'fuzzy'! (I'm sure the text is cleaner on the Mac?!)

4css




msg:3679448
 12:07 pm on Jun 20, 2008 (gmt 0)

The next question I have is, if you have a firewall, and safari tries to do something it isn't supposed to, wouldn't the firewall protect you?

moderator note:
a discussion about using a Virtual PC
was split off into its own thread:
[webmasterworld.com...]

[edited by: tedster at 12:34 pm (utc) on June 22, 2008]

tedster




msg:3680729
 12:36 pm on Jun 22, 2008 (gmt 0)

I think you'll find that in order to use Safari to browse the web, you have to make a firewall rule that allows Safari to take a lot of actions - so you've already compromised a lot of the safety the firewall gives you.

g1smd




msg:3680859
 4:29 pm on Jun 22, 2008 (gmt 0)

There was an update to safari yesterday. I'm on 3.1.2 now.

4css




msg:3680874
 5:07 pm on Jun 22, 2008 (gmt 0)

@Tedster,

So if you are installing it just for developing purposes, and only view on your own machine, then it should be ok to install it?

Thanks regarding the answer for the firewall question.

tedster




msg:3680894
 5:49 pm on Jun 22, 2008 (gmt 0)

I've installed it only to test pages that I created or my clients created. I also changed the default download folder, as recommended above. I have no current interest in doing regular browsing with Safari, or with IE for that matter. So my risk is extremely minute, I think.

4css




msg:3680916
 6:30 pm on Jun 22, 2008 (gmt 0)

I only use firefox for browsing. IE6 is for viewing pages in. I need to get IE7 going somehow. Safari would not be for browsing, and I would follow the advice above as stated for the downloads folder.

Thanks for your reply Tedster, it is appreciated. :)

cjwong




msg:3691401
 1:32 am on Jul 6, 2008 (gmt 0)

What's even more annoying is that this weekend, Apple software update on my pc (I have quicktime installed), tried to install Safari on my computer, suggesting that it needed an 'update'.

tedster




msg:3691445
 3:59 am on Jul 6, 2008 (gmt 0)

Yes, those Safari "updates" are very poorly thought out. I've had the same experience, where I update Safari and immediately get told I need to update Safari - and the loop never ends until I just ignore it.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / HTML
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved