Apple had previously said that the vulnerability, found by security consultant Nitesh Dhanjani and dubbed the “carpet bombing” bug, would not be treated as a security issue, but rather filed as an enhancement request.
Certifiedbug: Apple’s Safari Carpet Bomb
A second researcher, Aviv Raff, found a way to execute files on the desktop without notifying the user.
Safari pwns Internet Explorer
Microsoft released a Security Advisory (953818) on May 30th:
Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform
Apple:
To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user’s Downloads folder on Windows Vista, and to the user’s Documents folder on Windows XP. This issue does not exist on systems running Mac OS X.





