Microsoft Security Advisory (953818)

Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform

Version: 2.0

Microsoft has investigated public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default; it must be installed independently or through the Apple Software Update application. Customers running Safari on Windows should review this advisory.

We have issued Microsoft Security Bulletin MS09-014, Cumulative Security Update for Internet Explorer (963027), and MS09-015, Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426), to address this issue. For more information about this issue, including download links for security updates, please review MS09-014 and MS09-015.

Apple Support has released a security advisory that addresses the vulnerability in Apple’s Safari 3.1.2 for Windows. Please see the Apple security advisory "About the security content of Safari 3.1.2 for Windows" for more information.

Mitigating Factors:

  • Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.

Other Information

Acknowledgements:

  • Aviv Raff for working with us and reporting the blended threat of Safari and Microsoft Internet Explorer

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (May 30, 2008): Advisory published.
  • V1.1 (June 6, 2008): Modified the steps in the workaround and added acknowledgment.
  • V1.2 (June 20, 2008): Advisory updated to provide link to related Apple security advisory.
  • V1.3 (July 2, 2008): Updated the Suggested Actions.
  • V2.0 (April 14, 2009): Added references and links to MS09-014 and MS09-015, which address the issue in this advisory.