Security Advisory

Microsoft Security Advisory 953818

Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform

Published: May 30, 2008 | Updated: April 14, 2009

Version: 2.0

Microsoft has investigated public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default; it must be installed independently or through the Apple Software Update application. Customers running Safari on Windows should review this advisory.

We have issued Microsoft Security Bulletin MS09-014, Cumulative Security Update for Internet Explorer (963027), and MS09-015, Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426), to address this issue. For more information about this issue, including download links for security updates, please review MS09-014 and MS09-015.

Apple has released Safari 3.1.2 for Windows together with a security advisory; Safari 3.1.2 addresses the Safari side of this blended threat (the download behavior). Please see the Apple security advisory About the security content of Safari 3.1.2 for Windows for more information.

Mitigating Factors:

  • Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.

General Information

Overview

Purpose of Advisory: To provide customers with the initial notification and provide additional information regarding the impact to the affected Windows platforms.

Advisory Status: Advisory published.

Recommendation: Review the suggested actions and configure as appropriate.

References                          Identification
Microsoft Knowledge Base Article    953818
Microsoft Security Bulletin         MS09-014
Microsoft Security Bulletin         MS09-015
CVE Reference                       CVE-2008-2540

This advisory discusses the following software.

Related Software
Windows XP Service Pack 2
Windows XP Service Pack 3
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition Service Pack 2
Windows Vista
Windows Vista Service Pack 1
Windows Vista x64 Edition
Windows Vista x64 Edition Service Pack 1
Internet Explorer 6 for Windows XP Service Pack 2, Windows XP Service Pack 3, Windows XP Professional x64 Edition, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 7 for Windows XP Service Pack 2, Windows XP Service Pack 3, Windows XP Professional x64 Edition, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 7 for Windows Vista, Windows Vista Service Pack 1, Windows Vista x64 Edition, and Windows Vista x64 Edition Service Pack 1

Frequently Asked Questions

What is the scope of the advisory?
This advisory clarifies public reports of a blended threat that could allow remote code execution, affecting all supported editions of Windows XP and Windows Vista on which Safari for Windows is installed. For a complete list of affected software, review the software listed in the “Overview” section.

Is this a security vulnerability that requires Microsoft to issue a security update?
We have issued Microsoft Security Bulletin MS09-014, Cumulative Security Update for Internet Explorer (963027), and MS09-015, Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426), to address this issue.

What causes this threat?
Two behaviors that are harmless on their own combine into a blended threat. First, Safari for Windows saves downloaded content to its default download location (the user’s Desktop) without prompting, so a specially crafted Web site can place files on the local disk simply by being visited. Second, code in Windows and Internet Explorer that locates a library through the SearchPath function includes the current directory in its search order, so a file dropped into that directory can be picked up and executed. Together, these allow files to be downloaded to a user’s machine without prompting and then executed. Safari is available as a stand-alone install or through the Apple Software Update application.

What might an attacker do with this blended threat?
An attacker could trick a user into visiting a specially crafted Web site that downloads content to the user’s machine without prompting and causes that content to be executed locally with the same permissions as the logged-on user.

Suggested Actions

  • Apply the updates in Microsoft Security Bulletin MS09-014, Cumulative Security Update for Internet Explorer (963027), and MS09-015, Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426), that apply to your environment.
  • If using Apple Safari on Windows, ensure that it is version 3.1.2 or later. The latest Apple Safari update is available at Apple Safari Download.
  • Review the Microsoft Knowledge Base Article that is associated with this advisory.

Workarounds

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

  • Change the download location of content in Safari to a newly created directory
    1. Create a new directory, such as c:\SafariDownload.
    2. In Safari, click Edit, then Preferences.
    3. Under Save Downloaded Files to:, select the newly created directory.
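The following read-only triage script is an added example for the threat described in the “What causes this threat?” answer and for the workaround above; it is not code from Microsoft or Apple. It checks the three things a practitioner would want to verify on a Windows XP or Vista host: whether executable-type files have recently landed on the Desktop (Safari’s default download folder, which is where a no-prompt download would be carpet-bombed), which Safari version is installed, and whether the SafeProcessSearchMode hardening that ships with MS09-015 is enabled. It assumes Safari for Windows installs to “%ProgramFiles%\Safari\Safari.exe”, that the SafeProcessSearchMode value lives under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and that a value of 1 removes the current directory from the SearchPath search order; it is written against PowerShell 2.0 syntax so it runs on those platforms.

```powershell
# Added example for Microsoft Security Advisory 953818 (not Microsoft's or Apple's code).
# Read-only: reports conditions, changes nothing.
# Assumptions (see lead-in): Safari path, SafeProcessSearchMode location and meaning,
# Desktop as Safari's default download folder.

function Test-SafariBlendedThreat {
    param(
        [int]$Days = 7,                                              # look-back window for dropped files
        [string[]]$Extensions = @('.dll', '.exe', '.scr', '.cpl', '.ocx')  # types Windows/IE may load or run
    )

    $desktop = [Environment]::GetFolderPath('Desktop')
    $cutoff  = (Get-Date).AddDays(-$Days)

    # 1. Executable-type files that recently appeared on the Desktop. CreationTime catches
    #    a file newly written here; LastWriteTime catches one overwritten in place.
    $dropped = @(Get-ChildItem -Path $desktop -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (-not $_.PSIsContainer) -and
            ($Extensions -contains $_.Extension.ToLower()) -and
            ($_.CreationTime -ge $cutoff -or $_.LastWriteTime -ge $cutoff)
        })

    # 2. Installed Safari version; the advisory asks for 3.1.2 or later.
    $safariExe     = Join-Path $env:ProgramFiles 'Safari\Safari.exe'   # assumed install path
    $safariVersion = $null
    if (Test-Path $safariExe) {
        $safariVersion = (Get-Item $safariExe).VersionInfo.ProductVersion
    }

    # 3. SafeProcessSearchMode: the MS09-015 mitigation for the SearchPath side of the threat.
    #    Only meaningful once MS09-015 itself is installed.
    $smKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $searchMode = (Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).SafeProcessSearchMode

    New-Object PSObject -Property @{
        Desktop               = $desktop
        DroppedExecutables    = @($dropped | ForEach-Object { $_.FullName })
        SafariInstalled       = (Test-Path $safariExe)
        SafariProductVersion  = $safariVersion
        SafeProcessSearchMode = $searchMode
        SafeSearchEnabled     = ($searchMode -eq 1)
    }
}

$result = Test-SafariBlendedThreat
$result | Format-List Desktop, SafariInstalled, SafariProductVersion, SafeProcessSearchMode, SafeSearchEnabled, DroppedExecutables

if ($result.SafariInstalled -and -not $result.SafeSearchEnabled) {
    Write-Warning 'Safari is installed and SafeProcessSearchMode is not 1: apply MS09-014 and MS09-015, then move the Safari download folder off the Desktop (see Workarounds).'
}
if ($result.DroppedExecutables.Count -gt 0) {
    Write-Warning 'Executable-type files recently appeared on the Desktop; confirm each one is expected before it is opened or loaded.'
}
```

Run it in an elevated PowerShell session; the registry read needs no elevation, but the Desktop listing uses -Force so hidden files dropped by a download are not missed. A reported Safari version older than 3.1.2, a missing or zero SafeProcessSearchMode, or any unexpected .dll/.exe on the Desktop each warrant following the Suggested Actions above. The value names and paths are those documented with MS09-015 and the Safari for Windows installer as stated in the lead-in; verify them against the bulletin for your platform before relying on the result.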

Other Information

Acknowledgements:

  • Aviv Raff for working with us and reporting the blended threat of Safari and Microsoft Internet Explorer

Resources:

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (May 30, 2008): Advisory published.
  • V1.1 (June 6, 2008): Modified the steps in the workaround and added acknowledgment.
  • V1.2 (June 20, 2008): Advisory updated to provide link to related Apple security advisory.
  • V1.3 (July 2, 2008): Updated the Suggested Actions.
  • V2.0 (April 14, 2009): Added references and links to MS09-014 and MS09-015, which address the issue in this advisory.
