Apple Safari and Microsoft Windows Client-side Code Execution Vulnerability

A vulnerability affecting Apple Safari on the Microsoft Windows operating system stems from a combination of security issues in Safari and in all versions of Windows XP and Vista. Together, these issues allow executables to be downloaded to a user's computer and run without prompting.

A vulnerability in Safari, known as the 'carpet-bombing' issue reported by Nitesh Dhanjani, allows an attacker to silently place malicious DLL files on a victim's computer. A problem in Internet Explorer, reported in December of 2006 by Aviv Raff, can then be used to run those malicious DLLs.

An attacker can exploit this issue by tricking a victim into visiting a malicious page with Safari; the malicious files will run when the victim starts Internet Explorer.


 

Copyright 2010, SecurityFocus