Apple released a patch for the Windows version of its Safari Web browser on Thursday, fixing four flaws including one that allows attackers to place an unlimited number of untrusted executable files on the desktop.
Apple had previously told the flaw finder that the issue, dubbed the"carpet bombing" bug security consultant Nitesh Dhanjani, would not be fixed. A second researcher, Aviv Raff, found a way to execute files on the desktop without notifying the user. Microsoft argued that the combination of the two flaws constituted a legitimate security weakness that needed to be fixed.
"To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file," Apple stated in its advisory. "Also, the default download location is changed to the user's Downloads folder on Windows Vista, and to the user's Documents folder on Windows XP. This issue does not exist on systems running Mac OS X."
The company also fixed three other flaws, an information disclosure vulnerability and two remote-execution bugs.
Finding security holes in the top four browsers has become increasingly popular over the past few years. In June 2007, less than a day after Apple released the beta version of its Safari Web browser for Windows, researchers detailed numerous vulnerabilities in the program. In early 2007, VeriSign's iDefense subsidiary offered a bonus to its vulnerability bounty hunters for any critical flaws found in Internet Explorer 7. Browser makers have consistently focused on using their handling of software bugs as a measure of security.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos