Monday, June 02, 2008

Internet Explorer Flaw Plus Safari Equals Trouble

An undisclosed vulnerability in Internet Explorer, combined with Safari for Windows' ability to download files without prompting, apparently allows the bad guys to take over Windows. This affects XP, Vista and IE versions 6 and 7. The unnamed Internet Explorer bug has been around for a while. Because the Windows version of Safari offers no option to prompt before downloading a file, the two issues together can be used to take over Windows, reports Aviv Raff.

The flaw in Internet Explorer uses the calculator program in conjunction with Safari for Windows to turn two moderate vulnerabilities into a critical one. Microsoft has issued a bulletin, but it doesn't really say too much. Even if Microsoft patches IE, there's still Safari's "carpet bomb" issue that can allow unwanted downloads. Right now, Apple doesn't appear to want to fix this. Simply adding an option to prompt before every download would help prevent this. StopBadware urged Apple on its blog to do so.

You have to visit a specially crafted web page for this exploit to work, so it is not an all-out fiasco. So far, there is no known use of this problem. Right now, the only guaranteed fix is to uninstall Safari for Windows. This may not be a bad idea, since there could be more bugs like this that can be exploited in Safari for Windows, said Raff in an interview with Macworld.