Safari browser - not good.

General discussions not related to T-2
T2_Delavec
Elder
Posts: 12976
Joined: 17 Mar 2006 at 14:57
T-2: I already have it
Package: Optika 100/10

Reply by T2_Delavec » 2 Jun 2008 at 18:21

The experts call this a "carpet-bombing attack". So they break into your machine and then bombard it so thoroughly that all that's left is a view like this on Monday morning: :o

Here, I'm attaching the whole article - maybe someone else will come to their senses! :)

Microsoft Warns of Safari "Carpet-Bombing" Flaw
by Paul Thurrott

As if Windows users didn't already have enough good reasons to avoid Apple's Safari Web browser, Microsoft this week provided another, more important one: Malicious entities can use the browser to trigger a so-called "carpet bombing" attack on users' PCs and running applications and gain control of the machines.

According to the security researcher who discovered the problem, the Safari carpet-bombing flaw is actually one of three separate security concerns he found in the browser in mid-May. Nitesh Dhanjani said he reported the flaws to Apple at that time, and Apple pledged to fix one of the other flaws he discovered but didn't think the carpet-bombing flaw was "security related."

Dhanjani disagreed. "It is possible for a rogue Web site to litter the user's desktop [with executable applications]," Dhanjani wrote in a blog post describing the flaw. "This can happen because the Safari browser cannot be configured to obtain the user's permission before it downloads a resource. Safari downloads the resource without the user's consent and places it in a default location. The implication of this is obvious: malware downloaded to the user's desktop without the user's consent."

Apple's response to Dhanjani suggests that the company isn't interested in tackling this problem anytime soon. "We can file that as an enhancement request for the Safari team," Apple told him. "Please note that we are not treating this as a security issue but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated."

On Friday, Microsoft announced that it was taking the flaw more seriously because it's a "blended threat" that combines a Safari flaw with the way the Windows desktop handles executables. "Microsoft will take the appropriate measures to protect our customers," a Microsoft security advisory reads. "This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customers' needs."

Microsoft recommends a workaround while it works on a solution: Reconfigure the default location to which Safari downloads content to the local drive, as doing so will prevent the flaw from being exploited. I have a more elegant solution: Simply avoid Safari altogether and use a browser that's written by developers who better understand the security nuances of Windows. I recommend Mozilla Firefox, but Internet Explorer (IE) 7.0 is also acceptable. :namrec:
Optika 100/10
