More Security Issues for Apple Safari Browser on Windows

May 15, 2008


Safari Carpet Bomb

According to well-known security researcher Nitesh Dhanjani, Apple's Safari browser does not ask for user permission before downloading potentially dangerous resources from the internet. Dhanjani communicated 3 security issues to Apple, of which Apple agreed to fix only one.

Issue #1. It is possible for a rogue website to litter the user's Desktop (Windows) or Downloads directory (~/Downloads/ in OSX) with files, the "Safari Carpet Bomb", without the user's consent, because Safari is not configured to obtain the user's permission before it downloads a resource.
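A defender-side illustration, added here and not part of the original story: a sliding-window detector that flags the on-disk signature of a carpet bomb, many new files landing in Desktop or Downloads within a few seconds, run over constructed file-creation events. The watched directory paths, thresholds and sample file names are assumptions; a real deployment would feed it from a file-system watcher.

```python
from collections import deque
from dataclasses import dataclass
from typing import Iterable, List

# The directories the article names as the drop targets (constructed paths).
WATCHED_DIRS = ("/Users/alice/Downloads", "C:/Users/alice/Desktop")


@dataclass(frozen=True)
class FileEvent:
    ts: float   # creation time, seconds since epoch
    path: str   # full path of the newly created file


def in_watched_dir(path: str) -> bool:
    """True if the path lies directly under a watched Desktop/Downloads dir."""
    norm = path.replace("\\", "/")
    return any(norm.startswith(d + "/") for d in WATCHED_DIRS)


def detect_carpet_bomb(events: Iterable[FileEvent], threshold: int = 10,
                       window: float = 5.0) -> List[float]:
    """Return the timestamps at which a download burst was detected.

    A burst is `threshold` or more new files in a watched directory within
    `window` seconds; a user saving files one at a time never reaches it.
    The window is cleared after an alert so one bomb yields one alert.
    """
    recent: deque = deque()
    alerts: List[float] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not in_watched_dir(ev.path):
            continue
        recent.append(ev.ts)
        while recent and ev.ts - recent[0] > window:   # age out old events
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ev.ts)
            recent.clear()
    return alerts


# Constructed sample: two ordinary saves minutes apart, then 12 files
# dropped on the Desktop within three seconds by a single page visit.
SAMPLE_EVENTS = [
    FileEvent(1000.0, "/Users/alice/Downloads/report.pdf"),
    FileEvent(1300.0, "/Users/alice/Downloads/photo.jpg"),
] + [FileEvent(2000.0 + i * 0.25, f"C:\\Users\\alice\\Desktop\\drop{i}.exe")
     for i in range(12)]

if __name__ == "__main__":
    print(detect_carpet_bomb(SAMPLE_EVENTS))   # → [2002.25]
```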

Issue #2. Safari does not warn users when a local resource, such as an HTML file, attempts to invoke client-side scripting. Dhanjani points out that the issue is "more of a feature set request than a vulnerability," but "Sandbox not Applied to Local Resources" is nevertheless an important security feature, because many users consider clicking on a local HTML file to be lower risk.

Issue #3. Dhanjani declined to disclose the specifics of this vulnerability, but he said it is a high-risk vulnerability in Safari "that can be used to remotely steal local files from the user's system." He will post an update on the undisclosed issue if he hears back from Apple's security team again. You can follow this story on Nitesh Dhanjani's blog.

Use of Safari on Windows has tripled since mid-March, when Apple pushed it out for distribution via its Software Update service. Apple promoted the Safari installation through the iTunes updater, but ended that practice on April 18 with the latest version of the Software Update tool for Windows, which clearly states what users are downloading.

Executive Editor: Daniel Toljaga | Senior Editor: Harel Leipzig | Associate Editor: Susanne Brooks