Channel Register

Microsoft urges Windows users to shun 'carpet bombing' Safari


Anonymous Coward

FUD 

Thumb Down

... it's got to be!

Everyone knows Apple doesn't produce buggy software with security holes. Praise the mighty Jobs and his Mactards.

Big inaccuracy in the software: Safari is far from mainstream in its use, but it was snuck onto millions of computers by deceptive stealth! Most people still believe Safari is a trip to Africa where you see lions and tigers and elephants.

Chris C

Typical Microsoft -- security advisory with no details 

I'm in the uncomfortable position of agreeing with Microsoft on this issue. If a browser (any browser) allows a website to randomly download files without the user's explicit permission, regardless of the location, it is a security issue in my opinion. Having said that, I take issue with Microsoft's security advisory. The only thing they say is:

"What causes this threat?

A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed."

OK, but how about telling us the how or why? Since it is a direct contributor which causes the blended threat, I don't think it's asking too much to want to know exactly "how the Windows desktop handles executables" and how that contributes to the threat.

Player_16

Not entirely... if at all! 

Flame

"And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

After downloading, it ask YOU if you want to open or load it. Being a Mac user, I'll safely ignore it - meaning read the little pop-up and reject it.

Anonymous Coward

Apple, GNU/Linux? No? Blame M$. 

Thumb Down

It's funny how the same browser does not have the same problems on OSX and the more complete Konqueror does not do the same on GNU/Linux systems. Same code, different OS, where could the problem be?! Thanks for the FUD, M$, but security is not your strong point. The more of these problems they point out, the faster users will run for the exits.

Anonymous Coward

So where were Microsoft all this time... 

When their own products were found to have exploits using flaws of Biblical proportions? No one saw them saying, "Use Java" or anything when ActiveX and IE screwed up.

Tony Paulazzo

Kill the iTards... (only joking) 

Jobs Horns

That's right AC, blame M$. So what you're saying is that Steve Jobs put this in on purpose, so that more people would migrate from Windows to Macs? Sorry, not going to happen.

I love Bill Gates, being an IT guy he's given me a nice standard of living - not sure I'd get the same from Macs.

Blatantly anti i...anything.

Michael

@FUD 

Joke

"A TIGER??.... in Africa, sir? "....

I'd say you were pulling my leg, only someone seems to have made off with it.

Adam Azarchs

Re: Apple, GNU/Linux? No? Blame M$. 

Stop

Read the article. This exploit works on Safari OSX as well.

Granted, on OSX any executable downloaded this way will be marked with an attribute which will warn you before letting you execute it... but Windows supports such a flag too. Safari just doesn't set it in Windows. No, this is Apple's fault.

Safari is the least secure browser in common usage in the world (see: Pwn2Own competition). Apple clearly doesn't take security seriously, what with outright ignoring threats like this, and suing other security researchers. Granted MS and others used to do that too, a long time ago, but they, and most observers, learned from the mistakes of that era.

vincent himpe

Crap(ple) 

another gold plated turd ...

kain preacher

@Anonymous Coward 

"It's funny how the same browser does not have the same problems on OSX and the more complete Konqueror does not do the same on GNU/Linux systems. Same code, different OS, where could the problem be?! Thanks for the FUD, M$, but security is not your strong point. The more of these problems they point out, the faster users will run for the exits."

Really? Then how come IE and Firefox ask??

Anonymous Coward

It's rare, but I'll take heed to what Mikroshaft says. 

Jobs Halo

I guess it's time for a tar&feathers facial job* to be applied to mr.jobsie-jobs.

It should prevent him from filling the world with cute, wiggly, big-and-watery-eyes crapware.

* think of it like some sort of martha-stewart-job applied to the king of metrosexuals.

Robert

Bad little borg 

Thumb Down

I guess they had to recommend not using Safari since the only alternative was to recommend not using Windows, which, of course, would be the better choice. Actually, grats to Apple for exposing yet another Windows security hole.

tempemeaty

To FUD or not to FUD... 

Alert

If an independent source proves this vulnerability is the case then we need to take notice. As much as I dislike M$ not everything is FUD. Trouble now is that we've had to deal with so much &#%$ FUD that the situation is primed for a disaster if this one just happens to be for real. Better to be safe than sorry.

Nic

@AC and others 

Thumb Up

MS is doing the right thing (although I wouldn't doubt with a small degree of pleasure in this instance).

AC I don't agree that it's MS's fault because the vuln isn't present on other platforms. It's for the application developers to ensure compatibility and security for their app and how it interacts with the OS and clearly here they missed the mark.

FathomsDown

@AC RE: Blame M$ 

Paris Hilton

"And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

It's odd, but my browser is showing that bit of text at the end of the story. I'm running IE, so it would seem that your non-MS browser is either not able to display it or you're too busy frothing at the mouth to read the whole article!

anarchic-teapot

@Player_16 

It downloads something onto your computer whether you want it or not, but asks your permission before opening the file? So that's all right then.

(Yes I have used Macs. No; I wouldn't use Safari on a Mac either. I have this strange unexplainable distrust of any web browser knitted into the operating system)

Anonymous Coward

Er... 

Alert

"It's funny how the same browser does not have the same problems on OSX"

Did you actually read the article? Specifically, this bit;

"And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

Anonymous Coward

RE: Apple, GNU/Linux? No? Blame M$. 

"And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

Ben

Amazing 

Jobs Horns

Blame Microsoft for a problem with Apple??! How is it a Microsoft problem?

Apple wrote Safari no matter which OS it is on. Apple set it to automatically download. Apple apparently can't be bothered to fix the security hole.

I'm not a big fan of Microsoft, but I really can't see how they can be blamed (this time).

Derek Hellam

Safari RE Fud 

This is just so funny, Microsoft a wee bit worried? BTW, the only tigers you find in Africa would be in zoos. Tigers come from the Asian areas, you know, India, Russia, over that corner of the globe?

kosmos

Blame Apple 

Thumb Up

It's funny how the same browser does not have the same problems on OSX.

Actually it does.

Anonymous Coward

@AC 

Coat

"Most people still believe Safari is a trip to Africa where you see lions and tigers and elephants."

People will be sorely disappointed if they expect to see tigers on an African safari...

Mine's the leopard-skin one with the Thomsons gazelle in the pocket.

Svein Skogen

This wouldn't have been so bad 

Jobs Horns

This wouldn't have been so bad, had most of the users who have Safari installed on their Windows machines actually CHOSEN to install it, instead of it being stealth-installed (same way iTunes gets installed if you are stupid enough to install QT!)

In this case Apple should be rightfully flamed.

//Svein

Leo Davidson

Re: Apple, GNU/Linux? No? Blame M$. 

Anonymous Moron, more like.

How is it anyone's fault but Apple's if their web browser allows exe files (or any files for that matter) to be downloaded to the local disk without so much as a prompt? Allowing a site to drop one exe file on to a machine is a mistake since people may later think it's something else and run it. It also lets sites do this as many times as they want (the "carpet bombing" described in the article) which would certainly create a nuisance. I don't see how on earth you can blame Microsoft for that.

What are Microsoft supposed to do, add extra prompts at the OS level whenever programs written by Apple's awful Windows software team attempt to write to the filesystem? (Actually, that might be a good idea. I just discovered that iTunes left every 50MB iPod firmware update I've ever downloaded in my *roaming* profile. Apple should be banned from writing Windows software at this point, with their track record, and I haven't even begun to describe the problems with Quicktime and iTunes.)

And did you not read the last paragraph of the article which says the issue affects OS X as well? "Dhanjani says the carpet bombing scenario can play out on OS X, too."

Finally, please, for the funking love of god, stop it with the overused and unoriginal "M$" cliche. It's soooo original. It makes you look sooooo clever and cool.

daniel

@AC / Apple, GNU/Linux? No? Blame M$ 

Flame

Ohh, a troll who did not read the last few lines before posting "Crimosoft Bad, OSX Good", unless he committed an ID 10 T error.

"And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

Anonymous Coward

Mr Pot, Mr Kettle... 

Gates Horns

... meet the real Mr Black.

Steven Hewittt

Is this a surprise..? 

Jobs Horns

Since when have Apple EVER written software for Windows that goes along with documented best practice? Have you seen the Bonjour service? The one Apple call "##Id_String2.6844F930_1628_4223_B5CC_5BB94B879762##" and you don't even know it's installed, with no description or uninstaller? What about the iTunes interface? Not the useful bit, but the disregard for using the currently set Windows theme.

The fact that Safari doesn't use security measures that Windows provides to secure a desktop should come as no surprise when referring to Apple "developers".

Anonymous Coward

Safari 

Alert

Safari had a problem like this on the Mac too.

If the file extension was one of the ones Safari would normally download without asking, the file would be downloaded even if the file type specified in the file (this is separate from the extension on OSX) meant it was executable. When Safari then tried to open the file, the OS would do what the type said, not the extension. This meant a file with a .mov extension could actually be an executable.

That took some time to be fixed too if I recall.

I agree with MS here. No browser should ever download anything without my permission - if I want it I will ask for it, otherwise I don't want it.

Math Campbell

Security Flaws... 

Well, it's obviously Apple in the bad here for the downloading-without-asking thing, especially since it'll download several dozen times!

That's a bug, clearly. And I'm a big Apple fan, I write Apple software; this is a bug. At the very least a user prompt should pop up asking the user if they want to download the file. Better yet, a preference setting to ignore sites if they try to force a download multiple times or something.

Saying that though, M$ share some blame because an executable shouldn't be able to launch itself (as some can on Windows), and even if it could, shouldn't be able to do any damage without the user inputting an admin password.

Rights management on Windows is abysmal; they've spent more time protecting the "rights" of content owners than the rights of Windows owners to not have files doing things they shouldn't! There's little to no form of file permissions at all, and this means a dubious file, if executed either by one of the many security holes, or by dumb user that thinks just cause it's called "Porn" and has a jpeg icon that it's a pretty pic, can then go on and wipe the file system, or install keyloggers or goodness knows what.

In summary, yes Apple screwed up here. But it's not a biggie on OS X, more annoying than anything; just means you have to delete a load of .exe's some dodgy site shat on you.

It's only on Windows it becomes a problem; there's a reason there's virtually no real viruses or trojans on OS X. It's not small user share, and it's not Steve Jobs' mythical RDF either. It's that OS X is pretty secure.

Windows on the other hand, with its >150,000 unique virii, isn't.

Odin Eidskrem

Mysterious File, I wanna make love to you.... 

Pirate

I don't think this would be a big issue for the stereotypical Register reader, but there are users out there, Windows and MacOS alike, whose first reaction when presented with a shiny new file on their desktop would be to open it.

For a Windows user, double-clicking it will run whatever is in that file, be it a trojan or one of those 'codec' files that certain websites want you to download to 'access' their content. Or possibly the new Indiana Jones trailer that your kid downloaded last night.

For a MacOS user the computer would ask them first if they would really want to open a file that came from the internet? after saying "yes, of course, how else am I going to find out what this shiny new file is?" the user will then execute trojan/'codec'/ Indiana Jones trailer (possibly in qt format).

On the bright side (at least for MacOS users) most of said trojans would probably be written with win32 in mind... so at least they'd (probably) just end up being confused as to why their file wouldn't open. Unless they're unlucky enough to run Boot Camp of course ;o) (that is, unless some crafty people see this as the perfect opportunity to get some malware onto Mac computers.. Does anyone know if Safari identifies if it is a win/mac version?)

Safari Update might be in order. On both platforms.

David

Of course OSX users can ignore it! 

Linux

Firstly, OSX doesn't tend to run the often malware infested .exe files. So having one or 1,000,000,000 of them on your desktop isn't an issue. Even if such a file could be run on the poor thing, it's not likely to be able to do much damage.

Secondly.. Have you ever seen an OSX user's desktop? They seem to stick every single file they come across on the desktop! Literally thousands upon thousands of files. All their music, all their apps and associated files, all their videos, all their pictures, all their porn, all their documents. Not in individual folders, no. All of it on the desktop!

Every single Mac desktop I've seen has been like this.

So it wouldn't matter if they get hit by this bug, because they won't have a hope of noticing a few extra thousands files on their desktops!

So yes, Mac users are perfectly safe from this threat.

Anonymous Coward

Huh? 

Someone uses Safari on Windows? I thought it was only idiots and people who didn't know better than to untick it when downloading Quicktime or iTunes?

Surprise surprise some more crap from Apple, rotten to the core.

Steven Knox

Standards Compliance 

Boffin

Derek -- You clearly have not had the required minimum exposure to Monty Python. Please refrain from visiting tech sites until you have spent at least 96 hours (preferably in a row) absorbing their work. Their treatise on tigers in Africa is an absolute necessity in the modern world of IT. You may also find the BBC's seminal 4-volume treatise on the history of the Black Adder and the collected works of Douglas Adams greatly enrich your experience of the Register and sites like it.

KenBW2

M$? Nah, Apple are worse 

Linux

I hate the way Apple is all lauded and they couldn't possibly do anything wrong. Apple's business practices are even worse than MS's

"I have a certain distrust of a browser that's knitted into the OS"

Well, the icon says it all :)

Peter da Silva

Microsoft needs to get their own house in order 

Thumb Down

It's a minor issue compared to a number of others that ALL browsers on Windows have. If Microsoft is serious about security then they need to:

1. Immediately transition away from ActiveX, with as short a timeframe as possible.

2. Replace ShellExecute() with something similar to UNIX's exec(). They already HAVE the code, in the POSIX subsystem.

3. Eliminate "security zones" as a security model - there must be no circumstance in which the location of an object named in a web page automatically grants it privileges.

4. Provide an alternate API for browsers to use to find and run helper applications that is not based on the desktop helper application bindings.

All four of these are far bigger problems than having files downloaded without a prompt. Not only do they all provide paths to direct execution of untrusted code without user interaction, but they have all BEEN used for that purpose hundreds of times over the past decade.

I am not sure it's possible to implement a really secure browser on Windows without completely bypassing all of Microsoft's recommended APIs.

Anonymous Coward

yet more evidence .. 

Yet more evidence of Microsofts click and install INNOVA~1 .. :)

Anonymous Coward

Dhanjani says .. 

"Dhanjani says the carpet bombing scenario can play out on OS X, too"

OK, what executables can run from the users Desktop and permanently alter system files.

Rune Moberg

Mac users 

Thumb Down

"After downloading, it ask YOU if you want to open or load it. Being a Mac user, I'll safely ignore it - meaning read the little pop-up and reject it."

The only problem is, that most people aren't that clever. If your browser asks those questions for every file downloaded (remember the "carpet bombing" reference in the article?), then eventually, less experienced users will be coaxed into clicking "yes, I want to execute this file!" in a desperate attempt of making the question go away.

Matthew Sinclair

LOL 

Thumb Down

Wait a second..... don't you mean IE7?

Because that describes it perfectly.

Morons...

Ruairi Newman

Pissing contest 

Flame

It's a little pointless to criticise Microsoft for releasing a security advisory when they are correct. That they wouldn't release a security advisory detailing the bugs in various other commercial products that run on Windows, a well-known PDF-reader for example, just shows that they're taking the opportunity to get a dig in at a rival too, something Steve Jobs can't really complain about as he's done it himself countless times.

It would be nice btw, to see just one Apple-related post where all people who can't afford a Mac didn't take the opportunity to vent their bitterness over the fact. I am a long-standing (14-years) Linux user, and a more recent Mac user (2 years), but I don't see the need to flame Windows users every chance I get.

Flame because I'm sure I will be.

RW

Kettle, Pot, Black: yes 

IT Angle

Sounds to me like both MS and Apple are guilty of a design philosophy that has tiresomely demonstrated, over and over, its capacity to fubar almost any machine. To wit, doing the user favors he didn't ask for. We might call this the "oh you poor dear, here, let me give you a hand" philosophy. An everyday example is the Boy Scout who forcibly drags an old lady across the street when all she was doing was checking out the shirtless dudes on the construction site there.

Specific admonishments:

Don't auto-download anything unless the browser is going to render it.

Don't execute anything without the user explicitly asking for execution.

Don't install software on the sly. [This one is mere sneakiness, not a bumptious attempt to make your machine "user friendly."]

Don't design your systems for the clueless. The clueless are cluelesser than you can possibly imagine, so the only viable strategy is to assume a reasonable level of intelligence. [See footnote]

Don't, ever, *guess* anything. When you guess, no matter how clever you are, you *will* guess wrong a considerable amount of the time.

Don't, ever, try to guess what the user meant when he input wrong data. If it's wrong, it's wrong, just beep and say "error", and if Joe & Josephine Drooler-Sixpack don't understand, well, tough. As regards the internet in particular, it wasn't designed for idiots, it's not idiot proof, and don't try to fake idiot-proofness.

I leave it as a class exercise to determine which company, Apple or MS, is more often guilty of this class of design error.

I remember the good old days of Windows 3.1, that (iirc) didn't do you any favors at all. Ubuntu Linux also seems to be free of this mistaken idea.

IT? icon because it's simply good manners to refrain from imposing unasked-for favors on others, not just an IT issue. They don't appreciate it, and doing so implies you think you know someone else's business (or how they want to lead their life) better than they do—an extremely patronizing attitude. Miss Manners (tm) will back me up on this.

Footnote: since half the population has an IQ 100 or below, by definition, where does that leave us?

Anonymous Coward

Ha ha, look at the Stupid and Angry Microtards. 

Happy

There must be a dozen people all shouting "Safari on OSX downloads files too" but I've never heard an OSX user complain about it. What's really funny though is that M$ is admitting an all too common remote execution problem Windoze has will wreck your machine. An OS that allows people to remotely execute code has more serious issues than brain dead dialogs.

When I tried a booby trapped page with Konqueror, I got a "save this to disk" dialog from KDE. On Windoze, that dialog would come from the OS, so there's not much Apple can do about it. I'd say this was intentional sabotage followed by FUD, a typical M$ action. Sorry fanboys, M$ has zero credibility and everyone is better off without Windows.

SpitefulGOD

No threat!!!!! 

Gates Halo

For it to be a security threat doesn't someone actually have to use this browser? I see no threat here what-so-ever.

Dougle

MS rather than apple 

It would seem to suggest that Apple cannot fix or avert an OS vulnerability. I'll be very interested to see how quick MS are to fix this and get people back using a browser other than IE.

Anonymous Coward

Dive in! 

Flame

I don't understand the rampant fanboyism in these comments... Microsoft admitted it was a flaw in the way its operating system handles executables, and said that combined with Safari's fantastic idea to dump crap on the user desktop by default there was a security risk.

It's that simple... It's not Microsuck, Crimnosoft, M$ Dross, Appletard, Mactard, iDiots or Hippy-blood-sucking-creative-leeches-who-need-to-get-a-real-job. Pure and simply a shoddy design decision on Safari's part, coupled with a long term mishandling of executables on Windows' side.

Still No reason why a browser should ever be putting unwanted files onto my desktop, and sheer arrogance on Apple's part in thinking it's not an important change to make.

Mark Lee Smith

Over emphasis. 

Flame

This is rather disingenuous: while Safari on OSX will allow mass downloads, the files won't litter your desktop and executables won't be launched automatically, making this problem little more than an unlikely annoyance. Even if by some miracle an executable was launched automatically, OSX issues a prompt the first time an untrusted executable is launched.

I would imagine that UAC in Vista does the same kind of thing, preventing this from becoming even a minor security issue.

Assuming the unexpected happens, cleaning up from a mass download is incredibly easy. Any reasonably computer-literate person should be able to remove every file (even if there are millions of them) with a single command from the Finder, from the terminal, or from Automator.

Windows users should be able to clean up just as easily from the command line, so seriously, what's the issue here? Microsoft's comments reek of anti-competitive bullshit :(.

benito darder oliver

there is bigger problem in the way safari works 

Because it starts to download, and doesn't ask what to do until the end... I think that's the real problem, and from this everything can only get worse...

Martin Usher

Desktop Handles Files??? 

It's a directory. It shouldn't be any different from any other directory except that stuff in it gets displayed as icons on the desktop (i.e. the thing that builds the desktop uses the stuff in it as input data).

What they're saying is that they still haven't got out of the habit of believing the file extension... if some random piece of data turns up with the right file extension then they've got to execute it, regardless. RW's rules of the road ("Kettle, Pot, Black?") above should be mandatory for any computer but, of course, it will "spoil the user experience" (or should I say "reduce the opportunities our clients have to push stuff at the poor sucker of a consumer"?). He's right, as well. Using Linux for web browsing is really boring. No fuss, no excitement -- you just get web pages.

Mark Lee Smith

Downloads Window 

When a download starts in Safari the 'Downloads' window appears. If you want to prevent a download all you have to do is click.

This would be impractical with a hundred downloads, but so would a hundred prompts. Likewise, approving downloads one at a time isn’t ideal when you want to download a lot of files.

I’d like to see Apple add a delay before the download starts to give users more time to respond. A cancel/prevent all button would also be fun.

In the end all Apple really needs to do is change the default download location and this problem becomes a non-issue. Microsoft's claims seem to center around the fact that the files end up on the desktop.

All in all I think this is rather ridiculous in the light that the user is made well aware of the downloads and can easily stop them. This certainly won't stop me from using Safari or Webkit in general on Windows.

On a side note, there are a number of download managers that take over from Safari's 'Downloads' window on OSX. It's not unreasonable to think this could prevent mass downloads.

DavidCraig

Separating the truth from the FUD 

From the article:

"Windows users who visit a booby-trapped site with Safari could be forced to download..." (TRUE), "and execute..." (FUD), "malicious files with no prompting..." (TRUE, on windows), "Microsoft says".

Details on the actual vulnerability can be found here:

http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html

The best FUD is hidden between two truths.
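Several commenters above describe the same observable symptom of a carpet bomb: a burst of executable files appearing in the download directory (the Windows desktop, by Safari's default) within a short time, which the user is then expected to notice and clean up. The script below is an added example written for this page, not code from the Register, from Dhanjani's writeup, or from Apple or Microsoft. It checks a directory for that pattern, moves any matching files into a quarantine folder under a non-executable name, and shows how the Windows "mark of the web" that Adam Azarchs mentions can be read (the NTFS `Zone.Identifier` stream, which only exists on Windows; elsewhere the check simply reports False). The extension list, the ten-file threshold, the sixty-second window, and the sample desktop it builds in a temporary directory are all constructed assumptions for illustration.

```python
"""Added example: detect and quarantine a 'carpet bomb' burst of executables.
Nothing here is from the thread or from Apple/Microsoft; paths, thresholds and
sample files are constructed for illustration."""
import os
import shutil
import tempfile
import time
from pathlib import Path

# Extensions the Windows shell will run on double-click (assumed, not exhaustive).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs", ".hta"}


def has_mark_of_the_web(path):
    """True if the file carries an NTFS Zone.Identifier stream with ZoneId=3
    (Internet zone). The stream is opened as '<file>:Zone.Identifier', which
    only works on NTFS; on any other filesystem the open fails and we return False."""
    try:
        with open(f"{path}:Zone.Identifier", "r") as stream:
            return "ZoneId=3" in stream.read()
    except OSError:
        return False


def find_carpet_bomb(directory, window_seconds=60, threshold=10, now=None):
    """Return executables modified within the last `window_seconds`, sorted by
    name, if at least `threshold` of them exist; otherwise an empty list."""
    now = time.time() if now is None else now
    recent = []
    for entry in Path(directory).iterdir():
        if not entry.is_file() or entry.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        if now - entry.stat().st_mtime <= window_seconds:
            recent.append(entry)
    return sorted(recent) if len(recent) >= threshold else []


def quarantine(files, quarantine_dir):
    """Move the files out of the download directory, append a suffix so the shell
    no longer treats them as executable, and drop permissions to owner read/write."""
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    moved = []
    for f in files:
        dest = quarantine_dir / (f.name + ".quarantined")
        shutil.move(str(f), str(dest))
        os.chmod(dest, 0o600)  # clears execute bits on POSIX; harmless on Windows
        moved.append(dest)
    return moved


def build_sample_desktop(root, count=12):
    """Construct a fake desktop: `count` fresh .exe drops, two benign files, and
    one executable downloaded an hour ago (mtime set back with os.utime)."""
    desk = Path(root) / "Desktop"
    desk.mkdir()
    for i in range(count):
        (desk / f"drop{i:02d}.exe").write_bytes(b"MZ")  # constructed stub, not a real PE
    (desk / "notes.txt").write_text("harmless")
    (desk / "photo.jpg").write_bytes(b"\xff\xd8")
    old = desk / "installer_from_last_month.exe"
    old.write_bytes(b"MZ")
    past = time.time() - 3600
    os.utime(old, (past, past))
    return desk


def run_demo(count=12):
    """Build the sample desktop, run detection and quarantine, and report counts."""
    with tempfile.TemporaryDirectory() as root:
        desk = build_sample_desktop(root, count)
        suspects = find_carpet_bomb(desk)
        moved = quarantine(suspects, Path(root) / "quarantine")
        remaining = find_carpet_bomb(desk)
        return {"suspects": len(suspects), "moved": len(moved), "remaining": len(remaining)}


if __name__ == "__main__":
    print(run_demo())
```

The old installer and the two non-executable files are left alone, so the check does not become the "delete everything on the desktop" sledgehammer one commenter suggests; and a drop of fewer than ten files is ignored, since a single prompted download is exactly the normal case the thread contrasts with carpet bombing. On a real Windows box you would point `find_carpet_bomb` at `%USERPROFILE%\Desktop` and could additionally require `has_mark_of_the_web(f)` to be True before quarantining, to confine the sweep to files the browser actually fetched from the Internet zone.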
