Also note Microsoft Security Advisory 953818 Combined Attack With Apple’s Safari on Windows Platform. Best practice is not to download files to the desktop. Instead, create a folder for your downloads and save them there. Organization is much easier that way and your desktop is both cleaner and your computer safer.
"Over the last weekend, a security researcher released proof of concept code that exploits this "feature" in Safari with another "feature" in Windows (yeah, a lot of "features" working together = a vulnerability).
The two "features" we're talking about here are these:
- In some cases, Internet Explorer will load DLLs from Desktop. This is an old "feature" that has been known since December 2006. It also works, as far as I'm aware, only with Internet Explorer 7 (and probably 8 beta) on Windows XP. My tests failed on Vista.
- Safari for Windows will, by default, save files on Desktop. This would not normally be a problem, but Safari does that without any prompts to the user (Firefox does the same, for example, but prompts the user before saving the file)."
Thursday, June 12, 2008
Safari on Windows - not looking good
If your preference is the Safari browser, please note the SANS report, indicating