Microsoft urges Windows users to shun 'carpet bombing' Safari

Microsoft's security team is advising users to stop using Apple's Safari browser pending investigation into a quirk that allows miscreants to litter their desktop with hundreds of executable files. Windows users who visit a booby-trapped site with Safari could be forced to download and execute malicious files with no prompting …

COMMENTS

  1. Anonymous Coward
    Thumb Down

    FUD

    ... it's got to be!

    Everyone knows Apple doesn't produce buggy software with security holes. Praise the mighty Jobs and his Mactards.

    Big inaccuracy in the software Safari is far from mainstream in its use, but it was snuck onto millions of computers by deceptive stealth! Most people still believe Safari is a trip to Africa where you see lions and tigers and elephants.

  2. Chris C

    Typical Microsoft -- security advisory with no details

    I'm in the uncomfortable position of agreeing with Microsoft on this issue. If a browser (any browser) allows a website to randomly download files without the user's explicit permission, regardless of the location, it is a security issue in my opinion. Having said that, I take issue with Microsoft's security advisory. The only thing they say is:

    "What causes this threat?

    A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed."

    OK, but how about telling us the how or why? Since it is a direct contributor which causes the blended threat, I don't think it's asking too much to want to know exactly "how the Windows desktop handles executables" and how that contributes to the threat.

  3. Player_16
    Flame

    Not entirely... if at all!

    "And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

    After downloading, it asks YOU if you want to open or load it. Being a Mac user, I'll safely ignore it - meaning read the little pop-up and reject it.

  4. Anonymous Coward
    Thumb Down

    Apple, GNU/Linux? No? Blame M$.

    It's funny how the same browser does not have the same problems on OSX and the more complete Konqueror does not do the same on GNU/Linux systems. Same code, different OS, where could the problem be?! Thanks for the FUD, M$, but security is not your strong point. The more of these problems they point out, the faster users will run for the exits.

  5. Anonymous Coward
    Anonymous Coward

    So where were Microsoft all this time...

    When their own products were found to have exploits using flaws of Biblical proportions? No one saw them saying, "Use Java" or anything when ActiveX and IE screwed up.

  6. Tony Paulazzo
    Jobs Horns

    Kill the iTards... (only joking)

    That's right AC, blame M$. So what you're saying is that Steve Jobs put this in on purpose, so that more people would migrate from Windows to Macs? Sorry, not going to happen.

    I love Bill Gates, being an IT guy he's given me a nice standard of living - not sure I'd get the same from Macs.

    Blatantly anti i...anything.

  7. Michael
    Joke

    @FUD

    "A TIGER??.... in Africa, sir? "....

    I'd say you were pulling my leg, only someone seems to have made off with it.

  8. Adam Azarchs
    Stop

    Re: Apple, GNU/Linux? No? Blame M$.

    Read the article. This exploit works on Safari OSX as well.

    Granted, on OSX any executable downloaded this way will be marked with an attribute which will warn you before letting you execute it... but Windows supports such a flag too. Safari just doesn't set it in Windows. No, this is Apple's fault.

    Safari is the least secure browser in common usage in the world (see: Pwn2Own competition). Apple clearly doesn't take security seriously, what with outright ignoring threats like this, and suing other security researchers. Granted MS and others used to do that too, a long time ago, but they, and most observers, learned from the mistakes of that era.
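The comment above says Windows has its own "downloaded from the Internet" marker that a browser is expected to set. The following is an added example, not part of the thread or of any vendor's code: a PowerShell check that lists executable-type files in a folder and reports which ones carry no such marker. It assumes the marker meant is the NTFS `Zone.Identifier` alternate data stream; the function names, extension list and demo files are constructed for illustration.

```powershell
# Added example (not from the thread). Assumption: the "flag" is the NTFS
# Zone.Identifier alternate data stream, whose content looks like:
#   [ZoneTransfer]
#   ZoneId=3        (3 = Internet zone)

# Illustrative list of file types the shell will run or load when opened.
$ExecutableExtensions = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.lnk', '.dll'

function Get-ZoneId {
    # Returns the ZoneId recorded on a file, or $null when no marker is present.
    param([Parameter(Mandatory)][string]$LiteralPath)

    $stream = Get-Item -LiteralPath $LiteralPath -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }

    foreach ($line in Get-Content -LiteralPath $LiteralPath -Stream 'Zone.Identifier') {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Find-UnmarkedExecutable {
    # Lists executable-type files in a folder with their zone marker state,
    # newest first, so a burst of unmarked drops stands out.
    param([string]$Folder = [Environment]::GetFolderPath('Desktop'))

    Get-ChildItem -LiteralPath $Folder -File |
        Where-Object { $ExecutableExtensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $zone = Get-ZoneId -LiteralPath $_.FullName
            [pscustomobject]@{
                Name     = $_.Name
                Created  = $_.CreationTime
                ZoneId   = $zone
                Unmarked = ($null -eq $zone)
            }
        } |
        Sort-Object Created -Descending
}

# Constructed demo: two placeholder files in a temp folder, one marked the way
# a marker-aware browser would mark it, one left bare.
$demo = Join-Path ([IO.Path]::GetTempPath()) ("zone-demo-" + [Guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'marked.exe')   -Value 'placeholder'
Set-Content -LiteralPath (Join-Path $demo 'unmarked.exe') -Value 'placeholder'
Set-Content -LiteralPath (Join-Path $demo 'marked.exe') -Stream 'Zone.Identifier' -Value '[ZoneTransfer]', 'ZoneId=3'

Find-UnmarkedExecutable -Folder $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

Calling `Find-UnmarkedExecutable` with no argument audits the current user's Desktop; alternate data streams exist only on NTFS volumes, so files on other file systems always show as unmarked.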

  9. vincent himpe

    Crap(ple)

    another gold plated turd ...

  10. kain preacher

    @Anonymous Coward

    It's funny how the same browser does not have the same problems on OSX and the more complete Konqueror does not do the same on GNU/Linux systems. Same code, different OS, where could the problem be?! Thanks for the FUD, M$, but security is not your strong point. The more of these problems they point out, the faster users will run for the exits.

    Really, then how come IE and Firefox ask??

  11. Anonymous Coward
    Jobs Halo

    It's rare, but I'll take heed to what Mikroshaft says.

    I guess it's time for a tar&feathers facial job* to be applied to mr.jobsie-jobs.

    It should prevent him from filling the world with cute, wiggly, big-and-watery-eyes crapware.

    * think of it like some sort of martha-stewart-job applied to the king of metrosexuals.

  12. Robert
    Thumb Down

    Bad little borg

    I guess they had to recommend not using Safari since the only alternative was to recommend not using Windows, which, of course, would be the better choice. Actually, grats to Apple for exposing yet another Windows security hole.

  13. tempemeaty
    Alert

    To FUD or not to FUD...

    If an independent source proves this vulnerability is the case then we need to take notice. As much as I dislike M$ not everything is FUD. Trouble now is that we've had to deal with so much &#%$ FUD that the situation is primed for a disaster if this one just happens to be for real. Better to be safe than sorry.

  14. Nic
    Thumb Up

    @AC and others

    MS is doing the right thing (although I wouldn't doubt with a small degree of pleasure in this instance).

    AC I don't agree that it's MS's fault because the vuln isn't present on other platforms. It's for the application developers to ensure compatibility and security for their app and how it interacts with the OS and clearly here they missed the mark.

  15. FathomsDown
    Paris Hilton

    @AC RE: Blame M$

    "And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

    It's odd but my browser is showing that bit of text at the end of the story. I'm running IE, so it would seem that your non MS browser is either not able to display it or you're too busy frothing at the mouth to read the whole article!

  16. anarchic-teapot

    @Player_16

    It downloads something onto your computer whether you want it or not, but asks your permission before opening the file? So that's all right then.

    (Yes I have used Macs. No; I wouldn't use Safari on a Mac either. I have this strange unexplainable distrust of any web browser knitted into the operating system)

  17. Anonymous Coward
    Alert

    Er...

    "It's funny how the same browser does not have the same problems on OSX"

    Did you actually read the article? Specifically, this bit;

    "And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

  18. Anonymous Coward
    Anonymous Coward

    RE: Apple, GNU/Linux? No? Blame M$.

    "And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

  19. Ben
    Jobs Horns

    Amazing

    Blame Microsoft for a problem with Apple??! How is it a Microsoft problem?

    Apple wrote Safari no matter which OS it is on. Apple set it to automatically download. Apple apparently can't be bothered to fix the security hole.

    I'm not a big fan of Microsoft, but I really can't see how they can be blamed (this time)

  20. Derek Hellam

    Safari RE Fud

    This is just so funny, Microsoft a wee bit worried ? btw the only Tigers you find in Africa would be in Zoos. Tigers come from the Asian Areas, you Know, India, Russia, over that corner of the globe?

  21. kosmos
    Thumb Up

    Blame Apple

    It's funny how the same browser does not have the same problems on OSX.

    Actually it does.

  22. Anonymous Coward
    Coat

    @AC

    "Most people still believe Safari is a trip to Africa where you see lions and tigers and elephants."

    People will be sorely disappointed if they expect to see tigers on an African safari...

    Mine's the leopard-skin one with the Thomsons gazelle in the pocket.

  23. Svein Skogen
    Jobs Horns

    This wouldn't have been so bad

    This wouldn't have been so bad, had most of the users that have Safari installed on their Windows machines actually CHOSEN to install it, instead of it being stealth-installed (same way iTunes gets installed if you are stupid enough to install QT!)

    In this case Apple should be rightfully flamed.

    //Svein

  24. Leo Davidson

    Re: Apple, GNU/Linux? No? Blame M$.

    Anonymous Moron, more like.

    How is it anyone's fault but Apple's if their web browser allows exe files (or any files for that matter) to be downloaded to the local disk without so much as a prompt? Allowing a site to drop one exe file on to a machine is a mistake since people may later think it's something else and run it. It also lets sites do this as many times as they want (the "carpet bombing" described in the article) which would certainly create a nuisance. I don't see how on earth you can blame Microsoft for that.

    What are Microsoft supposed to do, add extra prompts at the OS level whenever programs written by Apple's awful Windows software team attempt to write to the filesystem? (Actually, that might be a good idea. I just discovered that iTunes left every 50MB iPod firmware update I've ever downloaded in my *roaming* profile. Apple should be banned from writing Windows software at this point, with their track record, and I haven't even begun to describe the problems with Quicktime and iTunes.)

    And did you not read the last paragraph of the article which says the issue affects OS X as well? "Dhanjani says the carpet bombing scenario can play out on OS X, too."

    Finally, please, for the funking love of god, stop it with the overused and unoriginal "M$" cliche. It's soooo original. It makes you look sooooo clever and cool.

  25. daniel
    Flame

    @AC / Apple, GNU/Linux? No? Blame M$

    Ohh, a troll who did not read the last few lines before posting "Crimosoft Bad, OSX Good", unless he committed an ID 10 T error.

    "And before any Mac users decide this is an issue they can safely ignore, remember this: While Microsoft's recommendation obviously is limited to Windows users, Dhanjani says the carpet bombing scenario can play out on OS X, too."

  26. Anonymous Coward
    Gates Horns

    Mr Pot, Mr Kettle...

    ... meet the real Mr Black.

  27. Steven Hewittt
    Jobs Horns

    Is this a surprise..?

    Since when have Apple EVER written software for Windows that goes along with documented best practice? Have you seen the Bonjour service? The one Apple call "##Id_String2.6844F930_1628_4223_B5CC_5BB94B879762##" and you don't even know it's installed with no description or uninstaller? What about the iTunes interface? Not the useful bit, but the disregard to use the currently set Windows theme.

    The fact that Safari doesn't use security measures that Windows provides to secure a desktop should come as no surprise when referring to Apple "developers".

  28. Anonymous Coward
    Alert

    Safari

    Safari had a problem like this on the Mac too.

    If the file extension was one of the ones Safari would normally download without asking, the file would be downloaded even if the file type specified in the file (this is separate from the extension on OSX) meant it was executable. When Safari then tried to open the file the OS would do what the type was, not the extension. This meant a file with a .mov extension could actually be an executable.

    That took some time to be fixed too if I recall.

    I agree with MS here. No browser should ever download anything without my permission - if I want it I will ask for it, otherwise I don't want it.

  29. This post has been deleted by its author

  30. This post has been deleted by its author

  31. David
    Linux

    Of course OSX users can ignore it!

    Firstly, OSX doesn't tend to run the often malware infested .exe files. So having one or 1,000,000,000 of them on your desktop isn't an issue. Even if such a file could be run on the poor thing, it's not likely to be able to do much damage.

    Secondly.. Have you ever seen an OSX user's desktop? They seem to stick every single file they come across on the desktop! Literally thousands upon thousands of files. All their music, all their apps and associated files, all their videos, all their pictures, all their porn, all their documents. Not in individual folders, no. All of it on the desktop!

    Every single Mac desktop I've seen has been like this.

    So it wouldn't matter if they get hit by this bug, because they won't have a hope of noticing a few extra thousand files on their desktops!

    So yes, Mac users are perfectly safe from this threat.

  32. Anonymous Coward
    Anonymous Coward

    Huh?

    Someone uses Safari on Windows? I thought it was only idiots and people who didn't know better than to untick it when downloading Quicktime or iTunes?

    Surprise surprise some more crap from Apple, rotten to the core.

  33. Steven Knox
    Boffin

    Standards Compliance

    Derek -- You clearly have not had the required minimum exposure to Monty Python. Please refrain from visiting tech sites until you have spent at least 96 hours (preferably in a row) absorbing their work. Their treatise on tigers in Africa is an absolute necessity in the modern world of IT. You may also find the BBC's seminal 4-volume treatise on the history of the Black Adder and the collected works of Douglas Adams greatly enrich your experience of the Register and sites like it.

  34. KenBW2
    Linux

    M$? Nah, Apple are worse

    I hate the way Apple is all lauded and they couldn't possibly do anything wrong. Apple's business practices are even worse than MS's

    "I have a certain distrust of a browser that's knitted into the OS"

    Well, the icon says it all :)

  35. Peter da Silva
    Thumb Down

    Microsoft needs to get their own house in order

    It's a minor issue compared to a number of others that ALL browsers on Windows have. If Microsoft is serious about security then they need to:

    1. Immediately transition away from ActiveX, with as short a timeframe as possible.

    2. Replace ShellExecute() with something similar to UNIX's exec(). They already HAVE the code, in the POSIX subsystem.

    3. Eliminate "security zones" as a security model - there must be no circumstance in which the location of an object named in a web page automatically grants it privileges.

    4. Provide an alternate API for browsers to use to find and run helper applications that is not based on the desktop helper application bindings.

    All four of these are far bigger problems than having files downloaded without a prompt. Not only do they all provide paths to direct execution of untrusted code without user interaction, but they have all BEEN used for that purpose hundreds of times over the past decade.

    I am not sure it's possible to implement a really secure browser on Windows without completely bypassing all of Microsoft's recommended APIs.

  36. Anonymous Coward
    Anonymous Coward

    yet more evidence ..

    Yet more evidence of Microsoft's click and install INNOVA~1 .. :)

  37. Anonymous Coward
    Anonymous Coward

    Dhanjani says ..

    "Dhanjani says the carpet bombing scenario can play out on OS X, too"

    OK, what executables can run from the user's Desktop and permanently alter system files?

  38. Rune Moberg
    Thumb Down

    Mac users

    "After downloading, it ask YOU if you want to open or load it. Being a Mac user, I'll safely ignore it - meaning read the little pop-up and reject it."

    The only problem is, that most people aren't that clever. If your browser asks those questions for every file downloaded (remember the "carpet bombing" reference in the article?), then eventually, less experienced users will be coaxed into clicking "yes, I want to execute this file!" in a desperate attempt of making the question go away.

  39. Matthew Sinclair
    Thumb Down

    LOL

    Wait a second..... don't you mean IE7?

    Because that describes it perfectly.

    Morons...

  40. Ruairi Newman
    Flame

    Pissing contest

    It's a little pointless to criticise Microsoft for releasing a security advisory when they are correct. That they wouldn't release a security advisory detailing the bugs in various other commercial products that run on Windows, a well-known PDF-reader for example, just shows that they're taking the opportunity to get a dig in at a rival too, something Steve Jobs can't really complain about as he's done it himself countless times.

    It would be nice btw, to see just one Apple-related post where all people who can't afford a Mac didn't take the opportunity to vent their bitterness over the fact. I am a long-standing (14-years) Linux user, and a more recent Mac user (2 years), but I don't see the need to flame Windows users every chance I get.

    Flame because I'm sure I will be.

  41. RW
    IT Angle

    Kettle, Pot, Black: yes

    Sounds to me like both MS and Apple are guilty of a design philosophy that has tiresomely demonstrated, over and over, its capacity to fubar almost any machine. To wit, doing the user favors he didn't ask for. We might call this the "oh you poor dear, here, let me give you a hand" philosophy. An everyday example is the Boy Scout who forcibly drags an old lady across the street when all she was doing was checking out the shirtless dudes on the construction site there.

    Specific admonishments:

    Don't auto-download anything unless the browser is going to render it.

    Don't execute anything without the user explicitly asking for execution.

    Don't install software on the sly. [This one is mere sneakiness, not a bumptious attempt to make your machine "user friendly."]

    Don't design your systems for the clueless. The clueless are cluelesser than you can possibly imagine, so the only viable strategy is to assume a reasonable level of intelligence. [See footnote]

    Don't, ever, *guess* anything. When you guess, no matter how clever you are, you *will* guess wrong a considerable amount of the time.

    Don't, ever, try to guess what the user meant when he input wrong data. If it's wrong, it's wrong, just beep and say "error", and if Joe & Josephine Drooler-Sixpack don't understand, well, tough. As regards the internet in particular, it wasn't designed for idiots, it's not idiot proof, and don't try to fake idiot-proofness.

    I leave it as a class exercise to determine which company, Apple or MS, is more often guilty of this class of design error.

    I remember the good old days of Windows 3.1, that (iirc) didn't do you any favors at all. Ubuntu Linux also seems to be free of this mistaken idea.

    IT? icon because it's simply good manners to refrain from imposing unasked-for favors on others, not just an IT issue. They don't appreciate it, and doing so implies you think you know someone else's business (or how they want to lead their life) better than they do—an extremely patronizing attitude. Miss Manners (tm) will back me up on this.

    Footnote: since half the population has an IQ 100 or below, by definition, where does that leave us?

  42. Anonymous Coward
    Happy

    Ha ha, look at the Stupid and Angry Microtards.

    There must be a dozen people all shouting "Safari on OSX downloads files too" but I've never heard an OSX user complain about it. What's really funny though is that M$ is admitting an all too common remote execution problem Windoze has will wreck your machine. An OS that allows people to remotely execute code has more serious issues than brain dead dialogs.

    When I tried a booby trapped page with Konqueror, I got a "save this to disk" dialog from KDE. On Windoze, that dialog would come from the OS, so there's not much Apple can do about it. I'd say this was intentional sabotage followed by FUD, a typical M$ action. Sorry fanboys, M$ has zero credibility and everyone is better off without Windows.

  43. SpitefulGOD
    Gates Halo

    No threat!!!!!

    For it to be a security threat doesn't someone actually have to use this browser? I see no threat here what-so-ever.

  44. Dougle

    MS rather than apple

    It would seem to suggest that Apple cannot fix or avert an OS vulnerability. I'll be very interested to see how quick MS take to fix this and get people back using a browser other than IE

  45. Anonymous Coward
    Flame

    Dive in!

    I don't understand the rampant fanboyism in these comments... Microsoft admitted it was a flaw in the way its operating system handles executables, and said that combined with Safari's fantastic idea to dump crap on the user desktop by default there was a security risk.

    It's that simple... It's not Microsuck, Crimnosoft, M$ Dross, Appletard, Mactard, iDiots or Hippy-blood-sucking-creative-leeches-who-need-to-get-a-real-job. Pure and simply a shoddy design decision on Safari's part, coupled with a long term mishandling of executables on Windows' side.

    Still No reason why a browser should ever be putting unwanted files onto my desktop, and sheer arrogance on Apple's part in thinking it's not an important change to make.

  46. Mark Lee Smith
    Flame

    Over emphasis.

    This is rather disingenuous, while Safari on OSX will allow mass downloads the files won't litter your desktop and executables won't be launched automatically, making this problem little more than an unlikely annoyance. Even if by some miracle an executable was launched automatically, OSX issues a prompt the first time an untrusted executable is launched.

    I would imagine that UAC in Vista does the same kind of thing, preventing this from becoming even a minor security issue.

    Assuming the unexpected happens, cleaning up from a mass download is incredibly easy. Any reasonably computer literate person should be able to remove every file (even if there are millions of them) with a single command from the finder, from the terminal, or from automator.

    Windows users should be able to clean up just as easily from the command line so seriously, what's the issue here? Microsoft's comments reek of anti-competitive bullshit :(.

  47. benito darder oliver

    there is bigger problem in the way safari works

    because it starts to download, and doesn't ask what to do until the end... i think that's the real problem, and from this everything can only get worse...

  48. Martin Usher

    Desktop Handles Files???

    It's a directory. It shouldn't be any different from any other directory except that stuff in it gets displayed as icons on the desktop (i.e. the thing that builds the desktop uses the stuff in it as input data).

    What they're saying is that they still haven't got out of the habit of believing the file extension...if some random piece of data with the right file extension turns up then they've got to execute it, regardless. RW's rules of the road ("Kettle, Pot Black?") above should be mandatory for any computer but, of course, it will "spoil the user experience" (or should I say "reduce the opportunities our clients have to push stuff at the poor sucker of a consumer"?). He's right, as well. Using Linux for web browsing is really boring. No fuss, no excitement -- you just get web pages.

  49. Mark Lee Smith

    Downloads Window

    When a download starts in Safari the 'Downloads' window appears. If you want to prevent a download all you have to do is click.

    This would be impractical with a hundred downloads, but so would a hundred prompts. Likewise, approving downloads one at a time isn’t ideal when you want to download a lot of files.

    I’d like to see Apple add a delay before the download starts to give users more time to respond. A cancel/prevent all button would also be fun.

    In the end all Apple really needs to do is change the default download location and this problem becomes a non-issue. Microsoft's claims seem to center around the fact that the files end up on the desktop.

    All in all I think this is rather ridiculous in the light that the user is made well aware of the downloads and can easily stop them. This certainly won't stop me from using Safari or Webkit in general on Windows.

    On a side-note, there are a number of download managers that take over from Safari's ‘Downloads’ window on OSX. It’s not unreasonable to think this could prevent mass downloads.

  50. DavidCraig

    Separating the truth from the FUD

    From the article:

    "Windows users who visit a booby-trapped site with Safari could be forced to download..." (TRUE), "and execute..." (FUD), "malicious files with no prompting..." (TRUE, on windows), "Microsoft says".

    Details on the actual vulnerability can be found here:

    http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html

    The best FUD is hidden between two truths.

  51. Joshua Lee
    Thumb Up

    desktop littering

    To reply to a comment, the default download area since Leopard on OS X is no longer the desktop, it's the Downloads folder. Still, I don't even want that folder to be carpet-bombed by a malware site, so I use Firefox even on OS X; even though the chances of getting a virus are small. Besides, Firefox 3.0 RC1 is as pretty and small in memory usage on Macs as Safari, with more features! I can't wait 'till the release. :-)

  52. Robert Day

    Easy fix

    The easy fix would be to change the default download location. In "typical" scenarios, it is the Documents folders (ie. My Documents, or in Vista, Downloads under the user's folder). Simply change the default to that, and worry about how to deal with the 15 or so users currently running the Safari browser on Windows later....

    And for the record, as commented before, the "what do you want to do with this file" prompts do not, in fact, come "from" the OS per se. The browser determines what to do with each file, unfortunately, based on extension. As any IE7 user knows, "Internet Explorer prevented this site from downloading a file to your computer" (or some such lingo)... that's not the OS doing that.. that is the browser.

    just stop using Safari, just like Microsoft suggests, and all will be well on your computer... well, other than, maybe, the Windows OS... ;)

  53. Anonymous Coward
    Alert

    It's part of Apple's master plan...

    It's part of Apple's master plan...

    Get Safari on every windows PC

    Exploit a download vulnerability.

    Steal the user's Credit Card details

    Download OSX onto their comps and set it for "Auto install on next reboot"

    Charge them for OSX

    PayStar is an Apple Shell company to test this scenario....

  54. Hardeep Singh

    It's all Apple's fault

    Apple makes crap computers, the only reason their OS loopholes don't come to light is because it hasn't sold as much as Windows. Lesser the number of users, lesser the problems that come to light. The ones who were stupid enough to purchase a Mac won't speak against it because that would mean accepting their stupidity.

    Safari comes piggyback on another app and installs itself on a users PC without permission, makes itself the default browser and then downloads thousands of unwanted files to the desktop. That's exactly how a spyware behaves. MS is doing the right thing by asking user to not use Safari, in my view they should've taken a stricter action. Ideally Windows Defender should identify Safari as spyware and remove it from User's machines.

  55. John Watts
    Coat

    It's a war ...

    I'm a Mac user and I don't use Safari.

    The reason for that is Hotmail doesn't work (not just me, a few other people I know also have this problem).

    As people have stated OS X asks you whether you want to run an application that's been downloaded from the internet. Fine if you run OS X, not so fine if you run Windows.

    My guess is Apple can't be arsed 'cause MS have managed to stop Hotmail working with OS X (unless you delete all cookies in which case you can sign in once before it goes into some infinite loop of redirection).

    I guess it could be a bug in Safari but it's been about for a while (not that I've reported it; I just switched to Firefox instead - not that Firefox is what it used to be either) so I'd imagine it would have been fixed by now if it was.

    Maybe that's the real story behind this little spat.

    Tinfoil hat please.

  56. Mr Blonde

    what next?

    Moseley's distant cousin not allowed to harry the infidels up their Khyber pass?

  57. SomeOne
    Jobs Halo

    It's an IE bug

    According to Aviv Raff, the security researcher who reported this to Microsoft, the Safari vulnerability is combined with an old Internet Explorer vulnerability: http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExplorer.aspx

  58. Steve

    you installed it in windows because?

    The whole thing is a no-brainer. Opera, SeaMonkey (& Konqueror) all eclipse Safari, so what's the issue? "Why'd you allow it to install in the first place on a Windows system anyway?" is the question to ask.

  59. Anonymous Coward
    Anonymous Coward

    @John Watts

    What doesn't work with Hotmail and Safari?

    I have no problems

    Are you using the classic version?

    Read this

    This is the classic version of Windows Live Hotmail

    This version works better with your browser. The full version of Windows Live Hotmail runs on Internet Explorer 6.0 and higher (make sure you check the system requirements before you install it). The full version also works on Firefox 1.5.

  60. John Watts

    Aimee ...

    What would happen was every time I tried to sign in, it went into an infinite loop of redirections and never actually signed in.

    To get it to let me sign in I had to delete all of the .live.com cookies I could find. Then it would let me in. Until I signed in again. Then the same thing would happen.

    The only reason I switched to the super duper new fangled version was to stop it pestering me about using it.

    A friend also had the same problem on his newly purchased Mac which we both solved by switching to Firefox.

    I only use the hotmail account to sign up for things I expect to bombard me with crap anyway so it's not a massive problem.

    In any case, I guess you answered your own question - the full version doesn't work with Safari.

    Now, if the problem had presented itself to an average internet user they'd still be locked out as they'd never be able to get back in to switch to classic mode and probably wouldn't think to delete any cookies.

    The system requirements omit the Mac and Linux totally, or at least I couldn't see them immediately (and now the message doesn't show at all) and yet the newer version runs fine on Firefox on this Mac - so, the system requirements don't seem to mean much at all anyway.

    That said, MS do offer to let me upgrade to IE7 when using Safari, except when I get to the page there is of course no mention of OS X.

    So erm, what can I say? When I managed to sign in the newer version worked fine with Safari, it was just getting signed in.

    Maybe it works now. Maybe it doesn't? In the end it doesn't matter much 'cause I've got a few months of history on Firefox and won't be switching back to Safari unless Firefox does something to piss me off.

    But you can trust me when I say something doesn't work.

    Incidentally, it's Firefox 2 I'm using the full version on, not 1.5 so it goes some way to proving you can ignore what websites tell you about the browser you should be using.

  61. Kradorex Xeron

    Re: Input admin password

    Most everyday users DO NOT CARE about the OS itself, they know it can be simply reinstalled or patched up. HOWEVER, if I were an attacker going for maximum destruction, I would go for the user's own files first, as malware doesn't need a system administrative password under any OS to do anything with the current user's files.

  62. Mark Simon

    Firefox. Problem Solved


  63. Rick Leeming

    *sigh*

    And again a possibly useful article is ruined by the MSvApple debate. If you REALLY want to be secure then Solaris is your friend. Macs aren't much more secure than Windows machines because the weakest link in the security chain is drooling on the keyboard opening things they don't understand. The Spyware and Virus share for the Mac is slowly growing, and they even had viruses back in the days of 7.5. The downfall of OSX and viruses will be Hubris on the part of the users. Yes you CAN be infected with a virus, you aren't immune. Someone will write a real nasty and let it out in the wild at some point. When that happens the "We don't get viruses" argument will be the downfall of the machines. I'll be smiling as I reinstall and attempt to recover people's data off HDDs so they don't lose any more of their data.

  64. Rob Cooper
    Stop

    FFS When Will People Learn?

    I love the way Mac Zealots instantly dive on MS before even reading the article since it simply CANNOT be a problem with Apple software right?

    Look, we are all into software. It doesn't take a genius to realise you can write buggy/flawed code no matter what company you work for.

    The article clearly states that the problem exists within BOTH Windows and OSX. This means that the root source is Safari, which the article also clearly states.

    MS have done the right thing issuing a warning, it's a security RISK. Risk must be managed. I would rather know about a risk than brush it under the carpet and hope it will go away (which sadly seems to be what Apple want to do).

    I think this is a nice display of how Windows/MS have had a real rough ride over the years. They have been at the forefront of the market, getting all the glorious backlash that comes with it. They are used to dealing with this sort of thing.

    Apple? Not so much. It's funny how now they are rising in popularity that suddenly more and more security holes are being found. It should come as no surprise, THEY HAVE NEVER REALLY BEEN TESTED BEFORE.

    Yes, I'm really not into Apple in any way shape or form. But I won't be an @ss and slate them. They've screwed up and need to fix it, not ignore it, the same as MS or any other software house should.

    'Nuff said.

  65. This post has been deleted by its author

  66. Mark
    Gates Horns

    Plebs

    You would have to be a pleb to be running Safari anyway, when Opera is a far better, more secure, faster and more widely available browser.

  67. Anonymous Coward
    Thumb Down

    Mark, you're the real pleb

    Taglines and cliches everywhere with this one!

    "far better, more secure, faster and more widely available browser"

    lord knows how it's better or more secure, we'd like proof please. it's not faster and how in the world is it more widely available? on the internet??

  68. mike brockington
    Alien

    Kettle, Pot, Black: yes

    Let me see if I have this right:

    An OS written by Microsoft lets some random third-party application download as much crap as it wants onto the desktop.

    The OS then allows the user to run an EXE that clearly isn't safe to run, without even politely asking the user if they are sure, and this has nothing to do with the OS?

    Sounds to me like Apple should write an entire OS themselves, so that Safari doesn't have to depend on Windows ...

  69. Robbin Nichol
    Happy

    safariiswank

    do a search for safariiswank, 'bout sums it up really.

  70. Mister_C
    Joke

    @ tigers ACs

    Maybe the original poster relied on weebl's Kenya masterpiece as reference.

    Wiki ain't the only source of dodgy info...

  71. Anonymous Coward
    Coat

    Yawn...

    Rah rah rah Apple suxs, MS is tha rulz!!! Apple is the baddy, boo!!! MS never fails..etc etc.. Stupid bandwagon jumping fanboys with their ever predictable responses.

    Safari automatically downloading to OSX is hardly an issue, it's not like the OS will execute it and even if the user tried to, it wouldn't load as it's not a Mac Exe. It downloading to Windows is annoying, and Apple should prompt the user over it though, but as others pointed out, the underlying issue comes from an existing Windows security exploit, shouldn't Microsoft have patched this by now? I don't think either party in this case should avoid blame for this.

    Anyway, as a Firefox, Opera, IE, Safari user under Windows who works in the Website industry, both Safari and Opera totally own both IE and Firefox in performance, Firefox is probably the most secure (and Opera is good too), but Safari for all its faults still provides a better user experience than IE ever does and a UI menu design that is competition to Firefox too.

    Even if Apple Software Update installed Safari onto people's PCs when they didn't want it, nothing's forcing them to keep using it, or even uninstalling it.

    Anyhow, should Apple start issuing security warnings for the plethora of IE exploits which regularly come out? Because if it's not Pot Kettle Black, then in all fairness they should both get the chance to do so!

  72. Anonymous Coward
    Anonymous Coward

    Friend told me

    how he had to clean a friend's Mac of crud that had been downloaded onto it. He found a load of spyware on it. There IS stuff that will wreck Macs, it's just not as widely available. If anything, Mac users are more at risk than Windows users from the above. Who's more likely to ignore a security warning and just run a file anyway? At the end of the day it doesn't matter what you say to the user, if they think they're secure they'll double click it and run it. Windows users have faced it all before, if you see a file saying omg_look_now_amazing_game you wouldn't open it, but a lot of people would, and a lot more Mac users would than PC users, because they don't think they need to worry about security. Well hey, occasionally you do.

  73. Anonymous Coward
    Flame

    Turd in a dress

    Let's be fair, Apple stuff looks pretty, but in general it's a turd in a dress. The fact that Apple hardware has unchangeable batteries so you have to replace them every year whether you want to or not, or the fact that they crippled BSD in order to make OSX. This is just another example of the turd in a dress history of Apple. I'm sure people who buy Apple gear are the same types who would make out with a drag queen...

  74. Rob Cooper
    Coat

    Pointless Comments FTW!

    I love the way like 95%+ of the flames are from AC :D

    Way to stand up for yourself..

    I can see there are a couple of people here that share my attitude.

    "I use what I use because I am an adult. I can make my own decisions. There are things here that need to be addressed (namely security) and they should be, by ALL parties concerned. However, my judgement is that the fault lies with [X]."

    The rest of you just sound like a bunch of hormonal teenagers that are obviously not getting enough love from wherever and need to vent on here.

    Repeat after me, "I am an adult, I AM an adult"..

    Do more people ever actually write comments on here worth reading? I am still kinda new to TheReg, need to know whether or not to unsub :)

  75. Tom Kelsall

    I'm sick of...

    ...reading the SHIT people post in these comments. Just WHO are you fanboys trying to impress with your constant drivel about which OS/Browser is better/faster/more secure/nicer?!

    Each user likes DIFFERENT THINGS (fkin DUH) because they're INDIVIDUAL. I like Windows well enough, and I like Firefox well enough; but that's down to ME... I'm not about to slag anyone else off for THEIR choice of OS/Browser. What we have here is a problem between two products. Maker of product (1) has published some information about how it interacts with product (2). They even admit some of the responsibility for it. I think they did the right thing.

    Now SHUT THE FK UP!!!

  76. Ivan Headache

    I wasn't going to comment but....

    "friend told me" obviously works for microsoft. What tosh! I've been servicing macs and supporting macusers for almost 15 years and I have never ever (put that in 120pt text) found a mac with spyware on it. Nor have I found one with a virus on it. If there is spyware on it it's windows spyware and windows crud. We had a brief interlude with a worm about 10 years back but it was nothing more than a hindrance, not a problem - and even then, I never saw it - just read about it - much the same as all the exploits that are currently "afflicting" macs all over the world.

    And "turd in a dress"? Again what tosh! More like turd in a mouth. I just nip down to maplin, buy a battery for about a fiver and fit it in the mac and away it goes. I've never read such rubbish (well I have - mostly from phreeky and that other idiot beginning with M (can't remember who he is)).

    And finally, what have you got against drag queens? Are you frightened of them?

  77. Mike Roantree

    Re Huh

    "Someone uses Safari on Windows? I thought it was only idiots and people who didn't know better than to untick it when downloading Quicktime or iTunes?

    Surprise surprise some more crap from Apple, rotten to the core."

    Still doesn't explain why anyone would install iTunes or QT in the first place, they are both steaming piles of crap.

  78. Anonymous Coward
    Anonymous Coward

    @David

    I work with plenty of PC users whose desktop matches that description. My own desktops (both mac and pc) have nothing on them.

    I want an icon with both Jobs and Gates together with halos held up by horns - their companies are both in the wrong over this.

  79. Anonymous Coward
    Gates Horns

    @ Turd in a dress

    You clearly don't know your facts, the only Mac model with a non-replaceable battery is the MBA, all other laptops/notebooks have replaceable batteries. And the crippled BSD core of OSX still beats the Windows kernel hands down.

    And yes.... all Apple users are secretly attracted to drag queens... LOL. Love the wintard resort to personal attacks combined with misinformed statements.

    PS. If a person who uses Apple gear is someone into drag queens, what's a person who likes to use both Windows and Mac OS then? :P

  80. Keith Doyle
    Alert

    Safari would be good if...

    I for one liked the less-is-more interface Safari had on Windows, and tried it for a while. There is reason to want to use it on Windows, as Firefox has become bloatware by now (and I hate tabs), and only the totally clueless or insane would use IE. However, I stopped using Safari when I found that it had trouble with some websites, and insisted on installing QuickTime (which took me some effort to remove so that it would stay removed). Frankly, it seemed a little too buggy so I figured I'd wait through a few updates (which, while it aggressively checked for updates, after several months I never saw it actually *do* any updating, even though it was clear it needed some). Based on that experience, I've concluded that support is so bad on it and I just don't think about it (or use it) anymore. And I've refused to use QuickTime ever since the wars it had with RealPlayer over which would be the default-- both have been permanently banned from any of my systems due to their user-interest-overriding arrogance.

  81. Adam Collett
    Happy

    CHEER!

    "Derek -- You clearly have not had the required minimum exposure to Monty Python. Please refrain from visiting tech sites until you have spent at least 96 hours (preferably in a row) absorbing their work. Their treatise on tigers in Africa is an absolute necessity in the modern world of IT. You may also find the BBC's seminal 4-volume treatise on the history of the Black Adder and the collected works of Douglas Adams greatly enrich your experience of the Register and sites like it."

    I heartily agree! All techies should have a basic grounding in cynical and sarcastic surreal behaviour!

  82. Steve Mann

    @ Anonymous Coward (Ha ha, look at the Stupid and Angry Microtards.)

    <<I've never heard an OSX user complain about it.>>

    That's probably because Apple make them sign NDAs.

    Seriously, is there any more defining characteristic that separates Mac users from PC users than the latter's willingness to talk publicly about the problems with their computers and the former's close-mouthedness?

    Yes, there are Apple-run forums in which Mac problems are discussed. Badly designed, almost-impossible to navigate forums in which one has to know exactly what one is looking for before one asks the search engine to find it.

    But if a suggestion of a problem with a Mac is made outside the Apple Cloister, it is met with cries of indignation and the FUD banner is unfurled.

    Burning batteries? Only a PC problem, idiot! Cooked thighs 'n' nuts? That's why we don't call Macbooks "laptops", dolt! Lid won't close? Hamfisted clown, this is precision equipment, not a PC toy! Power supply gone south for the third time in two years? Sign this NDA and we'll send you a new one!

    As for the guy who sneered that PCs were only used by people who couldn't afford a Mac, well, I just finished repairing a "better" Mac for a family member. Every part needed could be summed up as "PC equipment with a 300% Mac tax added on". I think I began laughing hysterically when I found the cost of a new CMOS battery was nearly 20 dollars (as opposed to about four dollars for the PC version). Yes, the Mac is expensive for entirely understandable engineering reasons.

    Then there was the innovative "suitcase" case design that placed the power supply, made - judging by the cost and weight - from depleted uranium, directly over the most fragile parts of the motherboard when it was swung open. One mis-step when removing or replacing the power supply (which burned out because for all the innovative engineering it no-doubt contained it was lacking any sort of fusible, replaceable element that would protect the electronics) and that was it for the wretched machine.

    Wouldn't touch one with a barge pole now.

  83. Alexis Vallance
    Go

    It'll be reet

    Yawn. Every few months we get something that's supposed to bring OS X or Windows to its knees.

    On Leopard, yes, I can still blindly stumble around the internet with no protection just as Mac users have been doing for 7 years. Still no sign of anything to worry about, no matter how many jealous nay-sayers wrongly cry "It's only because of the low market share". That argument is still a load of crap, but I doubt it'll ever go away.

    Windows ain't all that bad now since XP SP2 (don't even dare go on the internet before that's installed). Not all that bad as long as you have AVG and download Windows' frequent updates.

    I still prefer the carefree Mac experience, but to be honest, the vast majority of these scares are either nothing to worry about, because the chances of running into trouble are so remote, or a little marketing dig. And let's face it, Microsoft's 'Don't use Safari' announcement is more about that than any real security threat.

  84. Ken Hagan Gold badge
    Joke

    You're all missing the point

    The real story starts *next* month, on Patch Tuesday, when Microsoft's malware removal tool takes an elephant gun on Safari.

  85. Eric Murphy

    Threat to OS X? Doubtful.

    First: in OS X 10.5, the default downloads location is ~/Downloads, NOT the desktop. Second, OS X will not launch a downloaded executable without user interaction. Third, if a user does launch an application downloaded from the Internet, a prompt will display asking the user for permission to launch. Fourth, the system keeps track of the URL from which the file was downloaded. Fifth, the number of malicious executables which can run on OS X is low to nonexistent.

    1 through 5 make this a pretty toothless threat on OS X. On Windows, well, that's a different matter.

  86. jeanl

    microsoft problem will always be with you as long as...

    Microsoft should change the way it allows any software installation on a PC. Malware or cookies or any sort... should be quarantined in a secure temporary section until the user allows it to install with the PC id/pw plus an installation 4-digit code to permit it into the PC system.

  87. This post has been deleted by its author

  88. Anonymous Coward
    Gates Horns

    Man they make me laugh

    Man they make me laugh. Of course they want people to stop using another product that they themselves wish users to use. It's just so sad to hear them say it out loud. AHAHAHAHAA
