ALARM Group ALERT - click for a description of ALARM, The Computing Alert System

Alert Number: 032508-01
Alert Date: 03/25/08
Alert Title: *UNPATCHED* vulnerabilities for Safari on Windows
Update-to: None.
OS/Platform/Application:  Apple Safari Web Browser (version 3.1 and earlier) on all Microsoft Windows Platforms
Category: ALERT
Severity: MEDIUM
Attention: Safari on Windows Users, Windows System Administrators, Desktop Support Personnel


Summary: Multiple Internet Security resources are reporting the recent discovery of at least two security vulnerabilities affecting the Windows version of Apple's popular Safari web browser.  The most likely mechanism of exploit for these vulnerabilities is the visitation of a maliciously-crafted website**.  If successful, the exploit could result in a range of negative outcomes including application crash and complete system takeover.  At the time of this writing (9:30 AM 3/25/08) no patch has been made available from the vendor to address these vulnerabilities.


Recommended Actions:   Safari for Windows users and System Administrators/Support Personnel should read the advisory information (safe links provided below) and use caution not to browse potentially malicious websites** via Safari for Windows until a patch has been provided from Apple to fix these vulnerabilities.


**It is important to note that recent research into the nature and trends of maliciously-crafted sites shows the majority of websites hosting maliciously-crafted software are ones users presume to be "legitimate" sites or advertisements for well-known and/or trusted products.  The fact that dangerous software may be hiding within seemingly innocuous websites makes it vitally important to patch all vulnerable software on any system as soon as patches are made available from the vendor.  In cases where a patch is not yet available users should consider any website and/or media file that they visit or handle as a potential source of compromise for their computer systems.

Readers are encouraged to share this alert with family, friends, and associates who may use Safari for Windows on their home PCs.