Executive Summary

Summary
Title: Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform
Information
Name: KB953818
First vendor publication: 2008-05-30
Vendor: Microsoft
Last vendor modification: 2009-04-14
Severity (Vendor): N/A
Revision: 2.0

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA
 

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS base score: 9.3
Attack range: Network
CVSS impact score: 10
Attack complexity: Medium
CVSS exploit score: 8.6
Authentication: None Required

Detail

Microsoft has investigated public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple's Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default; it must be installed independently or through the Apple Software Update application. Customers running Safari on Windows should review this advisory.

We have issued Microsoft Security Bulletin MS09-014, Cumulative Security Update for Internet Explorer (963027), and MS09-015, Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426), to address this issue. For more information about this issue, including download links for security updates, please review MS09-014 and MS09-015.

Apple Support has released a security advisory that addresses the vulnerability in Apple's Safari 3.1.2 for Windows. Please see the Apple security advisory "About the security content of Safari 3.1.2 for Windows" for more information.

Mitigating Factors:

  • Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.

General Information

Overview

Purpose of Advisory: To provide customers with the initial notification and provide additional information regarding the impact to the affected Windows platforms.

Advisory Status: Advisory published.

Recommendation: Review the suggested actions and configure as appropriate.

References: Identification
Microsoft Knowledge Base Article: 953818
Microsoft Security Bulletin: MS09-014
Microsoft Security Bulletin: MS09-015
CVE Reference: CVE-2008-2540

This advisory discusses the following software.

Related Software
Windows XP Service Pack 2
Windows XP Service Pack 3
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition Service Pack 2
Windows Vista
Windows Vista Service Pack 1
Windows Vista x64 Edition
Windows Vista x64 Edition Service Pack 1
Internet Explorer 6 for Windows XP Service Pack 2, Windows XP Service Pack 3, Windows XP Professional x64 Edition, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 7 for Windows XP Service Pack 2, Windows XP Service Pack 3, Windows XP Professional x64 Edition, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 7 for Windows Vista, Windows Vista Service Pack 1, Windows Vista x64 Edition, and Windows Vista x64 Edition Service Pack 1

Frequently Asked Questions

What is the scope of the advisory?
This advisory clarifies public reports of a blended threat which could allow remote code execution, affecting all supported editions of Windows XP and Windows Vista. For a complete list of affected software, review the software listed in the Overview section.

Is this a security vulnerability that requires Microsoft to issue a security update?
We have issued Microsoft Security Bulletin MS09-014, Cumulative Security Update for Internet Explorer (963027), and MS09-015, Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426), to address this issue.

What causes this threat?
A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user's machine without prompting, allowing them to be executed. Safari is available as a stand-alone install or through the Apple Software Update application.

What might an attacker use this function to do?
An attacker could trick users into visiting a specially crafted Web site that could download content to a user's machine and execute the content locally using the same permissions as the logged-on user.

Suggested Actions

  • Apply the updates in Microsoft Security Bulletin MS09-014, Cumulative Security Update for Internet Explorer (963027), and MS09-015, Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426), that apply to your environment.
  • If using Apple Safari on Windows, ensure that it is version 3.1.2 or higher. The latest Apple Safari update is available at Apple Safari Download.
  • Review the Microsoft Knowledge Base Article that is associated with this advisory.

Workarounds

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

  • Change the download location of content in Safari to a newly created directory
    1. Create a new directory, such as c:\SafariDownload.
    2. In Safari, click Edit, then point to Preferences.
    3. At the option, Save Downloaded Files to:, select the newly created directory.
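
A complementary audit, added here as an example and not part of Microsoft's advisory: because the threat depends on files landing on the Desktop without a prompt, this PowerShell function lists library and executable files sitting directly on each user's Desktop together with their Authenticode status. The function name Get-DesktopBinary, the profile roots and the extension list are assumptions; it needs PowerShell 3.0 or later.

```powershell
# Added example (hypothetical helper, not from the advisory).
# Lists .dll/.exe files placed directly on user Desktops so they can be
# reviewed after applying MS09-014 / MS09-015 and the Safari update.
function Get-DesktopBinary {
    param(
        # Assumed profile roots: Vista-style and XP-style locations.
        [string[]]$ProfileRoot = @('C:\Users', 'C:\Documents and Settings'),
        # Assumed extension list; extend it to suit your environment.
        [string[]]$Extension   = @('.dll', '.exe')
    )

    foreach ($root in $ProfileRoot) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        $userDirs = Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue
        foreach ($userDir in $userDirs) {
            $desktop = Join-Path $userDir.FullName 'Desktop'
            if (-not (Test-Path -LiteralPath $desktop)) { continue }

            # Only the top level of the Desktop is inspected; -Force includes hidden files.
            Get-ChildItem -LiteralPath $desktop -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $Extension -contains $_.Extension.ToLowerInvariant() } |
                ForEach-Object {
                    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                    [pscustomobject]@{
                        User            = $userDir.Name
                        Path            = $_.FullName
                        Created         = $_.CreationTime
                        SignatureStatus = $sig.Status   # e.g. Valid, NotSigned, HashMismatch
                    }
                }
        }
    }
}

# Run from an elevated prompt so other users' profiles are readable.
Get-DesktopBinary | Sort-Object Created | Format-Table -AutoSize
```

An empty result means no matching files were found at the top level of any readable Desktop; unsigned entries with recent creation times are the ones to review first.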

Original Source

Url : http://www.microsoft.com/technet/security/advisory/953818.mspx

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-264 Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:5782
 
Oval ID: oval:org.mitre.oval:def:5782
Title: Blended Threat Elevation of Privilege Vulnerability
Description: Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, and subsequently allows remote attackers to execute arbitrary code on Windows by leveraging an untrusted search path vulnerability in (a) Internet Explorer 7 on Windows XP or (b) the SearchPath function in Windows XP, Vista, and Server 2003 and 2008, aka a "Carpet Bomb" and a "Blended Threat Elevation of Privilege Vulnerability," a different issue than CVE-2008-1032. NOTE: Apple considers this a vulnerability only because the Microsoft products can load application libraries from the desktop and, as of 20080619, has not covered the issue in an advisory for Mac OS X.
Family: windows Class: vulnerability
Reference(s): CVE-2008-2540
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6108
 
Oval ID: oval:org.mitre.oval:def:6108
Title: Blended Threat Remote Code Execution Vulnerability
Description: Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, and subsequently allows remote attackers to execute arbitrary code on Windows by leveraging an untrusted search path vulnerability in (a) Internet Explorer 7 on Windows XP or (b) the SearchPath function in Windows XP, Vista, and Server 2003 and 2008, aka a "Carpet Bomb" and a "Blended Threat Elevation of Privilege Vulnerability," a different issue than CVE-2008-1032. NOTE: Apple considers this a vulnerability only because the Microsoft products can load application libraries from the desktop and, as of 20080619, has not covered the issue in an advisory for Mac OS X.
Family: windows Class: vulnerability
Reference(s): CVE-2008-2540
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Product(s): Microsoft Internet Explorer
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:8509
 
Oval ID: oval:org.mitre.oval:def:8509
Title: Blended Threat Remote Code Execution Vulnerability
Description: Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, and subsequently allows remote attackers to execute arbitrary code on Windows by leveraging an untrusted search path vulnerability in (a) Internet Explorer 7 on Windows XP or (b) the SearchPath function in Windows XP, Vista, and Server 2003 and 2008, aka a "Carpet Bomb" and a "Blended Threat Elevation of Privilege Vulnerability," a different issue than CVE-2008-1032. NOTE: Apple considers this a vulnerability only because the Microsoft products can load application libraries from the desktop and, as of 20080619, has not covered the issue in an advisory for Mac OS X.
Family: windows Class: vulnerability
Reference(s): CVE-2008-2540
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Internet Explorer
Definition Synopsis:

CPE : Common Platform Enumeration

Type Description Count
Application 144
Os 1

OpenVAS Exploits

Date Description
2009-04-15 Name : Microsoft Internet Explorer Remote Code Execution Vulnerability (963027)
File : nvt/secpod_ms09-014.nasl
2009-04-15 Name : Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege...
File : nvt/secpod_ms09-015.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
53623 Microsoft Windows SearchPath File Open / Locating Unspecified Arbitrary Code ...

45892 Apple Safari on Mac OS X Default Download Location Unspecified Arbitrary Code...

Information Assurance Vulnerability Management (IAVM)

Date Description
2009-04-16 IAVM : 2009-T-0021 - Microsoft Windows SearchPath Blended Threat Vulnerability
Severity : Category II - VMSKEY : V0018776

Snort® IPS/IDS

Date Description
2014-01-10 Apple Safari-Internet Explorer SearchPath blended threat attempt
RuleID : 16319 - Revision : 14 - Type : BROWSER-IE
2014-01-10 Apple Safari-Internet Explorer SearchPath blended threat dll request
RuleID : 15468 - Revision : 17 - Type : BROWSER-IE

Nessus® Vulnerability Scanner

Date Description
2009-04-15 Name : Arbitrary code can be executed on the remote host through a web browser.
File : smb_nt_ms09-014.nasl - Type : ACT_GATHER_INFO
2009-04-15 Name : The remote host may allow remote code execution.
File : smb_nt_ms09-015.nasl - Type : ACT_GATHER_INFO
2008-06-20 Name : The remote host contains a web browser that is affected by several issues.
File : safari_3_1_2.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2013-05-11 00:46:46
  • Multiple Updates