Safari on Windows - not looking good

Published: 2008-06-12
Last Updated: 2008-06-12 19:56:12 UTC
by Bojan Zdrnja (Version: 2)
4 comment(s)

Last month Mark posted a diary about a security issue for users using Safari on Windows. There has been a lot of discussion about this over the past few weeks. The issue is not a typical security vulnerability in a product, but a blended threat that is specific to Safari on Windows – a combined attack called "Safari Carpet Bomb".

Over the last weekend, a security researcher released proof of concept code that exploits this "feature" in Safari with another "feature" in Windows (yeah, a lot of "features" working together = a vulnerability).

The two "features" we're talking about here are these:

  1. In some cases, Internet Explorer will load DLLs from the Desktop. This is an old "feature" that has been known since December 2006. It also works, as far as I'm aware, only with Internet Explorer 7 (and probably 8 beta) on Windows XP. My tests failed on Vista.
  2. Safari for Windows will, by default, save files on the Desktop. This would not normally be a problem, but Safari does that without any prompts to the user (Firefox does the same, for example, but prompts the user before saving the file).

Now, when we combine these two vulnerabilities we get the following: a user visits a malicious web site with Safari. The web site causes Safari to automatically download the DLL file and store it on the Desktop. The user then needs to open Internet Explorer from the Desktop in order for the DLL file to be executed automatically. Keep in mind that the shortcut to Internet Explorer has to be on the Desktop so the PATH environment variable gets properly defined (it will make Internet Explorer search the current directory for the DLL file).

Overall, the sky isn't falling, but in my opinion both Microsoft and Apple (Safari) should fix these "features". I don't see a reason why Internet Explorer would look for the DLL file in the current directory (not doing so would effectively prevent this vulnerability). Apple should also fix Safari so it at least prompts the user before downloading the file. Apple already said that they don't consider this to be a security issue (which is partially correct), but since other browsers prompt before downloading (at least Firefox and Internet Explorer), and it is good security practice, my humble opinion is that Apple should change this behavior.

Since the proof of concept is easily available, if you are using Safari on Windows please change the default download location as described in Microsoft's advisory available at


We received some really good submissions from our readers. Will Dormann did quite a bit of testing on this vulnerability and noticed that Internet Explorer on Windows XP SP2 behaves strangely and loads the DLL when it really shouldn't. The article at describes the DLL search order. On Windows XP SP2, SafeDllSearchMode should be enabled by default and this should cause the current directory to drop to the 5th place in the search order but for some reason Internet Explorer doesn't seem to follow this. Will confirmed that SafeDllSearchMode works as expected for other binaries, but IE looks special.
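
The search order discussed above, as an added example that is not part of the original diary: a small Python model of the documented standard DLL search order with SafeDllSearchMode on and off. It ignores KnownDLLs and already-loaded modules, and every directory and DLL name in it is constructed for illustration.

```python
# Added example: a model of the documented Windows DLL search order.
# All directories and DLL names below are constructed for illustration.
from ntpath import join, normcase


def search_order(app_dir, cwd, windows_dir, path_dirs, safe_mode=True):
    """Return the directories searched, in order (KnownDLLs not modelled)."""
    system_dirs = [join(windows_dir, "System32"),  # system directory
                   join(windows_dir, "System"),    # 16-bit system directory
                   windows_dir]                    # Windows directory
    if safe_mode:  # SafeDllSearchMode on: current directory drops to 5th
        return [app_dir, *system_dirs, cwd, *path_dirs]
    return [app_dir, cwd, *system_dirs, *path_dirs]  # off: current dir is 2nd


def resolve(dll, order, files):
    """Return (position, full path) of the first match, or None."""
    present = {normcase(f) for f in files}
    for position, directory in enumerate(order, start=1):
        candidate = join(directory, dll)
        if normcase(candidate) in present:
            return position, candidate
    return None


APP = r"C:\Program Files\Internet Explorer"
# Current directory when the program is started from a Desktop shortcut.
DESKTOP = r"C:\Documents and Settings\user\Desktop"
WINDOWS = r"C:\WINDOWS"
FILES = [  # constructed file system contents
    r"C:\WINDOWS\System32\shared.dll",
    DESKTOP + "\\shared.dll",
    DESKTOP + "\\absent_from_system.dll",
]


def compare(dll):
    """Resolve one DLL name with SafeDllSearchMode on ("safe") and off."""
    result = {}
    for label, safe in (("safe", True), ("legacy", False)):
        order = search_order(APP, DESKTOP, WINDOWS, [r"C:\Tools"], safe)
        result[label] = resolve(dll, order, FILES)
    return result


if __name__ == "__main__":
    for name in ("shared.dll", "absent_from_system.dll"):
        print(name, compare(name))
```

In this model the safe setting only wins when a copy of the DLL exists in a directory searched earlier; a name found nowhere else still resolves to the current directory, which is why keeping downloads out of the Desktop matters with either setting.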

We also received several submissions stating that all versions of Internet Explorer (6 to 8) are affected. This also confirms what Brian Krebs wrote at

Finally, Jerry reminded us that generally it's not a good idea to store files on the desktop in the first place, and I agree with this. By storing downloaded files in a special folder you will make sure that you can't execute them by mistake.



Keywords: safari windows
4 comment(s)


After reading this, I am wondering what is stopping this from being valid for other browsers (or any other unknown exploit that could drop a .dll to a known IE launch location). It seems to me the real problem is that IE should not be searching the current directory for a .dll regardless of who put the .dll there. My two cents.
How is this a Safari problem? I view this as a design flaw in IE or Windows (can't really tell which because you can't have one without the other.) Given Microsoft's reluctance to fix their shoddy software, Apple will need to mitigate the risk by modifying their software, but it shouldn't need to. What software will blindly open a file and execute it simply based on its location and name without being directed to?
First off: IMO, writing files to a drive (any location) without asking the user is an error, regardless of OS. Exceptions are caches (browser and Flash), but they are written to randomized locations (after Thor Larholm pointed out the risk in 2003 see ), Macromedia randomized the Flash cache location.

Apart from a dll on the desktop there are at least two other issues. Consider this file written to the desktop:


After logging off and back on, pressing Enter will cause calc to start.

Another issue is with a file dropped on the desktop called if the user types in the MSIE url-field, the shortcut will execute. AFAIK this was first mentioned by Roger A. Grimes here in 2006:
I forgot to mention: the last issue is fixed in IE7 (but not IE6). W.r.t. the url file above: it should consist of 3 lines (SANS converts Enter to space).