Safari-Internet Explorer Blended Threat Vulnerability

Normally, most of the information security people use one or more web browser because this can make one feel surf the web more secure.

Usually, one uses one of the few available browsers to surf normally while other browsers to visit the suspected web site.

Ironically, use of multiple browsers will make your machine infect malware instead of be more secure. How, let’s explore Safari-internet explorer blended threat vulnerability.

However, this vulnerability is already patched but I feel the insight to this vulnerability is very essential.

Each of vulnerability is considered moderate/less severity, however, when these two vulnerabilities combines together the severity becomes very critical.

The vulnerabilities associated with safari and Internet Explorer is "Carpet Bomb" and "DLL Load Hijack" respectively.

Safari Carpet Bomb, discovered by Netish Dhanjani, is the vulnerability of Apple's web browser on OS X and Microsoft Windows. When users use Safari to browse the specially crafted website, Safari will download file into users machine without users interaction (default location is Desktop).

Aviv Raff had discovered that IE7 has the behavior that may be dangerous to the user. For some DLLs, IE7 will search the DLLs from PATH environment and loaded the first match into memory. In some situation, IE7 will search from Desktop.

The search path of IE is in the following order:

C:\Program Files\Internet Explorer\
C:\WINDOWS\system32\
C:\WINDOWS\system\
C:\WINDOWS\
C:\Documents and Settings\username\Desktop

If the attacker has the ability to put DLLs on the victim's Desktop, they will won the game.

This attack is called "Blended Threat" vulnerability since the overall vulnerability is the combination of two vulnerabilities.