If you’re a bit confused about the recent Microsoft advisory on the Safari blended threat, you’re probably not the only one.
Microsoft’s advisory speaks of a threat that “allows remote code execution”. However, if you review the work of Nitesh Dhanjani, who discovered the vulnerability, the exploit only allows sites to carpet bomb users with files. So, what remote code execution are they talking about?
According to Aviv Raff, there’s more to the story. It turns out that there is a method to allow remote execution, using Nitesh’s method, as well as a method that Aviv previously reported to Microsoft.
Solution? Don’t use Safari until this is resolved. Easy. (As the chorus of yawns echoes through the Blogosphere.)
Alex Eckelberry