Blocking Apple software updates through Group Policy due to Safari for Windows security concerns

I’m a big fan of keeping my software applications up to date on client machines, but I hate the fact that Apple is trying to push new Safari installations whenever users update iTunes on my Windows machines. I found Dan’s blog post with specifics on how to edit the appropriate registry keys to forbid automatic installations of Apple software, but the post’s comments showed that users got differing results when implementing the registry changes.

Further down in the comments I came across Eric S’s suggestion for creating a software restriction policy that disallows Apple Software Update from running. 

“To disallow Apple Software Update in Group Policy:
– Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules
– Right-click or Action > New Path Rule…
– Path: C:\Program Files\Apple Software Update
– Security Level: Disallowed

This would prevent Apple Software Update from running, regardless of whether the user installed it, or what version was installed.”
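To confirm on a client that the rule actually arrived, the following PowerShell check (an added example, not part of the original post or of Eric S’s comment) reads the Software Restriction Policies registry store for Disallowed path rules. The `(x86)` folder is an assumption for 64-bit Windows, and the function name is made up for this example.

```powershell
# Added example: verify that a Disallowed SRP path rule covers Apple Software Update.
# SRP keeps Disallowed (level 0) path rules under this policy key, one GUID subkey per rule.
$ruleRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'

# First path is the one from the rule above; the (x86) variant is an assumption
# for 64-bit Windows and would need its own path rule.
$targets = @(
    'C:\Program Files\Apple Software Update',
    'C:\Program Files (x86)\Apple Software Update'
)

function Get-DisallowedPathRule {
    param([string]$Root = $ruleRoot)
    # No key at all means no Disallowed path rules have been applied to this machine.
    if (-not (Test-Path -LiteralPath $Root)) { return @() }
    Get-ChildItem -LiteralPath $Root | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        [pscustomobject]@{
            RuleId = $_.PSChildName
            # ItemData holds the rule's path; expand variables such as %ProgramFiles%.
            Path   = [Environment]::ExpandEnvironmentVariables([string]$p.ItemData).TrimEnd('\')
        }
    }
}

$rules = @(Get-DisallowedPathRule)
foreach ($t in $targets) {
    # A rule covers the target if it names the folder itself or a parent folder.
    # Wildcard rules are not evaluated by this check.
    $hit = @($rules | Where-Object {
        $_.Path -and ($t -eq $_.Path -or
            $t.StartsWith($_.Path + '\', [StringComparison]::OrdinalIgnoreCase))
    })
    [pscustomobject]@{
        Target    = $t
        Installed = Test-Path -LiteralPath $t
        Covered   = $hit.Count -gt 0
        RuleId    = ($hit | ForEach-Object { $_.RuleId }) -join ','
    }
}
```

A target that shows `Installed = True` and `Covered = False` can still run Apple Software Update on that machine; run `gpupdate /force` and re-check before concluding the policy is missing.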

In theory a network administrator could then push approved Apple updates to the client computers via Microsoft System Center Configuration Manager, Novell Zenworks, or another application deployment solution.

Also note that as of May 30, 2008, Microsoft Security Advisory 953818 is warning of a “blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. An attacker could trick users into visiting a specially crafted Web site that could download content to a user’s machine and execute the content locally using the same permissions as the logged-on user.”

This means that if the user is running with Administrator-level privileges, the machine is easily owned by the bad guys. According to Nitesh, who originally discovered the issue, the problem stems from the fact that the “Safari browser cannot be configured to obtain the user’s permission before it downloads a resource.  Safari downloads the resource without the user’s consent and places it in a default location (unless changed)”

Microsoft’s suggested action is to:

  1. Change the download location of content in Safari to a location other than ‘Desktop’
  2. Launch Safari. Under the Edit menu select Preferences.
  3. At the option where it states Save Downloaded Files to: select a different location on the local drive
