Security

November 11, 2009 6:17 PM PST

Apple updates Safari for security

by Seth Rosenblatt
  • 63 comments

Apple released a security update for its Safari Web browser on Wednesday. Available for Windows and Mac, Safari 4.0.4 plugs what sound like moderate to severe security holes. Unlike competitors Internet Explorer, Firefox, and Chrome, Apple doesn't rate the severity of its security fixes.

The security fixes address a wide range of problem points. On both Windows and Mac, parsing maliciously written XML content could have led to a browser crash, using shortcut menu options within a maliciously created Web site could have led to the disclosure of local information, and visiting a maliciously built Web site could have resulted in unexpected actions on other opened Web sites.

For Windows only, the update closes two holes: viewing a maliciously made image with an embedded color profile could have led to a browser crash or arbitrary code execution, and accessing a maliciously crafted FTP server could have led to an unexpected crash, information disclosure, or arbitrary code execution. For Mac only, an exploit that could have allowed e-mail to remotely load audio and video content when loading a remote image has been disabled.

Although it's good practice to update a program whenever a security fix has been released, more transparency from Apple on the matter would pull the company up to competitors' standards.

Click here to read the full changelog for Safari 4.0.4.

Originally posted at The Download Blog
March 18, 2009 5:31 PM PDT

Safari hole exploited in seconds at security conference

by Elinor Mills
  • 160 comments

Updated at 5:53 p.m. PDT with information on a second winner at the ongoing contest.

Charlie Miller won $5,000 after demonstrating a new Safari exploit as part of the Pwn2Own hacking contest at CanSecWest.

(Credit: Elinor Mills/CNET)

VANCOUVER, Canada--The security expert who won $10,000 hacking a MacBook Air in less than two minutes last year won $5,000 on Wednesday by exploiting a hole in Safari in 10 seconds or so.

Charlie Miller, principal security analyst at Independent Security Evaluators, used a MacBook running the latest version of the Mac OS as part of a contest at the CanSecWest security conference called "Pwn2Own," which is hacker slang for gaining control of a computer.

The security hole, which Miller said he discovered last year, allows a remote attacker to gain control of a machine simply by getting the computer user to click on a malicious URL, as Miller demonstrated.

"It's not easy, but this worked with one click" from the Safari browser, he said.

Miller is prevented by contest rules from revealing details of the exploit. He said he told Apple representatives what he planned to do earlier in the day. "They're happy because they get free research and get a bug fixed," he said.

The contest is sponsored by TippingPoint, which will share details on the exploit with Apple and develop a patch for it. TippingPoint is offering $5,000 for each new exploit demonstrated in the major browsers and $10,000 for each successful exploit in the major smartphones, as well.

Previously, Miller discovered a hole in the mobile version of Safari shortly after the iPhone was launched in 2007.

Later in the day, a 25-year-old computer science student at the University of Oldenburg in Germany won $15,000 for exploits he demonstrated in IE 8, Safari, and Firefox. The student, who declined to give his full name, gets to keep the Sony Vaio he did his exploits on, and Miller gets to keep the MacBook he used.

February 12, 2009 4:15 PM PST

Apple fixes dozens of holes with OS X security update

by Elinor Mills
  • 42 comments

Apple released a Mac OS X security update on Thursday that contains fixes for more than two dozen vulnerabilities, including one in Safari RSS that could lead to arbitrary code execution and one in Remote Apple Events that could disclose sensitive information.

Also fixed are a vulnerability in AFP Server that could trigger a denial of service and vulnerabilities in Apple Pixlet Video, ClamAV, CoreText, Python, SMB, and X11 that could lead to arbitrary code execution. Another fix closes a hole in Printing that could allow a local user to get system privileges and one in DS Tools that could expose passwords to other local users.

Security Update 2009-001 can be obtained from the Software Update pane in System Preferences or Apple's Software Downloads Web site.

Apple also on Thursday released Safari 3.2.2 for Windows, which fixes a vulnerability that could allow execution of arbitrary JavaScript in the local security zone. That update is also on Apple's download site.

November 18, 2008 1:50 PM PST

Safari 3.2 includes antiphishing tools

by Robert Vamosi
  • 4 comments

Without fanfare, Apple has apparently added antiphishing to its Safari 3.2 release.

The new version of Safari, which was largely a security update and was released last week, includes a new configuration option labeled "Warn when visiting a fraudulent website." It is configured to be on by default. So far, Apple is not talking about the enhancement, nor is there any documentation on the Safari site.

CNET tested the updated Safari 3.2 for Windows on various newly reported phish sites listed on DSLreports and PhishTank, and found none produced a warning. It could be that the phish sites being tested were not yet reported to the Google database or that the antiphishing update hadn't made it locally to our Safari browser for blocking.

According to Ryan Naraine at ZDNet, the alert displays standard language. It also includes two links, one to Google's explanation of a phishing site, the other to a Google Report an Error page.

Apple uses standard language when blocking a suspected phishing site.

(Credit: ZDNet)

Apple is the last of the major browser vendors to offer antiphishing protection.

Microsoft uses its own antiphishing and anti-malware tool for Internet Explorer; Mozilla uses a combination of tools, including Google, for Firefox; Opera uses Haute Secure to provide bogus site warnings to end users; and Google uses its own antiphishing technology within its Chrome browser.

November 13, 2008 3:42 PM PST

Apple updates Safari with 11 security fixes

by Robert Vamosi
  • 30 comments

On Thursday, Apple released Safari 3.2. Although the update affects both Mac and Windows users, many of the Mac updates were provided in Apple's October update for Mac OS X users. The update includes eight fixes specific to Safari and three specific to WebKit.

Safari 3.2 is available via the Apple Software Update application, the Apple Software Downloads page, or Apple's Safari download site.

Safari-1
This patch affects Safari users on Windows XP or Vista. This update addresses multiple vulnerabilities in zlib 1.2.2 detailed within CVE-2005-2096. Apple credits Robbie Joosten of bioinformatics@school, and David Gunnells of the University of Alabama at Birmingham for reporting the vulnerabilities.

Safari-2
This patch affects users of Windows XP or Vista. This update addresses the security issue in the libxslt library detailed within CVE-2008-1767 in which processing an XML document may lead to an unexpected application termination or arbitrary code execution. Apple credits Anthony de Almeida Lopes of Outpost24 AB, and Chris Evans of the Google Security Team for finding the vulnerability.

Safari-3
This patch affects users of Windows XP or Vista. The update addresses the heap buffer overflow issue in CoreGraphics' handling of color spaces, detailed within CVE-2008-3623, in which viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. Apple credits itself for finding the vulnerability.

Safari-4
This patch affects users of Windows XP or Vista. This update addresses the security issue detailed within CVE-2008-2327 in which viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. Apple credits itself for finding the vulnerability.

Safari-5
This patch affects users of Windows XP or Vista. The update addresses the vulnerabilities detailed within CVE-2008-2332 in which viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. Specifically, a memory corruption issue exists in ImageIO's handling of embedded ICC profiles in JPEG images. Apple credits Robert Swiecki of the Google Security Team for finding the vulnerability.

Safari-6
This patch affects users of Windows XP or Vista. This update addresses the security issue detailed within CVE-2008-3608 in which viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. Apple credits itself for finding the vulnerability.

Safari-7
This patch affects users of Windows XP or Vista. This update addresses the security issue detailed within CVE-2008-3642 in which viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. Apple credits itself for finding the vulnerability.

Safari-8
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.5, or Windows XP or Vista. The update addresses the vulnerabilities detailed within CVE-2008-3644 in which disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a local user. Apple credits an anonymous researcher for finding the vulnerability.

WebKit-1
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.5, or Windows XP or Vista. This update addresses the security issue detailed within CVE-2008-2303 in which visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution. Apple credits SkyLined of Google for finding the vulnerability.

WebKit-2
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.5, and Windows XP or Vista. The update addresses the vulnerabilities detailed within CVE-2008-2317 in which visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution. Specifically, a memory corruption issue exists in WebCore's handling of style sheet elements. The issue has already been addressed in systems running Mac OS X v10.5.5. Apple credits the TippingPoint Zero Day Initiative for finding the vulnerability.

WebKit-3
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.5, and Windows XP or Vista. This update addresses the security issue detailed within CVE-2008-4216 in which visiting a maliciously crafted Web site may lead to the disclosure of sensitive information. This update addresses the issue by restricting the types of URLs that may be launched via the plug-in interface. Apple credits Billy Rios of Microsoft, and Nitesh Dhanjani of Ernst & Young for finding this vulnerability.

August 25, 2008 3:39 PM PDT

IE 8 to include private browsing feature

by Robert Vamosi
  • 30 comments

As CNET News first reported last week, Internet Explorer 8 will include a way to surf somewhat anonymously, allowing the user to suspend browsing history, cookies, and other identifying information. Mozilla had considered such a feature for its Firefox 3 release, but dropped it for technical reasons. Apple Safari also includes a similar feature.

Microsoft is touting the feature, known as InPrivate, as one of several security enhancements within its next major browser release. The scenarios for using InPrivate include when you're using someone else's computer, when you need to buy a gift for a loved one without ruining the surprise, or when you're at an Internet kiosk and don't want the next person to know which Web site you visited. While you can currently clear the browser cache with a mouse click, it's an all-or-nothing action. InPrivate temporarily suspends the automatic caching functions, allowing you to keep the rest of your browsing history intact.

ZDNet columnist Mary Jo Foley calls InPrivate IE's "porn mode."

The IE development team at Microsoft has more details about InPrivate here. They've even produced a video.

InPrivate will be available in IE8 Beta 2, which is expected to be released sometime before the end of the month. Final release for the browser remains scheduled for November.

July 23, 2008 3:06 PM PDT

iPhone vulnerable to phishing attacks

by Robert Vamosi
  • 16 comments

Security researcher Aviv Raff said on Wednesday that the iPhone's Mail and Safari applications are prone to URL spoofing and could allow phishing attacks against iPhone users.

The alert was anticipated. Prior to the release of the iPhone on July 11, Raff was one of a few security researchers who indicated they had found vulnerabilities but were waiting to see the final iPhone 2.0 release.

Raff says that by crafting a specially designed URL, an attacker could create an e-mail link that appears in Mail to be from a trusted site (a financial institution or social network). When the user clicks the link, Safari opens to the phishing site. The issue affects users of iPhone 1.1.4 and 2.0.

Raff, who has informed Apple of the vulnerability, declined on his blog to offer more details until a patch is available.

Until then, Raff suggests iPhone users "avoid clicking on links in the Mail application which refers to trusted Web sites (e.g. bank, PayPal, social networks, etc.). Instead, a user should enter the URL of the Web site manually in the Safari application."
