• On TV.com: New TV sex symbol: Vintage black PORSCHE
advertisementGet Smart about Business Spending
April 23, 2008 10:01 AM PDT

Apple Safari vulnerable to multiple attacks

by Robert Vamosi
  • Font size
  • Print
  • 12 comments

Safari users may be subject to crashes or interactions with an attacker's malicious site, according to a warning posted on Tuesday on BugTraq .

Researcher Juan Pablo Lopez Yacubian is credited with finding multiple vulnerabilities in Apple Safari 3.1.1 for Windows. Other versions of Safari may also be affected.

Among the vulnerabilities cited are a denial-of-service (crash) vulnerability caused by a write-access violation, a denial-of-service (crash) vulnerability caused by a read-access violation, and a third vulnerability that allows attackers to spoof the content contained in the address bar. A full write up can be found here .

In a separate mailing to Bugtraq, Juan Pablo Lopez Yacubian says he was also able to use a similar exploit to crash Mozilla Firefox 3 beta 5.

That said, the general workaround is not to use Safari 3.1.1 for Windows until Apple issues a fix. Versions of Firefox 2.x and Opera are recommended.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Topics:

Browsers and extensions,

Security

Tags:

security,

Apple,

Safari,

Windows,

Juan Pablo Lopez Yacubian,

Firefox 3 beta 5

Share:
Digg
Del.icio.us
Reddit
advertisement
Click here!
Recent posts from Defense in Depth
Window Snyder to leave Mozilla
How to handle ID fraud's youngest victims
Is white listing going mainstream?
How Live OneCare changed the antivirus landscape
Express Scripts clients threatened with extortion
Study: DDoS attacks threaten ISP infrastructure
Security expert talks Russian gangs, botnets
Extortion used in Express Scripts database breach
Related
Apple updates Safari for security
Apple plugs holes for domain spoofing, other attacks
Firefox's future features: 3.6, 3.7, and 4.0
Windows 7 default user account control worries experts
Firefox 3.5.4 closes security holes
Mozilla releases first beta of Firefox 3.6
Safari 4.0.4 available; Firefox 3.6 beta 2 released
Alterna-browsers Firefox, Chrome get quick fixes
Add a Comment (Log in or register) (12 Comments)
  • prev
  • 1
  • next
Crashing the browser is a good thing?
by amandachuck April 23, 2008 10:34 AM PDT
If someone attacks my computer with a malicious site, or just
creates such a **** poor site it would take up too many
resources on my machine, I'm happy to have the browser crash
as a defense. What's the problem? You just, you know, reload
the browser and move on?

Now, if it crashed the whole computer, I'd be pissed. And that
would happen in some cases if the browser wasn't smart enough
to crash first. We'll see if that happens in the real world.

But the only thing that ever crashes my Mac completely is faulty
network disk access, a problem with OSX since 10.0 that has
been mitigated in 10.5, but is still there.
Reply to this comment
don't get me wrong though
by amandachuck April 23, 2008 10:59 AM PDT
I'd rather not have it have to crash, and I'd rather not have
malpunks out there causing trouble, but crashing the browser isn't
the end of the world. destroying my HD, rewriting all my word files
with "Paul for President", etc., that would be much worse.
crashing the browser is not a good thing
by mjm01010101 April 23, 2008 11:31 AM PDT
Generally speaking, browsers and internet facing apps should never crash. They shouldn't crash because crashing implies a point of weakness where memory can be controlled, injected, manipulated, etc.

Most crashes I've seen in a browser were directly due to a plugin like javaRE or activex control like flash.
Interactions are a problem,
by rcrusoe April 23, 2008 11:21 AM PDT
crashes are not.

If they were, you would spend all your time reporting on Flash and Silverlight "attacks".
Reply to this comment
Crashes are acceptable to Mac users?
by k2dave April 23, 2008 11:35 AM PDT
From the comments posted so far it seems like Mac users are satisfied with the response of their web browser crashing at the fist sign of trouble. I think it's good as a stop gap measure till a fix is out, but far from acceptable.
Reply to this comment
Mac users
by catch23 April 23, 2008 11:49 AM PDT
will accept anything in defense of Apple.
Yet if the same thing happened on a Windows box, they would use it as 'proof' of MS's ineptness.

Apple fans start with the premise that Apple is never wrong, then warp the 'facts' to fit. At times like this, it is pretty funny to watch
View reply
"From the comments posted so far it seems..."
by krosavcheg April 23, 2008 3:39 PM PDT
"From the comments posted so far it seems..."

Huh? There are only four comments posted before yours, from
three people. Only one commenter says that she prefers the
browser crashing than getting the machine compromised.

So, for you, a sample of one is enough to support your claim?
Dedicated Mac user...
by Gomphos April 23, 2008 12:53 PM PDT
...and not apologetic. Of course Apple needs to fix this, and fast.
But I'd still use Mac over any version of Windows.
Reply to this comment
Safari for Windows
by Melekai April 23, 2008 2:24 PM PDT
Sounds like an Windows problem, not a Mac problem.
Reply to this comment
Oh really?
by Igiveup2 April 25, 2008 3:25 PM PDT
Then why was a Safari vulnerability used to pwn a MacBook in less than two minutes at CanSec West? And why was an iTunes vulnerability so effective an attack vector against OSX at CanSec West the year before? The wireless stack in OSX is alsofull of exploitable flaws. Apple's response to that fact was to try to cover it up by blaming the messenger. When malware writers want to target OSX, they will. And Apple's lax response to security issues suggests that they could succeed spectacularly.
Safari is a joke gone bad...
by AppleSuxLeo April 24, 2008 6:16 PM PDT
Mr.Turtle Neck`s version of an April Fools joke.
Reply to this comment
(12 Comments)
  • prev
  • 1
  • next
advertisement

A CNET Conversation with Eric Schmidt

CNET's Tom Krazit and Molly Wood sit down with Google CEO Eric Schmidt to discuss the future of Android, the Chrome OS, the problem of real-time search indexing, and more.

Verizon tests sending RIAA copyright notices

The No. 2 phone company, known for its reluctance to intervene in antipiracy cases, strikes an agreement to forward copyright notices on behalf of the music industry.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.

Add this feed to your online news reader

Defense in Depth topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET