June 8th, 2009

Apple Safari jumbo patch: 50+ vulnerabilities fixed

Posted by Ryan Naraine @ 1:17 pm

Categories: Adobe, Apple, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Firefox, Flash, Hackers, Java, Malware, Mozilla, Patch Watch, Responsible disclosure, Viruses and Worms, iPhone

Tags: Apple Macintosh, Microsoft Windows XP, Update, Microsoft Windows Vista, Mac OS X Server, Server, Apple Inc., Microsoft Windows, Issue, Web Site

Apple has shipped a whopper of a Safari browser update to fix more than 50 vulnerabilities, some rated extremely critical.

The latest fixes, available in the new Safari 4.0, correct a wide range of code execution and denial-of-service vulnerabilities and even include a fix for the vexing “clickjacking” issue plaguing modern Web browsers.

[ SEE: Webcam hijack demo highlights clickjacking threat ]

Several proof-of-concept examples of clickjacking, also known as UI redressing, show how clicks on one Web page can actually be applied to a page that is invisible to the end user. It is a problem that affects all the major Web browsers, and Apple now appears to be pushing out a fix for Mac and Windows users.


  • WebKit (CVE-2009-1681): A design issue exists in the same-origin policy mechanism used to limit interactions between websites. This policy allows websites to load pages from third-party websites into a subframe. This frame may be positioned to entice the user to click a particular element within the frame, an attack referred to as “clickjacking”. A maliciously crafted website may be able to manipulate a user into taking an unexpected action, such as initiating a purchase. This update addresses the issue through adoption of the industry-standard ‘X-Frame-Options’ extension header, that allows individual web pages to opt out of being displayed within a subframe.
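
As an added illustration (not code from Apple or the article), the following Python models the X-Frame-Options decision the advisory describes, alongside the server-side fix: a page served without the header can be framed by any origin, while DENY, SAMEORIGIN or the historic ALLOW-FROM directive opts it out. The header names, origins and URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed example: models how a browser that honours X-Frame-Options
# decides whether a framed page may render, and how a server opts out.

def origin_of(url: str) -> str:
    """Return scheme://host[:port], the tuple the same-origin policy compares."""
    p = urlsplit(url)
    default = {"http": 80, "https": 443}.get(p.scheme)
    port = "" if p.port in (None, default) else f":{p.port}"
    return f"{p.scheme}://{(p.hostname or '').lower()}{port}"

def framing_allowed(headers: dict, page_url: str, top_url: str) -> bool:
    """May the document at page_url render inside a frame whose top-level
    document is top_url, given the response headers page_url was served with?"""
    value = next((v for k, v in headers.items()
                  if k.lower() == "x-frame-options"), None)
    if value is None:
        return True            # no opt-out: any site can frame it (clickjackable)
    tokens = value.upper().split()
    if tokens == ["DENY"]:
        return False           # never framed, not even by the same origin
    if tokens == ["SAMEORIGIN"]:
        return origin_of(page_url) == origin_of(top_url)
    if len(tokens) == 2 and tokens[0] == "ALLOW-FROM":
        # Historic directive with uneven browser support: only the listed
        # origin may frame the page. Use the raw (case-preserved) URI.
        listed_uri = value.split(None, 1)[1]
        return origin_of(listed_uri) == origin_of(top_url)
    # Unknown or conflicting value: an audit should assume no protection,
    # since browsers disagree on whether to ignore such a header or deny.
    return True

def harden(headers: dict) -> dict:
    """Corrected server configuration: add the opt-out where it is missing."""
    if not any(k.lower() == "x-frame-options" for k in headers):
        headers = {**headers, "X-Frame-Options": "SAMEORIGIN"}
    return headers

if __name__ == "__main__":
    weak = {"Content-Type": "text/html"}            # constructed checkout page
    page, attacker = "https://shop.example/checkout", "https://attacker.example/"
    print("framable before fix:", framing_allowed(weak, page, attacker))
    print("framable after fix: ", framing_allowed(harden(weak), page, attacker))
```

Run it directly to see the same page evaluated before and after the header is added.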

The latest Safari refresh also fixes five documented code execution issues in CoreGraphics (all of which could lead to complete computer takeover); an ImageIO issue that could be exploited via maliciously crafted PNG images; five flaws in libxml; and a variety of WebKit vulnerabilities that affect Safari on both Mac and Windows systems.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.