August 12th, 2009

Apple plugs code execution, phishing holes in Safari browser

Posted by Ryan Naraine @ 6:39 am

Categories: Anti Virus, Apple, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Open source, Passwords, Patch Watch, Pen testing, Phishing, Privacy, Responsible disclosure, Vulnerability research, Windows Vista

Tags: Apple Macintosh, Apple Safari, Microsoft Windows Vista, Apple Inc., Web Site, Web Browser, Arbitrary Code Execution, Application Termination, Browser Version, Phishing

Apple has released Safari 4.0.3 to fix at least six security vulnerabilities that put Mac and Windows users at risk of hacker attacks.

The update is considered highly-critical and should be immediately applied on both Windows and Mac systems because of the risk of information disclosure, phishing and remote code execution attacks.

Here’s a snapshot of the vulnerabilities being fixed:

• CVE-2009-2468 (Windows XP and Vista) — A heap buffer overflow exists in the drawing of long
• text strings. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.
• CVE-2009-2188 (Windows XP and Vista) — A buffer overflow exists in the handling of EXIF metadata. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.
• CVE-2009-2196 (Mac OS X, Windows XP and Vista) – Safari 4 introduced the Top Sites feature to provide an at-a-glance view of a user’s favorite websites. It is possible for a malicious website to promote arbitrary sites into the Top Sites view through automated actions. This could be used to facilitate a phishing attack.
• CVE-2009-2195 (Mac OS X, Windows XP and Vista) — A buffer overflow exists in WebKit’s parsing of floating point numbers. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.
• CVE-2009-2200 (Mac OS X, Windows XP and Vista) — WebKit allows the pluginspage attribute of the ‘embed’ element to reference file URLs. Clicking “Go” in the dialog that appears when an unknown plug-in type is referenced will redirect to the URL listed in the pluginspage attribute. This may allow a remote attacker to launch file URLs in Safari, and lead to the disclosure of sensitive information. This update addresses the issue by restricting the pluginspage URL scheme to http or https.
• CVE-2009-2199 (Mac OS X, Windows XP and Vista) – The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by supplementing
• WebKit’s list of known look-alike characters. Look-alike characters are rendered in Punycode in the address bar.

The new browser version is available via the Apple Software Update application or Apple’s Safari download site.