November 11th, 2009
Apple Safari exposes Windows to drive-by download attacks
Apple today shipped Safari 4.0.4 to fix a total of seven security flaws that expose Windows and Mac users to a wide range of malicious hacker attacks.
The high-priority update patches vulnerabilities that allow remote code execution (drive-by downloads) if a user simply surfs to a maliciously rigged Web site. Some of the issues affect Microsoft’s new Windows 7 operating system.
The skinny from an Apple advisory:
- ColorSync (CVE-2009-2804) — Available for Windows 7, Windows Vista and Windows XP – An integer overflow exists in the handling of images with an embedded color profile, which may lead to a heap buffer overflow. Opening a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution. This vulnerability was internally discovered by Apple.
- libxml CVE-2009-2414 and CVE-2009-2416 — Available for: Mac OS X Windows 7, Windows Vista and Windows XP — Multiple use-after-free issues exist in libxml2, the most serious of which may lead to an unexpected application termination. This update addresses the issues through improved memory handling. The issues have already been addressed in Mac OS X 10.6.2, and in Security Update 2009-006 for Mac OS X 10.5.8 systems.
- Safari — CVE-2009-2842 — Available for: Mac OS X, Windows 7, Windows Vista and Windows XP — An issue exists in Safari’s handling of navigations initiated via the “Open Image in New Tab”, “Open Image in New Window”, or “Open Link in New Tab” shortcut menu options. Using these options within a maliciously crafted website could load a local HTML file, leading to the disclosure of sensitive information.
- WebKit — CVE-2009-2816 — Available for Mac OS X, Windows 7, Windows Vista and Windows XP — An issue exists in WebKit’s implementation of Cross-Origin Resource Sharing. Before allowing a page from one origin to access a resource in another origin, WebKit sends a preflight request to the latter server for access to the resource. WebKit includes custom HTTP headers specified by the requesting page in the preflight request. This can facilitate cross-site request forgery. Internally discovered by Apple.
- WebKit — CVE-2009-3384 – Available for Windows 7, Windows Vista and Windows XP – Multiple vulnerabilities exist in WebKit’s handling of FTP directory listings. Accessing a maliciously crafted FTP server may lead to information disclosure, unexpected application termination, or execution of arbitrary code. This update addresses the issues through improved parsing of FTP directory listings. These issues do not affect Safari on Mac OS X systems.
- WebKit — CVE-2009-2841 – Available for Mac OS X (client and server) — When WebKit encounters an HTML 5 Media Element pointing to an external resource, it does not issue a resource load callback to determine if the resource should be loaded. This may result in undesired requests to remote servers. As an example, the sender of an HTML-formatted email message could use this to determine that the message was read. This issue is addressed by generating resource load callbacks when WebKit encounters an HTML 5 Media Element. This issue does not affect Safari on Windows systems.
The browser update is being pushed to Mac and Windows systems via Apple’s software update utilities. Alternatively, Safari users can download the patches from Apple’s download site.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
