updated 09:00 pm EDT, Thu April 24, 2008
URL spoofing flaw
A little over a week after Apple offered a security update to Safari 3.1.1, security research site Secunia warned users about another, "less critical" vulnerability that could allow malicious sites to "spoof" other websites. The flaw was reported by Juan Pablo Lopez Yacubian; the security advisory notes that Safari 3.1.1 has a flaw that can be exploited by malicious people to display a fake URL in the address bar. "The problem is that it is possible to hide the actual location of a page in the address bar via a specially crafted URL containing a number of certain special characters in the 'user' field before the '@' character," the report noted. It affects both the Mac OS X and Windows Vista versions of the browser and may also affect older versions. Secunia rates the flaw as "less critical" but warns that users should avoid untrusted websites and untrusted links.
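A link check for the pattern the advisory describes, as an added example that is not from the article or from Secunia's advisory: it reports the host a URL really points to and flags a 'user' field that could disguise it. The advisory does not name the special characters involved, so the check assumes any character outside RFC 3986's unreserved set is worth flagging; the function name, finding labels and sample URLs (reserved example domains) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# A dotted name ending in an alphabetic label, i.e. text a reader takes for a site.
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
# RFC 3986 "unreserved" characters; anything else in the user field is unusual.
UNRESERVED = re.compile(r"[A-Za-z0-9._~-]*")


def inspect_link(url):
    """Return the host that will really be contacted plus userinfo findings."""
    parts = urlsplit(url)
    findings = []
    if "@" in parts.netloc:
        # Everything before the last '@' is the user field, not the destination.
        findings.append("userinfo-present")
        user = unquote(parts.username or "")  # decode %XX to see real characters
        if HOSTLIKE.fullmatch(user.strip()):
            findings.append("userinfo-looks-like-hostname")
        if not UNRESERVED.fullmatch(user):
            findings.append("userinfo-has-special-characters")
    return {"real_host": parts.hostname, "findings": findings}


# Constructed sample links (not taken from the advisory).
SAMPLES = [
    "https://www.example.com/account",
    "ftp://alice@files.example.org/pub",
    "http://www.example.com%09%09@phish.example.net/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        result = inspect_link(link)
        print(result["real_host"], result["findings"], link)
```

A mail gateway or proxy can apply the same logic to links before a user sees them, displaying `real_host` rather than the raw URL text.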
Last week's Safari 3.1.1 update included improvements to stability, compatibility and security fixes for four separate flaws -- specifically addressing a flaw in the Mac version of Safari that allowed Charlie Miller to win $10,000 in the Pwn2Own contest at CanSecWest. It also contained fixes for three other issues, including two that only affected the Windows version of Safari.