toggle

AAPL Stock: 441.93 ( -1.01 )

http://www.macnn.com/articles/10/05/11/blame.placed.on.javascript/

Homeland Security warns of Safari hacking vulnerability

updated 11:05 am EDT, Tue May 11, 2010

 

Blame placed on JavaScript


The Department of Homeland Security's Computer Emergency Readiness Team (CERT) is warning of a recent and serious security flaw in Safari. The specific threat is said to be the browser's handling of window objects, as an object can be deleted while still leaving references behind. If JavaScript tries to use the deleted item, an invalid pointer may become available for an attacker to exploit.

A dedicated hacker can, in theory, use an HTML page or message to trigger the vulnerability, and thereby launch code on a remote computer. CERT cautions that there is not yet a fix for the hole, and exploit tools are in the wild, so the only options for preventing an attack including completely disabling JavaScript within Safari, or else being extremely cautious about clicking unsolicited URLs. CERT adds that while the flaw has so far been discovered only in Safari 4.0.5 for Windows, "other versions" could also be affected.





by MacNN Staff

Post tools:

TAGS :

 security, software, Windows, Safari

Related Articles

Recent Articles

toggle

Comments

  1. prl99

    Fresh-Faced Recruit

    Joined: Mar 2009

    +6
    05/11, 12:04pm | report spam | Reply |

    more info

    read http://rixstep.com/1/1/20100510,00.shtml to get more information on this flaw.

  1. Eldernorm

    Fresh-Faced Recruit

    Joined: Sep 2007

    -1
    05/11, 02:50pm | report spam | Reply |

    So are you saying....

    So would this be a windows issue or a windows safari issue??? Macs are not affected and safari on Macs are not affected??????

    Hmmmm,
    Just a thought,
    en

  1. Flying Meat

    Junior Member

    Joined: Jan 2007

    -1
    05/11, 04:37pm | report spam | Reply |

    When did DHS start

    supporting Microsoft's Windows sales?

    Shouldn't they just come out and say "Don't use the most exploited, security hole ridden OS on the market! If you value security, get something else!"

    I'm just sayin'...

    It just seems weird DHS is announcing this, or that the emphasis is on DHS. Perhaps a more accurate headline would be "CERT warns..."
    You could of course mention in the article, "CERT, a division of DHS..."

  1. JulesLt

    Fresh-Faced Recruit

    Joined: Jul 2005

    +1
    05/12, 05:09am | report spam | (1 reply) Reply |

    Issue

    It's a confirmed issue on Safari for Windows.

    I don't understand enough of the detail of the error report to know whether by 'window objects' they are referring to the cross-platform abstraction of 'window' used by webkit to manage popups, or whether the flaw is in the Windows specific mapping of the abstraction to Windows native code.

    There is potential for it to be a flaw in the cross-platform layer - that would still need to be converted into an OS X exploit.

    (The fact that the exploit was demonstrated by running Calc doesn't mean it's not serious - most security people demonstrate things using a 'safe' payload. No point making it too easy for the script kiddies).

  1. wrenchy

    Forum Regular

    Joined: Nov 2009

    -2
    05/12, 03:57pm | report spam | Reply |

    Safari is terrible


    As is all other Apple software.

Login Here

Not a member of the MacNN forums? Register now for free.

 
close
Photo
toggle

Network Headlines

toggle

Most Popular

MacNN Sponsor

Recent Reviews

MaxUpgrades MaxConnect for 2006-2008 Mac Pro

Nobody outside of Cupertino's privileged bunch knows the future of the Mac Pro line for sure. Despite Apple's reluctance to tell us wh ...

Brother HL-3170CDW LED Printer

We've mentioned before that we are far from a paperless society. For now, at least, there are tasks that require a piece of paper for ...

HTC One

It is hard to overstate just how critically important the HTC One is to the Taiwanese company’s fortunes. Despite its alarming decline ...

toggle

Most Commented

 

Popular News