
Printed from http://www.macnn.com

Homeland Security warns of Safari hacking vulnerability

updated 11:05 am EDT, Tue May 11, 2010

Blame placed on JavaScript

The Department of Homeland Security's Computer Emergency Readiness Team (CERT) is warning of a recent and serious security flaw in Safari. The specific threat is said to be the browser's handling of window objects: an object can be deleted while references to it are left behind. If JavaScript then tries to use the deleted object, an invalid pointer may become available for an attacker to exploit.

A dedicated hacker can, in theory, use an HTML page or message to trigger the vulnerability, and thereby launch code on a remote computer. CERT cautions that there is not yet a fix for the hole, and exploit tools are in the wild, so the only options for preventing an attack include completely disabling JavaScript within Safari, or else being extremely cautious about clicking unsolicited URLs. CERT adds that while the flaw has so far been discovered only in Safari 4.0.5 for Windows, "other versions" could also be affected.







by MacNN Staff


Comments

  1. prl99

    Joined: Dec 1969

    +6

    more info

    read http://rixstep.com/1/1/20100510,00.shtml to get more information on this flaw.

  1. Eldernorm

    Joined: Dec 1969

    -1

    So are you saying....

    So would this be a Windows issue or a Windows Safari issue??? Macs are not affected and Safari on Macs is not affected??????

    Hmmmm,
    Just a thought,
    en

  1. Flying Meat

    Joined: Dec 1969

    -1

    When did DHS start

    supporting Microsoft's Windows sales?

    Shouldn't they just come out and say "Don't use the most exploited, security hole ridden OS on the market! If you value security, get something else!"

    I'm just sayin'...

    It just seems weird DHS is announcing this, or that the emphasis is on DHS. Perhaps a more accurate headline would be "CERT warns..."
    You could of course mention in the article, "CERT, a division of DHS..."

  1. JulesLt

    Joined: Dec 1969

    +1

    Issue

    It's a confirmed issue on Safari for Windows.

    I don't understand enough of the detail of the error report to know whether by 'window objects' they are referring to the cross-platform abstraction of 'window' used by WebKit to manage popups, or whether the flaw is in the Windows-specific mapping of the abstraction to Windows native code.

    There is potential for it to be a flaw in the cross-platform layer - that would still need to be converted into an OS X exploit.

    (The fact that the exploit was demonstrated by running Calc doesn't mean it's not serious - most security people demonstrate things using a 'safe' payload. No point making it too easy for the script kiddies).

  1. wrenchy

    Joined: Dec 1969

    -2

    Safari is terrible


    As is all other Apple software.
