
Homeland Security warns of Safari hacking vulnerability

updated 11:05 am EDT, Tue May 11, 2010

Blame placed on JavaScript

The Department of Homeland Security's Computer Emergency Readiness Team (CERT) is warning of a recent and serious security flaw in Safari. The specific threat is said to lie in the browser's handling of window objects: an object can be deleted while references to it are left behind. If JavaScript then tries to use the deleted item, an invalid pointer may become available for an attacker to exploit.

A dedicated hacker can, in theory, use an HTML page or message to trigger the vulnerability and thereby launch code on a remote computer. CERT cautions that there is not yet a fix for the hole and that exploit tools are in the wild, so the only options for preventing an attack include completely disabling JavaScript within Safari or being extremely cautious about clicking unsolicited URLs. CERT adds that while the flaw has so far been found only in Safari 4.0.5 for Windows, "other versions" could also be affected.
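The defect class the advisory describes, a window object destroyed while script still holds references to it, modelled in C as an added example (not Apple's or WebKit's code; the Window type, reference counting and the closed flag are assumptions). It shows how keeping the object alive until the last reference is released, and checking a closed flag on use, prevents a dangling pointer from ever being dereferenced:

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model: a browser window object that scripts can reference. */
typedef struct Window {
    char name[32];
    int  refcount;   /* live references: the browser's own plus any script-held ones */
    int  closed;     /* set once the window has been closed */
} Window;

/* The browser creates the window and holds the first reference. */
Window *window_create(const char *name) {
    Window *w = calloc(1, sizeof *w);
    if (!w) return NULL;
    strncpy(w->name, name, sizeof w->name - 1);
    w->refcount = 1;
    return w;
}

/* Script takes a strong reference; the object cannot be freed underneath it. */
Window *window_ref(Window *w) { w->refcount++; return w; }

/* Memory is released only when nobody can reach the object any more. */
void window_unref(Window *w) {
    if (--w->refcount == 0) free(w);
}

/* Closing marks the window dead and drops the browser's reference, but does
 * not free the object while script references remain (the advisory's bug is
 * freeing here unconditionally and leaving the script's pointer dangling). */
void window_close(Window *w) {
    w->closed = 1;
    window_unref(w);
}

/* Every script access checks the closed flag instead of trusting the pointer.
 * Returns the name length on success, -1 if the window is gone. */
int window_use(Window *w) {
    if (w == NULL || w->closed) return -1;
    return (int)strlen(w->name);
}

/* Close a window while a script still references it; the access is refused. */
int demo_closed_window(void) {
    Window *w = window_create("popup");
    Window *script_ref = window_ref(w);   /* script keeps its own reference */
    window_close(w);                      /* object stays allocated: refcount 1 */
    int r = window_use(script_ref);       /* safe: -1, no freed memory touched */
    window_unref(script_ref);             /* last reference: freed now */
    return r;
}
```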

by MacNN Staff





  1. prl99



    more info

    read,00.shtml to get more information on this flaw.

  1. Eldernorm



    So are you saying....

    So would this be a Windows issue or a Windows Safari issue??? Macs are not affected and Safari on Macs is not affected??????

    Just a thought,

  1. Flying Meat



    When did DHS start

    supporting Microsoft's Windows sales?

    Shouldn't they just come out and say "Don't use the most exploited, security hole ridden OS on the market! If you value security, get something else!"

    I'm just sayin'...

    It just seems weird DHS is announcing this, or that the emphasis is on DHS. Perhaps a more accurate headline would be "CERT warns..."
    You could of course mention in the article, "CERT, a division of DHS..."

  1. JulesLt




    It's a confirmed issue on Safari for Windows.

    I don't understand enough of the detail of the error report to know whether by 'window objects' they are referring to the cross-platform abstraction of 'window' used by webkit to manage popups, or whether the flaw is in the Windows specific mapping of the abstraction to Windows native code.

    There is potential for it to be a flaw in the cross-platform layer - that would still need to be converted into an OS X exploit.

    (The fact that the exploit was demonstrated by running Calc doesn't mean it's not serious - most security people demonstrate things using a 'safe' payload. No point making it too easy for the script kiddies).

  1. wrenchy



    Safari is terrible

    As is all other Apple software.
