AAPL Stock: 112.65 ( + 3.24 )

Printed from

Homeland Security warns of Safari hacking vulnerability

updated 11:05 am EDT, Tue May 11, 2010

Blame placed on JavaScript

The Department of Homeland Security's Computer Emergency Readiness Team (CERT) is warning of a recent and serious security flaw in Safari. The specific threat is said to be the browser's handling of window objects, as an object can be deleted while still leaving references behind. If JavaScript tries to use the deleted item, an invalid pointer may become available for an attacker to exploit.

A dedicated hacker can, in theory, use an HTML page or message to trigger the vulnerability, and thereby launch code on a remote computer. CERT cautions that there is not yet a fix for the hole, and exploit tools are in the wild, so the only options for preventing an attack including completely disabling JavaScript within Safari, or else being extremely cautious about clicking unsolicited URLs. CERT adds that while the flaw has so far been discovered only in Safari 4.0.5 for Windows, "other versions" could also be affected.

by MacNN Staff





  1. prl99

    Joined: Dec 1969


    more info

    read,00.shtml to get more information on this flaw.

  1. Eldernorm

    Joined: Dec 1969


    So are you saying....

    So would this be a windows issue or a windows safari issue??? Macs are not affected and safari on Macs are not affected??????

    Just a thought,

  1. Flying Meat

    Joined: Dec 1969


    When did DHS start

    supporting Microsoft's Windows sales?

    Shouldn't they just come out and say "Don't use the most exploited, security hole ridden OS on the market! If you value security, get something else!"

    I'm just sayin'...

    It just seems weird DHS is announcing this, or that the emphasis is on DHS. Perhaps a more accurate headline would be "CERT warns..."
    You could of course mention in the article, "CERT, a division of DHS..."

  1. JulesLt

    Joined: Dec 1969



    It's a confirmed issue on Safari for Windows.

    I don't understand enough of the detail of the error report to know whether by 'window objects' they are referring to the cross-platform abstraction of 'window' used by webkit to manage popups, or whether the flaw is in the Windows specific mapping of the abstraction to Windows native code.

    There is potential for it to be a flaw in the cross-platform layer - that would still need to be converted into an OS X exploit.

    (The fact that the exploit was demonstrated by running Calc doesn't mean it's not serious - most security people demonstrate things using a 'safe' payload. No point making it too easy for the script kiddies).

  1. wrenchy

    Joined: Dec 1969


    Safari is terrible

    As is all other Apple software.

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines


Most Popular

MacNN Sponsor

Recent Reviews

Dell AD211 Bluetooth speaker

For all of the high-priced, over-engineered Bluetooth speakers in the electronics market, there is still room for mass-market solution ...

VisionTek 128GB USB Pocket SSD

USB flash drives dealt the death blow to both the floppy and Zip drives. While still faster than either of the old removable media, sp ...

Kodak PixPro SL10 Smart Lens Camera

Smartphone imagery still widely varies. Large Megapixel counts don't make for a good image, and the optics in some devices are lackin ...


Most Commented