AAPL Stock: 118.88 ( + 1.13 )

Printed from

Homeland Security warns of Safari hacking vulnerability

updated 11:05 am EDT, Tue May 11, 2010

Blame placed on JavaScript

The Department of Homeland Security's Computer Emergency Readiness Team (CERT) is warning of a recent and serious security flaw in Safari. The specific threat is said to be the browser's handling of window objects, as an object can be deleted while still leaving references behind. If JavaScript tries to use the deleted item, an invalid pointer may become available for an attacker to exploit.

A dedicated hacker can, in theory, use an HTML page or message to trigger the vulnerability, and thereby launch code on a remote computer. CERT cautions that there is not yet a fix for the hole, and exploit tools are in the wild, so the only options for preventing an attack including completely disabling JavaScript within Safari, or else being extremely cautious about clicking unsolicited URLs. CERT adds that while the flaw has so far been discovered only in Safari 4.0.5 for Windows, "other versions" could also be affected.

by MacNN Staff



  1. prl99

    Joined: Dec 1969


    more info

    read,00.shtml to get more information on this flaw.

  1. Eldernorm

    Joined: Dec 1969


    So are you saying....

    So would this be a windows issue or a windows safari issue??? Macs are not affected and safari on Macs are not affected??????

    Just a thought,

  1. Flying Meat

    Joined: Dec 1969


    When did DHS start

    supporting Microsoft's Windows sales?

    Shouldn't they just come out and say "Don't use the most exploited, security hole ridden OS on the market! If you value security, get something else!"

    I'm just sayin'...

    It just seems weird DHS is announcing this, or that the emphasis is on DHS. Perhaps a more accurate headline would be "CERT warns..."
    You could of course mention in the article, "CERT, a division of DHS..."

  1. JulesLt

    Joined: Dec 1969



    It's a confirmed issue on Safari for Windows.

    I don't understand enough of the detail of the error report to know whether by 'window objects' they are referring to the cross-platform abstraction of 'window' used by webkit to manage popups, or whether the flaw is in the Windows specific mapping of the abstraction to Windows native code.

    There is potential for it to be a flaw in the cross-platform layer - that would still need to be converted into an OS X exploit.

    (The fact that the exploit was demonstrated by running Calc doesn't mean it's not serious - most security people demonstrate things using a 'safe' payload. No point making it too easy for the script kiddies).

  1. wrenchy

    Joined: Dec 1969


    Safari is terrible

    As is all other Apple software.

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines

Follow us on Facebook


Most Popular


Recent Reviews

Ultimate Ears Megaboom Bluetooth Speaker

Ultimate Ears (now owned by Logitech) has found great success in the marketplace with its "Boom" series of Bluetooth speakers, a mod ...

Kinivo URBN Premium Bluetooth Headphones

We love music, and we're willing to bet that you do, too. If you're like us, you probably spend a good portion of your time wearing ...

Jamstik+ MIDI Controller

For a long time the MIDI world has been dominated by keyboard-inspired controllers. Times are changing however, and we are slowly star ...


Most Commented