News

Apple's Safari browser contains a highly critical flaw that can allow attackers to infect Windows PCs with malicious code. Researchers at US-CERT and other security firms confirmed today that hackers could compromise computers with simple "drive-by" attack tactics.

The vulnerability, discovered by Polish security researcher Krystian Kloskowski on Friday, was first reported by Danish vulnerability tracking service Secunia and confirmed by the US Computer Emergency Readiness Team (US-CERT). It has been confirmed for version 4.0.5 of Safari for Windows, while there are unconfirmed reports that the latest Mac version may also be vulnerable.

According to Secunia's alert, which rated the vulnerability "highly critical", the bug is caused by an error in the handling of the browser's parent windows and can result in a "function call using an invalid pointer". "This can be exploited to execute arbitrary code when a user visits a specially-crafted web page and closes opened pop-up windows," said Secunia's alert. US-CERT added that another scenario could see attackers tricking users into opening malicious HTML-based emails within Safari.

Both Secunia and US-CERT confirmed today that the proof-of-concept attack code published by Kloskowski successfully compromises the Windows version of Safari 4.0.5, the most up-to-date version. It is not known whether the vulnerability also exists in the much more widely used Mac OS X version of Apple's software. "Other versions may also be affected," stated US-CERT, which urged users of the Windows version of Safari to disable JavaScript as a temporary defense.

Apple last patched Safari in the middle of March, when it fixed 16 flaws, including six that applied only to the Windows version of the browser. It is not unusual for Apple to patch Windows-only vulnerabilities when it updates Safari. While Kloskowski's original report included a proof-of-concept build, there have been no reports of any real-world attempts to exploit the vulnerability so far.