Safari Bug Could Expose User’s Personal Files
A newly detected vulnerability in Apple's web browser Safari allows a remote malicious website to view files stored on the hard drive of a Windows or Mac system, even without any action by the user, said Brian Mastenbrook, Open-source Bug Expert, as reported by ITWire on January 13, 2009.
The reports revealed that a phishing website could exploit this vulnerability to gain access to confidential information on the end user's system, such as passwords, cookies or e-mails. This data could then be used to access the user's accounts on certain websites. Of course, the user never learns that his private details have been stolen.
Although Mastenbrook did not reveal the vulnerability in detail, the underlying problem possibly relates to the use of maliciously formed feed URLs. According to security experts, the problem is a heap-based buffer overflow: a condition in which a process writes more data than the buffer was sized to hold, so the excess data overwrites adjacent memory locations.
Brian also disclosed that users of Mac OS X 10.5 Leopard who keep the default feed reader program on the system are affected. Users who have Safari for Windows installed but do not browse with it are unaffected.
Meanwhile, Apple has acknowledged the vulnerability. However, the company has not yet said when it will release a patch for the flaw, although security specialists believe the patch will be released soon.
Nonetheless, Brian advised users of Safari for Windows to switch to a different browser as a way around the problem, while Mac users can simply configure a new RSS feed handler. To set the new feed handler, specialists suggest that users open Safari's Preferences and select the RSS button; if another feed reader is installed on the system, they can select it there.
Brian added that users with any doubts or concerns should get in touch with Apple directly.
» SPAMfighter News - 19-01-2009