Apple releases security update for its Safari bugs
Apple has issued a security update that fixes a pair of severe flaws in its Safari 4 web browser. If exploited, the flaws could allow an attacker to launch a cross-site scripting (XSS) attack through the execution of malicious code, or to take control of an affected system.
Reportedly, the company released the update, Safari 4.0.2, on July 8, 2009. Secunia, an independent security vendor, rated the flaws that the update addresses as "highly critical."
Reports state that the vulnerabilities affect both the Mac and Windows editions of Safari. Specifically, according to Apple, they affect Safari versions prior to 4.0.2 on Mac OS X 10.4 and 10.5, and on Windows XP and Vista.
Security researchers say that both flaws lie in Safari's layout engine, WebKit. According to the security advisory Apple released alongside the patches, the more severe of the two is a memory corruption problem in the way WebKit handles numeric references; a malicious website could exploit it to run malware on an affected computer. The same bug could also be used to crash the browser.
The second flaw is an input validation problem in the way WebKit handles the top and parent objects. With this flaw, an attacker's website could run malicious code and HTML within another website's security context, resulting in an XSS attack. Apple's update addresses the problem through improved handling of the top and parent objects, the advisory stated.
Users can therefore protect themselves from a likely attack by updating their Safari browser to version 4.0.2 as soon as possible, security researchers at Apple said.
Meanwhile, in June 2009, Apple issued a large security update addressing an unprecedented 50 bugs affecting Safari. Of the many patches in that update, the most dangerous related to yet another problem in WebKit. With the June 2009 update, Apple also plugged a further hole in WebKit that allowed clickjacking, and fixed five vulnerabilities that allowed arbitrary code execution.
Related article: Apple Patches QuickTime 13 Month Old Flaw
» SPAMfighter News - 27-07-2009