Apple Releases Six Security Updates for Safari
A month after its previous round of Safari patches, Apple released new updates on August 11, 2009, fixing six security vulnerabilities (four of them critical) in its web browser for Windows and Mac.
Three of the six vulnerabilities existed in WebKit, the open source browser engine that powers both Google's Chrome and Safari. Apple said that four of the vulnerabilities could allow arbitrary code execution, meaning that attackers could use them to install malicious programs on vulnerable systems.
In addition, the most unusual hole lies in "Top Sites", a feature introduced by Apple in Safari 4.0 that shows users thumbnails of their frequently visited websites. Top Sites appears only when users start the browser or open a new tab.
It is possible for a malicious website to promote arbitrary sites into the Top Sites view by using automated actions, Apple said. This functionality could be used to launch a phishing attack. Apple has patched the vulnerability by preventing automated site visits from affecting the Top Sites list.
Apple has also issued patches for critical bugs such as a buffer overflow in CoreGraphics when drawing long strings, and a buffer overflow when handling EXIF metadata on Windows XP and Vista. Either may result in arbitrary code execution or other problems.
Another buffer overflow was found in WebKit and affects both Mac OS X and Windows; it too can lead to execution of malicious code.
Moreover, the processing of floating point numbers has been improved to fix a buffer overflow that a malicious site could exploit to run arbitrary code.
Meanwhile, Safari now displays a wider range of Unicode in the address bar to warn users of possible spoofing. One problem with international domain names is that different character sets contain individual characters that are visually similar to characters in other sets yet are treated as distinct. This allows the registration of look-alike domain names.
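The look-alike domain problem described above, as an added example that is not from the article or from Apple's code: a small Python check that, for each DNS label of a constructed hostname, reports which Unicode scripts the label mixes and its Punycode (xn--) form, the plain ASCII representation a browser can show instead of the confusable Unicode. The sample hostnames and the coarse script classifier are constructed for this example.

```python
import unicodedata

# Constructed sample hostnames for this example (not from the article).
SAMPLE_HOSTS = [
    "apple.com",       # plain ASCII label
    "\u0430pple.com",  # first letter is Cyrillic small a (U+0430), not Latin a
    "bücher.example",  # legitimate single-script IDN label
]

def script_of(ch: str) -> str:
    """Coarse script classification derived from the Unicode character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits, '-' are script-neutral
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN"):
        if name.startswith(script):
            return script
    return "OTHER"

def analyze_label(label: str) -> dict:
    """Describe one DNS label: scripts used, whether they mix, and its ASCII (Punycode) form."""
    scripts = {script_of(ch) for ch in label} - {"COMMON"}
    ascii_form = label.encode("idna").decode("ascii")  # IDNA ToASCII: nameprep + Punycode
    return {
        "label": label,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,   # Latin + Cyrillic in one label is the classic homograph
        "ascii_form": ascii_form,
        "is_idn": ascii_form != label,      # True when the label needed the xn-- encoding
    }

def analyze_host(host: str) -> list:
    """Analyze every label of a hostname."""
    return [analyze_label(lbl) for lbl in host.lower().split(".")]

def suspicious_labels(host: str) -> list:
    """Return the labels that mix scripts; a defender would display these in xn-- form."""
    return [r["label"] for r in analyze_host(host) if r["mixed_script"]]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        for r in analyze_host(host):
            flag = "MIXED" if r["mixed_script"] else "ok"
            print(f"{host:18} {r['label']!r:12} scripts={r['scripts']} ascii={r['ascii_form']} {flag}")
```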
SPAMfighter News - 03-09-2009