Apple’s Safari Detected With ‘Highly Critical’ Zero-Day Vulnerability
Secunia, a software security services provider based in Copenhagen, Denmark, is warning of a security flaw in Apple's web browser, Safari, that can be exploited to expose sensitive information or to gain control over an end-user's PC.
The discoverer of the flaw, Krystian Kloskowski, a Polish security researcher, describes it as a zero-day vulnerability that can result in drive-by malware downloads through Safari. Infosecurity.com published this on May 10, 2010.
Reportedly, the flaw stems from an error in the way parent windows are handled, which can lead to a function being called via an invalid pointer. By exploiting this flaw, arbitrary code can be run if an end-user is made to open a maliciously designed website and to close all the pop-up windows.
Commenting on this, US-CERT (US Computer Emergency Readiness Team) stated on May 10, 2010 that cybercriminals could exploit the vulnerability through a booby-trapped e-mail read through Safari. The vulnerability has been proven to affect Safari version 4.0.5 for Windows as well as the most recent Mac version.
Peter James of Mac security provider Intego said that Safari's Mac version was very likely to be vulnerable to the new exploit. That's because the two applications share a large proportion of their code base, James explained. Infosecurity.com reported this on May 10, 2010.
Furthermore, according to US-CERT, an HTML e-mail viewed inside Windows Live Hotmail or Gmail may also abuse this vulnerability. If attackers hijack the operating system, they can freely access the end-user's credit card credentials or use his contacts' addresses. They can also deploy malicious software and pursue various other malicious objectives.
Meanwhile, Secunia has given this new vulnerability a "highly critical" rating, which is the second most severe ranking on the firm's 5-tier severity scale.
Apple has had flaws in Safari before. It last updated Safari in mid-March 2010, when it patched 16 vulnerabilities, of which 6 were related to the browser's Windows version.
» SPAMfighter News - 19-05-2010