Apple Releases New Safari Version to Fix 48 Security Holes
Apple is out with the latest version of its Safari browser with patches for 48 security vulnerabilities, mainly in the open-source WebKit. Most of these vulnerabilities make a PC vulnerable to be compromised by malware dropped into the system by drive-by-download attacks encountered while visiting a malware-laden webpage.
ColorSync (CVE-2009-1726), one of the patches, addresses a heap buffer overflow which exists in handling images with embedded ColorSync profile. On opening a malicious image with embedded ColorSync profile, there may be consequences like sudden termination of an application or execution of arbitrary code.
Safari facilitates user information to be included in URLs, which enables the URL to specify username and password so that the user can be authenticated to the named server. These URLs are frequently used to deceive users, potentially facilitating phishing attacks. This vulnerability, Safari (CVE-2010-1384), has also been fixed.
Along with the abovementioned patches, two other updates Safari (CVE-2010-1385) and Safari (CVE-2010-1750) have also been released by Apple.
Besides these, 44 security holes in WebKit have also been fixed, which could potentially facilitate various compromises and attacks, including exposure due to dragging/pasting images or links; inadvertent activities on other websites caused by interaction with a malware-laden webpage; cross-site scripting (XSS) attacks; data being directed to an IRC server as a result of visiting a malicious site; leakage of data from visiting an HTTPS website that sends to a vulnerable HTTP website; and a number of arbitrary code execution by visiting a malware-serving site.
Just like Apple, Microsoft also released 10 security bulletins on June 8, 2010 to address 34 security holes in one of its largest Patch Tuesdays so far. Adobe also noted that it would come out with a patch for a critical vulnerability in its Acrobat and Reader by the end of June 2010, though the patch for hole in its Flash Player will be released earlier. So until the patches are released, Adobe recommends its users to rename or remove access to autoplay.dll file that comes with Acrobat 9.x and Adobe Reader.
Related article: Apple Patches QuickTime 13 Month Old Flaw
» SPAMfighter News - 17-06-2010