US-CERT Confirms New Vulnerability in Safari for Windows


A new vulnerability in Safari for Windows has been confirmed by the U.S. Computer Emergency Readiness Team (US-CERT). The team said it had confirmed the exploit for the Windows version of Safari 4.0.5, but that “other versions may also be affected.”

The vulnerability lets an attacker take over a PC when the victim opens a maliciously crafted HTML document. The advisory states: “By convincing a victim to view an HTML document (web page, HTML e-mail, or e-mail attachment) with Apple Safari, an attacker could run arbitrary code with the privileges of the user running the application.”

At issue is how Safari handles references to Window objects, according to US-CERT. In short, Safari can allow a window within the application to be closed while references to that window persist. JavaScript code can then use that stale reference in a way that lets an attacker run code on the victim’s computer.

Apple has not yet released a patch for the hole, but US-CERT said that disabling JavaScript could mitigate the exploit. The advisory also urged users not to follow unsolicited links (for example, in spam e-mail), while noting that a trusted site that had been compromised could still serve a malicious Web page that leads to an attack.

US-CERT credited Krystian Kloskowski with disclosing the vulnerability.


5 Comments

Macdave

The problem isn’t Safari, it’s because it’s on a PC! Any web browser will be a security hole if it’s subject to a bad OS.

Lee Dronick

I can’t find what version of Windows is affected; it must include XP on up.

Tiger

It’s XP with SP2. And the “vulnerability”? It launches your calculator!!!!!

I’d be much more concerned every single day about IE of any version.

Lee Dronick

It’s XP with SP2. And the “vulnerability”? It launches your calculator!!!!!

Well if it can launch the calculator I guess it can do other things, but yeah Explorer…

geoduck

It launches your calculator!!!!!

That’s impressive. A computer virus that experiments with Time Travel.


(sorry couldn’t resist)
