Severity: Medium
18 March, 2008
Summary:
- These vulnerabilities affect: Safari 3 for OS X and Windows
- How an attacker exploits them: By enticing one of your users into visiting a malicious web site
- Impact: Various results; in the worst case, attacker executes code on your user’s computer, with your user’s privileges
- What to do: Install Safari 3.1
Exposure:
Today, Apple released a security update fixing thirteen security issues in Safari 3 for OS X and Windows. The worst of these vulnerabilities potentially allows attackers to execute malicious code on your Safari users’ machines. If you use Safari in your network — whether on a PC or Mac — you should update to version 3.1 as soon as you can. Some of the fixed vulnerabilities include:
- WebKit buffer overflow vulnerability. WebKit, a component that ships with Safari, suffers from a buffer overflow vulnerability involving the way it handles JavaScript regular expressions. If an attacker can entice one of your users into visiting a malicious web site, he could exploit this vulnerability to execute code on the user’s computer, with that user’s privileges.
- Safari certificate spoofing vulnerability. According to Apple, Safari suffers from an unspecified SSL certificate validation vulnerability. To exploit this vulnerability, an attacker must first entice your user to a legitimate web site that has a legitimate SSL certificate, then redirect your user to a malicious web site. The malicious web site will appear to have the same SSL certificate as the legitimate site, and thus inherits the trust you give the legitimate site. An attacker could exploit this flaw to steal your login credentials or any other information associated with the legitimate site.
- Multiple XSS vulnerabilities in Safari. Safari and some of its components (WebCore and WebKit) suffer from nine Cross-Site Scripting (XSS) vulnerabilities. Though the vulnerabilities differ technically, an attacker could exploit them in the same way, and with similar results. If an attacker can entice one of your users into clicking a malicious link, he can exploit these flaws to execute scripts on that user’s computer with that user’s privileges. These scripts could do anything from reading the user’s cookies to gaining complete control of his PC. For a more general understanding of XSS attacks, see our article, “Anatomy of a Cross-Site Scripting Attack.”
Apple’s alert includes a few more flaws, including a web site spoofing vulnerability and a password disclosure flaw. For more details on these flaws, refer to Apple’s alert.
Solution Path:
Apple has released Safari 3.1 for OS X and Windows to correct these security vulnerabilities. Safari users should download and install version 3.1 as soon as possible.
Note: You can also let the Apple Software Update utility (on Windows) or OS X’s Software Update install the Safari 3.1 update for you automatically.
For All Users:
These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.
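Because the malicious pages ride on ordinary HTTP, the practical control is knowing which clients on your network still run a Safari release older than 3.1. The following is an added example, not part of this alert or of any Apple tool: it scans proxy log lines for Safari User-Agent strings and reports clients whose reported version is below 3.1. It assumes that Safari advertises its release in a "Version/x.y.z Safari/…" token, and the log format and log lines below are constructed for the example rather than taken from a real proxy.

```python
import re
from typing import Dict, Optional, Tuple

# First Safari release carrying the fixes described in the alert.
PATCHED_VERSION: Tuple[int, ...] = (3, 1)

# Assumption: Safari 3 User-Agent strings carry "Version/x.y.z Safari/<build>".
_SAFARI_VERSION_RE = re.compile(r"Version/(\d+(?:\.\d+)*)\s+Safari/")

# Constructed log format: <client-ip> <timestamp> "<user-agent>"
_LOG_LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+"([^"]*)"\s*$')

# Constructed sample proxy lines (not real traffic).
SAMPLE_PROXY_LOG = [
    '10.0.0.12 2008-03-19T09:12:01 "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us) '
    'AppleWebKit/523.12 (KHTML, like Gecko) Version/3.0.4 Safari/523.12"',
    '10.0.0.33 2008-03-19T09:13:44 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) '
    'AppleWebKit/525.13 (KHTML, like Gecko) Version/3.1 Safari/525.13"',
    '10.0.0.51 2008-03-19T09:15:10 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/2.0.0.12"',
    '10.0.0.12 2008-03-19T09:20:02 "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us) '
    'AppleWebKit/523.12 (KHTML, like Gecko) Version/3.0.4 Safari/523.12"',
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "3.0.4" into (3, 0, 4) so releases compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def safari_version(user_agent: str) -> Optional[Tuple[int, ...]]:
    """Return the Safari release tuple from a User-Agent, or None for other browsers."""
    match = _SAFARI_VERSION_RE.search(user_agent)
    return parse_version(match.group(1)) if match else None


def is_unpatched(version: Tuple[int, ...]) -> bool:
    """True when the release predates 3.1. Tuple comparison handles
    differing lengths: (3, 0, 4) < (3, 1) and (3, 1, 1) >= (3, 1)."""
    return version < PATCHED_VERSION


def find_unpatched_clients(log_lines) -> Dict[str, str]:
    """Map each client address running pre-3.1 Safari to the version it reported.
    A client seen several times is reported once."""
    findings: Dict[str, str] = {}
    for line in log_lines:
        match = _LOG_LINE_RE.match(line)
        if not match:
            continue  # malformed line; skip rather than abort the scan
        client, _timestamp, user_agent = match.groups()
        version = safari_version(user_agent)
        if version is not None and is_unpatched(version):
            findings.setdefault(client, ".".join(str(p) for p in version))
    return findings


if __name__ == "__main__":
    for client, version in sorted(find_unpatched_clients(SAMPLE_PROXY_LOG).items()):
        print(f"{client}: Safari {version} is older than 3.1; update this host")
```

Run it against your own proxy export by replacing SAMPLE_PROXY_LOG with lines in the same constructed format; the version comparison uses integer tuples so that a hypothetical 3.10 is correctly ranked above 3.1, which a plain string comparison would get wrong.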
Status:
Apple released Safari 3.1 to fix these flaws.