Contact Us Today! (215) 853-2266

Bardissi Enterprises Blog

Bardissi Enterprises has been serving the Hatfield area since 2000, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Thirteen Security Flaws Plague Safari 3 for OS X and Windows

Severity: Medium

18 March, 2008

Summary:

  • These vulnerabilities affect: Safari 3 for OS X and Windows
  • How an attacker exploits them: By enticing one of your users into visiting a malicious web site
  • Impact: Various results; in the worst case, attacker executes code on your user’s computer, with your user’s privileges
  • What to do: Install Safari 3.1

Severity: Medium

18 March, 2008

Summary:

  • These vulnerabilities affect: Safari 3 for OS X and Windows
  • How an attacker exploits them: By enticing one of your users into visiting a malicious web site
  • Impact: Various results; in the worst case, attacker executes code on your user’s computer, with your user’s privileges
  • What to do: Install Safari 3.1

Exposure:

Today, Apple released a security update fixing thirteen security issues in Safari 3 for OS X and Windows. The worst of these vulnerabilities potentially allows attackers to execute malicious code on your Safari user’s machines. If you use Safari in your network — whether on a PC or Mac — you should update to version 3.1 as soon as you can. Some of the fixed vulnerabilities include:

  • Webkit buffer overflow vulnerability. Webkit, a component that ships with Safari, suffers from a buffer overflow vulnerability involving the way it handles JavaScript regular expressions. If an attacker can entice one of your users into visiting a malicious web site, he could exploit this vulnerability to execute code on the user’s computer, with that user’s privileges.
  • Safari certificate spoofing vulnerability. According to Apple, Safari suffers from an unspecified SSL certificate validation vulnerability. To exploit this vulnerability, an attacker must first entice your user to a legitimate web site that has a legitimate SSL certificate, then re-direct your user to a malicious web site. The malicious web site will appear to have the same SSL certificate as the legitimate site, and thus inherit the trust you give the legitimate site. An attacker could exploit this flaw to steal your login credentials or any other information associated with the legitimate site.
  • Multiple XSS vulnerabilities in Safari. Safari and some of its components (WebCore and WebKit) suffer from nine Cross-Site Scripting (XSS) vulnerabilities. Though the vulnerabilities differ technically, an attacker could exploit them in the same way, and with similar results. If an attacker can entice one of your users into clicking a malicious link, he can exploit these flaws to execute scripts on that user’s computer with that user’s privileges. These scripts could do anything from reading the user’s cookies to gaining complete control of his PC. For a more general understanding of XSS attacks, see our article, “Anatomy of a Cross-Site Scripting Attack.”

Apple’s alert includes a few more flaws, including a web site spoofing vulnerability and password disclosure flaw. For more details on these flaws, refer to Apple’s alert.

Solution Path:

Apple has released Safari 3.1 for OS X and Windows to correct these security vulnerabilities. Safari users should download and install version 3.1 as soon as possible.

Note: You can also use Apple and OS X’s Software Update utility to install the Safari 3.1 update for you automatically.

For All Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Apple released Safari 3.1 to fix these flaws.

References:

 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Sunday, 22 December 2024
If you'd like to register, please fill in the username, password and name fields.

Captcha Image

Mobile? Grab this Article!

QR-Code dieser Seite

Blog Archive

Recent Comments

Tip of the Week: Which Headphones are Right for Your Needs?
23 April 2018
I will recommend Plantronics Backbeat Pro 2 SE Noise cancelling Headset with it's Great features.
Gamification: Make Business Fun for Everyone
27 January 2017
The world is based on the games. There are many types of games as per the aussie essay writing servi...
Let's Talk Tablets
12 January 2017
The concept of tablet is far better than that of PC because you can bring them with you everywhere a...
Tip of the Week: Tweak Your Workday in These 4 Ways and See Major Results
12 January 2017
The only thing will I will say regarding this blog is that it is very helpful at least for me. As I ...
WatchGuard Releases Version 10.2.7 for WSM, Edge, Fireware, and Fireware Pro
23 December 2016
I really needed to know about the fireware but i was confused that where can i find information abou...