Apple's Safari updates fix auto-complete vulnerability
The latest updates to Apple's WebKit-based Safari browser, versions 5.0.1 and 4.1.1, include several new features, such as enabling Safari Extensions and introducing the Safari Extensions Gallery. They also address a number of security vulnerabilities. In total, the Safari updates close 15 security holes, many of them rated as critical by Apple.
Of these, 13 vulnerabilities are related to problems in the browser's open source WebKit rendering engine, all of which could allow an attacker to crash a victim's browser or execute arbitrary code on a user's system. The issues range from heap buffer overflows in the rendering engine's handling of JavaString objects, to memory corruption issues in the handling of floating elements in SVG documents and an uninitialized memory access issue in SVG text elements. According to Apple, for an attack to be successful, a victim must first visit a specially crafted web page.
The updates also address a cross-site scripting (XSS) issue in the way that Safari handles RSS feeds, which could have allowed a maliciously crafted RSS feed to send files from the user's system to a remote server. They also fix an information disclosure vulnerability in the auto-complete feature used by the browser to fill in frequently used form fields, such as names or email addresses. As previously reported, the auto-complete vulnerability was discovered by Jeremiah Grossman of White Hat Security and initially reported to Apple on the 17th of June.
The vulnerability allows an attacker to retrieve auto-complete data from the browser using a simple script on a specially crafted web page. The malicious page would contain various input fields, such as name, email address or credit card number, and the script would try out all possible characters for the first character in these fields, in an attempt to trigger the auto-complete feature. If the browser then auto-completes the entry, the attacker's script saves the resulting entry. A similar form of this attack scenario is already familiar from versions 6 and 7 of Microsoft Internet Explorer. Grossman says that, in combination with cross-site scripting, Chrome and Firefox are also vulnerable.
Safari 5.0.1 is available to download for Mac OS X 10.5.8 Leopard, 10.6.2 Snow Leopard and Windows XP SP2 or later. Alternatively, Safari 4.1.1 is provided for users running Mac OS X 10.4.11 Tiger. Mac OS X users can upgrade to the latest release via the built-in Software Update function. All users are advised to upgrade to the latest release as soon as possible.
- About the security content of Safari 5.0.1 and Safari 4.1.1, security advisory from Apple.
- Apple Updates Safari 5, press release from Apple.
- Apple's Safari 5 Reader incorporates open source tool, a report from The H.