OmniWeb Mac browser executes malicious code
The seventh bug in the Month of Apple Bugs affects the alternative Mac OS X browser OmniWeb. A format string vulnerability in the JavaScript function alert allows malicious code to be injected and executed with the user's privileges. In a test by heise Security editorial staff, the provided proof-of-concept (POC) code caused the predicted crash on version 5.5.1 of OmniWeb, but the current version 5.5.2 of the browser was unaffected and merely presented a string in a pop-up window. The POC does not include shell code to infiltrate programs.
- OmniWeb JavaScript alert() Format String Vulnerability, bug report from MOAB
(trk)