Two vulnerabilities in Windows Safari
Argentinian hacker Juan Pablo Lopez Yacubian has discovered two security vulnerabilities in version 3.1. of Apple's Safari browser, which was released last week. The vulnerabilities can be exploited by attackers to fake page content or possibly to inject malicious code.
Yacubian has posted two demo web pages on Geocities which illustrate the vulnerabilities in version 3.1 (build 525.13) of Safari for Windows. Because Geocities integrates its own HTML code into web pages, the pages will have to be edited a little to remove the Geocities code before the demos will work. In tests, one demo used JavaScript to insert fake content into a page from the Google Argentina website and a ZIP file with a very long filename on the second demo page caused Safari to crash and disappear from the desktop. We were not able to reproduce the bug under Mac OS X using the demo page.
An update to fix the vulnerabilities is not yet available. Until an update is released, users of the Windows version of Safari in particular should therefore avoid following links from emails or on websites to sites which require entry of personal credentials, such as online banking login details.
See also:
- Demonstration of the spoofing vulnerability in Safari by Juan Pablo Lopez Yacubian
- Demonstration of the memory access error in Safari by Juan Pablo Lopez Yacubian (caution - vulnerable browsers will crash.)
(mba)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
