Another Zero-Day Hole Found in Safari

Safari 4.0.5 has what researchers are calling a "highly critical" vulnerability that could allow an attacker to install malware on Windows PCs. Analysts at Secunia, the Danish security service provider, believe the same hole may exist in the Mac version as well, but this has not yet been confirmed. So far there are no known attacks in the wild exploiting the vulnerability.

The zero-day hole involves a bug in the way Safari handles parent windows, which would allow an attacker "to execute arbitrary code when a user visits a specially-crafted webpage and closes opened pop-up windows," Secunia's advisory reads. The US government's Computer Emergency Readiness Team (US-CERT) confirmed the vulnerability and additionally notes that the hole can be exploited through HTML mail read in Safari, putting users of services like Gmail and Hotmail at risk. US-CERT warns that "exploit code for this vulnerability is publicly available."

Polish researcher Krystian Kloskowski discovered the hole and demonstrated a proof-of-concept exploit in Secunia's labs. The firm rates the vulnerability "highly critical," the second-highest rating on its five-level scale.

Apple has not commented on the reports, though it has been notified by Secunia and is likely getting a lot of attention from the cybersecurity staff at the US Department of Homeland Security. Until a patch is released, users are advised to disable JavaScript in the "Security" tab of Safari's preferences screen, and to never authenticate to sites that use HTTP basic authentication and redirect you to a different domain.