REALTIME IT NEWS

Blogs | 7 Day Summary | JustTechJobs

Newsletters

Select newsletters below and click the button to sign up!

Become a Marketplace Partner

Partner With Us

Internet.com / Blogs

All Internet.com / Blogs

Internetnews Bloggers

Recent Entries

Archives

Monthly Archives

Search The Blog

Netstat -vat by Sean Michael Kerner (bio )

A command line view of IT

« Mozilla Firefox 3.6 Beta 2 fixes 186 bugs | Sean Michael Kerner Blog | Google to make the web SPDY with new web protocol »

Apple Safari 4.0.4 updated for 7 security flaws

By Sean Michael Kerner on November 12, 2009 9:50 AM

From the 'WebKit Flaws' files:

Apple is updating its Safari web browser to version 4.0.4 to fix 7 identified CVE's (Common Vulnerabilities and Exposures) spread across both Mac and Windows versions of the software.

Three of the fixes are for Safari's core WebKit rendering engine and in my opinion they're critical issues. What's particularly interesting is how the issues were identified in one case by Google and in the other by Apple. Both Google and Apple rely on WebKit as the key rendering infrastructure for their respective browsers.

One of the issues is a Cross Site Request Forgery (CSRF) flaw in how WebKit enables a page from one location to access a resource in another place.

"WebKit sends a preflight request to the latter server for access to the resource," Apple's advisory states. "WebKit includes custom HTTP headers specified by the requesting page in the preflight request. This can facilitate cross-site request forgery."

That's pretty serious and in my opinion, not terribly difficult to execute either. What makes this vulnerability even more ominous is the fact that it's in WebKit, it could potentially have found its way into the iPhone or Google's Chrome too. This particular vulnerability was discovered by Apple's own security researchers.

Google recently patched Chrome for a number of security issues.

The other WebKit fix in Safari 4.0.4 deals with WebKit's handling of FTP directory listings. In the WebKit FTP case, Apple credits Michal Zalewski of Google Inc. for reporting the issue. According to Apple, accessing a maliciously crafted FTP server could have potentially led to arbitrary code execution.

Last but not least, another WebKit fix deals with a HTML 5 issue related to loading audio and video content. The flaw could potentially have enabled a browser to load remote content even when the user had already disabled the feature.

Apple's last Safari update, version 4.0.3 came out in August and fixed 6 flaws.

Permalink | Comments (0) | TrackBacks (0) | Share

Share this Article

Google Bookmarks

Yahoo Favorites

0 TrackBacks

Listed below are links to blogs that reference this entry: Apple Safari 4.0.4 updated for 7 security flaws.

TrackBack URL for this entry: https://swarm.jupitermedia.com/mt-tb.cgi/9260

Leave a comment