Apple Patches CanSecWest Safari Bug
A week after Adobe patched the vulnerability used to compromise the Vista laptop at CanSecWest 08, Apple have released an update for Safari, through Security Advisory 2008-04-16, that addresses the vulnerability used to compromise the MacBook Air the day before. The most up-to-date version of Safari is now 3.1.1.
From Apple's Advisory, released early on April 17, there are two vulnerabilities patched that affect only the Windows versions of Safari, and two that affect both OS X and Windows (in WebKit - the framework that Safari is built on).
For Windows users, the first platform-specific vulnerability is a spoofing flaw in which a site can modify the address bar contents through a timing flaw. This bug was originally patched in version 3.0.2 but was reintroduced with Safari 3.1. The remaining Windows-specific flaw is a potential remote code execution / denial of service (application crash) bug, where attempting to download a file with a maliciously crafted name can trigger a memory flaw that either crashes the application or executes arbitrary code.
The two WebKit vulnerabilities that affected both OS X and Windows were a flaw in the handling of URLs with a colon (:) in the host name, which could result in a cross-site scripting attack, and the JavaScript vulnerability that was used to hack the CanSecWest MacBook. The $10,000 vulnerability lay in the way that WebKit handled processing of regular expressions in JavaScript, allowing a page to crash the browser or execute arbitrary code, as was done with the CanSecWest hack.
While the versions of WebKit supplied with Safari have been updated to address these problems, it does not appear that the changes have filtered through to the WebKit community, as there have not been any changes reported in the most recent nightly builds to address any errors with the handling of JavaScript regular expressions. It may be that the vulnerabilities are not present in the open source WebKit, but with a very large number of applications making use of WebKit, it might be worthwhile for concerned users to check whether the developers of those applications have released any recent updates.
A search through the WebKit Bugzilla (bug archive and tracking mechanism) returns a number of results for critical JavaScript errors, but does not return any entries for the error as described in Apple's advisory. The presence of the bug archive raises an interesting problem for Apple, as there is a lag between bugs being reported and addressed in WebKit nightlies and point releases, and the fixes appearing in patches for the WebKit supplied with OS X / Safari for Windows. It is possible that closely-held exploits have been developed from information placed on the bug tracker, targeting vulnerabilities that may not see patching in Apple's WebKit for some time, even with Apple developers providing many of the patches back into the WebKit trunk.
Users who want to update to the latest version of Safari can do so through the Apple Software Update application (in the Apple Menu on OS X), or through the Apple website.
19 April 2008