Apple patches cross-site scripting vulnerabilities

Apple on Tuesday patched code execution and cross-site scripting vulnerabilities on Tiger, Leopard, Vista and XP in a Safari update that included 13 patches.Apple historically has delivered patches along with new feature or software updates.

Apple on Tuesday patched code execution and cross-site scripting vulnerabilities on Tiger, Leopard, Vista and XP in a Safari update that included 13 patches.

Apple historically has delivered patches along with new feature or software updates. It's easy to miss the security angle among the new Safari hubbub (Techmeme). Here's a look at the vulnerabilities Apple plugged with its latest update.

CVE-2008-1010: This update is for Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista and addresses problems with Webkit. The problem: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution, says Apple. As for the details:

A buffer overflow issue exists in WebKit's handling of JavaScript regular expressions. Enticing a user to visit a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy and Will Drewry of Google Security Team for reporting this issue.

CVE-2008-1011: This patch addressed a cross scripting vulnerability in Webkit. The update is available for Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. Apple notes: A cross-site scripting issue in WebKit allows method instances from one frame to be called in the context of another frame. Enticing a user to visit a maliciously crafted web page may lead to the disclosure of sensitive information. This update addresses the issue through improved handling of cross-domain method calls. Credit to David Bloom for reporting this issue."

Other CVEs were all variations on the same cross-scripting theme. By product and CVE number:

Safari: CVE-2008-1002. This update addresses JavaScript cross scripting problems. Platforms affected: Tiger, Leopard, XP and Vista. Apple says:

A cross-site scripting issue exists in the processing of JavaScript: URLs. Enticing a user to visit a maliciously crafted web page could allow the execution of JavaScript in the context of another site. This update addresses the issue by performing additional validation of JavaScript: URLs. Credit to Robert Swiecki of Google Information Security Team for reporting this issue.

Webcore (CVE-2008-1003, CVE-2008-1004, CVE-2008-1005, CVE-2008-1006, CVE-2008-1007, CVE-2008-1008, CVE-2008-1009): These updates address cross-scripting vulnerabilities of various flavors on Leopard, Tiger, XP and Vista.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All