Apple patches cross-site scripting vulnerabilities


Apple on Tuesday patched code execution and cross-site scripting vulnerabilities on Tiger, Leopard, Vista and XP in a Safari update that included 13 patches.

Apple historically has delivered patches along with new feature or software updates. It's easy to miss the security angle among the new Safari hubbub (Techmeme). Here's a look at the vulnerabilities Apple plugged with its latest update.

CVE-2008-1010: This update is for Mac OS X v10.4.11, Mac OS X v10.5.2, and Windows XP or Vista, and addresses a problem in WebKit. The problem: visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution, says Apple. As for the details:

A buffer overflow issue exists in WebKit's handling of JavaScript regular expressions. Enticing a user to visit a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy and Will Drewry of Google Security Team for reporting this issue.

CVE-2008-1011: This patch addresses a cross-site scripting vulnerability in WebKit. The update is available for Mac OS X v10.4.11, Mac OS X v10.5.2, and Windows XP or Vista. Apple notes: "A cross-site scripting issue in WebKit allows method instances from one frame to be called in the context of another frame. Enticing a user to visit a maliciously crafted web page may lead to the disclosure of sensitive information. This update addresses the issue through improved handling of cross-domain method calls. Credit to David Bloom for reporting this issue."

The other CVEs are all variations on the same cross-site scripting theme. By product and CVE number:

Safari: CVE-2008-1002. This update addresses a cross-site scripting issue in the handling of JavaScript: URLs. Platforms affected: Tiger, Leopard, XP and Vista. Apple says:

A cross-site scripting issue exists in the processing of JavaScript: URLs. Enticing a user to visit a maliciously crafted web page could allow the execution of JavaScript in the context of another site. This update addresses the issue by performing additional validation of JavaScript: URLs. Credit to Robert Swiecki of Google Information Security Team for reporting this issue.

WebCore (CVE-2008-1003, CVE-2008-1004, CVE-2008-1005, CVE-2008-1006, CVE-2008-1007, CVE-2008-1008, CVE-2008-1009): These updates address cross-site scripting vulnerabilities of various kinds on Leopard, Tiger, XP and Vista.
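To make the two cross-frame problems concrete, here is an added, stand-alone model of the same-origin rule that a browser applies both when one frame navigates another to a JavaScript: URL (the CVE-2008-1002 case) and when a method owned by one frame is invoked from another (the CVE-2008-1011 case). This is illustrative code written for this page, not WebKit's implementation and not from Apple or the article; the Frame class, the navigate and callAcross helpers, and the bank.example and attacker.example URLs are assumptions constructed for the example. It uses only the WHATWG URL parser that Node.js ships.

```javascript
// Added example: a model of same-origin checks for cross-frame scripting.
// Not WebKit code; Frame/navigate/callAcross and all URLs are constructed.

// Reduce a URL to its origin (scheme, host, port). javascript: and about:
// URLs carry no origin of their own, so they yield null.
function originOf(urlString) {
  const u = new URL(urlString);
  if (u.protocol === "javascript:" || u.protocol === "about:") return null;
  const defaultPort = u.protocol === "https:" ? "443" : u.protocol === "http:" ? "80" : "";
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname, port: u.port || defaultPort };
}

// Two origins match only when scheme, host and port all agree.
function sameOrigin(a, b) {
  return a !== null && b !== null &&
    a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// A minimal frame: its document URL, the scripts that ran in it, and the
// functions its scripts exposed (the "method instances" the advisory mentions).
class Frame {
  constructor(name, url) {
    this.name = name;
    this.url = url;
    this.origin = originOf(url);
    this.log = [];            // record of javascript: URLs that ran here
    this.exposed = new Map(); // method name -> function owned by this frame
  }
  expose(name, fn) { this.exposed.set(name, fn); }
}

// Navigation of `target` requested by `source`. A javascript: URL would run
// with the target's origin, so it is honoured only when source and target
// already share that origin; otherwise it is refused. Ordinary URLs are
// loaded and the target takes on the new document's origin.
function navigate(source, target, urlString) {
  const u = new URL(urlString);
  if (u.protocol === "javascript:") {
    if (!sameOrigin(source.origin, target.origin)) {
      return { ok: false, reason: "cross-origin javascript: URL refused" };
    }
    target.log.push({ ranAs: target.origin.host, script: urlString.slice("javascript:".length) });
    return { ok: true, ranIn: target.name };
  }
  target.url = urlString;
  target.origin = originOf(urlString);
  return { ok: true, navigatedTo: urlString };
}

// A call from `caller` into a method owned by `callee`. The method always
// runs with the callee frame as `this`; a caller from another origin is
// refused instead of being allowed to reach the callee's context.
function callAcross(caller, callee, methodName, ...args) {
  if (!sameOrigin(caller.origin, callee.origin)) {
    return { ok: false, reason: "cross-origin method call refused" };
  }
  const fn = callee.exposed.get(methodName);
  if (!fn) return { ok: false, reason: "no such method" };
  return { ok: true, value: fn.apply(callee, args) };
}

// Constructed scenario: a bank page, a second bank page that is same-origin
// despite the explicit default port, and an attacker page on another origin.
function demo() {
  const bank = new Frame("bank", "https://bank.example/account");
  const bankHelp = new Frame("bankHelp", "https://bank.example:443/help");
  const evil = new Frame("evil", "http://attacker.example/page");
  bank.expose("readSecret", function () { return `secret for ${this.origin.host}`; });
  return {
    crossNav: navigate(evil, bank, "javascript:document.cookie"),
    sameNav: navigate(bankHelp, bank, "javascript:document.title"),
    crossCall: callAcross(evil, bank, "readSecret"),
    sameCall: callAcross(bankHelp, bank, "readSecret"),
    bankLog: bank.log,
  };
}
```

Run with node and inspect demo(): the attacker frame's javascript: navigation and its method call are both refused, while the same-origin helper frame succeeds at both, and the bank frame's log records only the script that came from its own origin. The port normalisation in originOf is what makes bank.example:443 and bank.example compare equal; dropping it would make two documents from the same site look cross-origin.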


About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN...
