Apple patches cross-site scripting vulnerabilities


Apple on Tuesday patched code execution and cross-site scripting vulnerabilities on Tiger, Leopard, Vista and XP in a Safari update that included 13 patches.

Apple historically has delivered patches along with new feature or software updates. It's easy to miss the security angle among the new Safari hubbub (Techmeme). Here's a look at the vulnerabilities Apple plugged with its latest update.

CVE-2008-1010: This update is for Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista and addresses a memory-corruption problem in WebKit. The impact, according to Apple: visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. As for the details:

A buffer overflow issue exists in WebKit's handling of JavaScript regular expressions. Enticing a user to visit a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy and Will Drewry of Google Security Team for reporting this issue.

CVE-2008-1011: This patch addresses a cross-site scripting vulnerability in WebKit. The update is available for Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. Apple notes: A cross-site scripting issue in WebKit allows method instances from one frame to be called in the context of another frame. Enticing a user to visit a maliciously crafted web page may lead to the disclosure of sensitive information. This update addresses the issue through improved handling of cross-domain method calls. Credit to David Bloom for reporting this issue.

The remaining CVEs are all variations on the same cross-site scripting theme. By component and CVE number:

Safari: CVE-2008-1002. This update addresses a cross-site scripting issue in the handling of JavaScript: URLs. Platforms affected: Tiger, Leopard, XP and Vista. Apple says:

A cross-site scripting issue exists in the processing of JavaScript: URLs. Enticing a user to visit a maliciously crafted web page could allow the execution of JavaScript in the context of another site. This update addresses the issue by performing additional validation of JavaScript: URLs. Credit to Robert Swiecki of Google Information Security Team for reporting this issue.
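Apple's advisory does not say what the "additional validation" looks like, so here is an added example of the class of check involved. It is not Apple's or WebKit's code and the function names are my own. The idea: when one frame navigates another frame to a javascript: URL, the script runs with the target frame's origin, so a browser must allow that only when the two frames already share an origin, and it must recognise the javascript: scheme even when an attacker pads or mangles it (mixed case, leading whitespace, embedded tab/newline characters that URL parsing ignores). The sample inputs below are constructed for the example.

```javascript
// Added example (not Apple's or WebKit's code): a same-origin gate for
// cross-frame navigation to javascript: URLs, plus the scheme normalisation
// needed so that padded or mixed-case variants are not missed.
// Function names and sample URLs are assumptions made for this illustration.

// Return the lower-cased URL scheme after the normalisation browsers apply:
// strip leading/trailing C0 controls and space, drop embedded tab/CR/LF.
// Returns null when the string has no scheme.
function extractScheme(url) {
  const trimmed = url.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  const stripped = trimmed.replace(/[\t\n\r]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(stripped);
  return m ? m[1].toLowerCase() : null;
}

function isJavascriptUrl(url) {
  return extractScheme(url) === "javascript";
}

// Simplified origin tuple (scheme + host + port) rendered as a string.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

// May a frame at initiatorUrl navigate a frame at targetUrl to newUrl?
// Ordinary navigations are allowed: no script runs in the target's origin.
// javascript: navigations are allowed only when the two origins match,
// otherwise the initiator would get its script executed as the target.
function navigationAllowed(initiatorUrl, targetUrl, newUrl) {
  if (!isJavascriptUrl(newUrl)) {
    return { allowed: true, reason: "non-script navigation" };
  }
  if (originOf(initiatorUrl) === originOf(targetUrl)) {
    return { allowed: true, reason: "same-origin javascript: URL" };
  }
  return { allowed: false, reason: "cross-origin javascript: URL blocked" };
}

// Constructed sample: an attacker page tries to drive a bank frame.
const ATTACKER = "https://attacker.example/page.html";
const BANK = "https://bank.example/account";
const SAMPLES = [
  ["javascript:document.cookie", false],
  ["JaVaScRiPt:alert(document.domain)", false],
  ["\tjava\nscript:alert(1)", false],      // scheme split by ignorable chars
  [" javascript:void(0)", false],          // leading whitespace
  ["https://bank.example/logout", true],   // plain navigation, no script
];

// Run every sample; true when each decision matches the expectation.
function checkSamples() {
  return SAMPLES.every(
    ([url, expected]) => navigationAllowed(ATTACKER, BANK, url).allowed === expected
  );
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [url, expected] of SAMPLES) {
    const r = navigationAllowed(ATTACKER, BANK, url);
    console.log(JSON.stringify(url), "->", r.allowed, `(${r.reason}) expected ${expected}`);
  }
}
```

The scheme normalisation is the part that matters in practice: a check that compares the raw string against "javascript:" passes the padded and split variants straight through, which is exactly the kind of gap "additional validation" is meant to close.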

WebCore (CVE-2008-1003, CVE-2008-1004, CVE-2008-1005, CVE-2008-1006, CVE-2008-1007, CVE-2008-1008, CVE-2008-1009): These updates address cross-site scripting vulnerabilities of various flavors on Leopard, Tiger, XP and Vista.


Talkback

3 comments
  • Coincidence?

    I think not. But then again, who knows. It is kind of ironic that Apple had their patches on a Tuesday when that is a day that MS typically does its patches. To be fair, I am going to wonder if these patches will do any good or if the things they are supposed to fix will still be 'broken' in 6 months.
    Shelendrea
    • The whole industry has moved toward

      a patch Tuesday type schedule (days may vary), but roughly, if everyone has to patch at the same time it makes sense to group 'em all together.
      Larry Dignan
      • Cisco has moved to a 6-month cycle

        Cisco has moved to a 6-month cycle.
        Oracle is on a 3-month cycle.

        The problem is that people almost never patch Cisco and Oracle because there is zero awareness for it.
        georgeou