Apple Safari exposes Windows to drive-by download attacks

Summary: A high-priority Safari update patches vulnerabilities that allow remote code execution (drive-by downloads) if a user simply surfs to a maliciously rigged Web site.


Apple today shipped Safari 4.0.4 to fix a total of seven security flaws that expose Windows and Mac users to a wide range of malicious hacker attacks.

The high-priority update patches vulnerabilities that allow remote code execution (drive-by downloads) if a user simply surfs to a maliciously rigged Web site. Some of the issues affect Microsoft's new Windows 7 operating system.

The skinny from an Apple advisory:

  • ColorSync -- CVE-2009-2804 -- Available for: Windows 7, Windows Vista and Windows XP -- An integer overflow exists in the handling of images with an embedded color profile, which may lead to a heap buffer overflow. Opening a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution. This vulnerability was internally discovered by Apple.
  • libxml -- CVE-2009-2414 and CVE-2009-2416 -- Available for: Mac OS X, Windows 7, Windows Vista and Windows XP -- Multiple use-after-free issues exist in libxml2, the most serious of which may lead to an unexpected application termination. This update addresses the issues through improved memory handling. The issues have already been addressed in Mac OS X 10.6.2, and in Security Update 2009-006 for Mac OS X 10.5.8 systems.
  • Safari -- CVE-2009-2842 -- Available for: Mac OS X, Windows 7, Windows Vista and Windows XP -- An issue exists in Safari's handling of navigations initiated via the "Open Image in New Tab", "Open Image in New Window", or "Open Link in New Tab" shortcut menu options. Using these options within a maliciously crafted website could load a local HTML file, leading to the disclosure of sensitive information.
  • WebKit -- CVE-2009-2816 -- Available for: Mac OS X, Windows 7, Windows Vista and Windows XP -- An issue exists in WebKit's implementation of Cross-Origin Resource Sharing. Before allowing a page from one origin to access a resource in another origin, WebKit sends a preflight request to the latter server for access to the resource. WebKit includes custom HTTP headers specified by the requesting page in the preflight request. This can facilitate cross-site request forgery. Internally discovered by Apple.
  • WebKit -- CVE-2009-3384 -- Available for: Windows 7, Windows Vista and Windows XP -- Multiple vulnerabilities exist in WebKit's handling of FTP directory listings. Accessing a maliciously crafted FTP server may lead to information disclosure, unexpected application termination, or execution of arbitrary code. This update addresses the issues through improved parsing of FTP directory listings. These issues do not affect Safari on Mac OS X systems.
  • WebKit -- CVE-2009-2841 -- Available for: Mac OS X (client and server) -- When WebKit encounters an HTML 5 Media Element pointing to an external resource, it does not issue a resource load callback to determine if the resource should be loaded. This may result in undesired requests to remote servers. As an example, the sender of an HTML-formatted email message could use this to determine that the message was read. This issue is addressed by generating resource load callbacks when WebKit encounters an HTML 5 Media Element. This issue does not affect Safari on Windows systems.
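The CORS item above (CVE-2009-2816) is about a preflight that carried the page's own custom headers. A server that acts on such headers regardless of HTTP method would execute them before any cross-origin consent was given. The following is an added example, not code from the article or from Apple/WebKit: a minimal server-side gate, written in Python, that keeps a preflight side-effect free. The header name `X-Action`, the origin `https://app.example` and the sample requests are all constructed for illustration.

```python
# Added example: a CORS gate that never dispatches work from a preflight.
# Header names are assumed already lower-cased by the framework.

ALLOWED_ORIGINS = {"https://app.example"}        # assumption for this example
ALLOWED_HEADERS = {"content-type", "x-action"}   # assumption for this example


def weak_gate(method, headers):
    """Honours the hypothetical X-Action header on ANY method, so a
    preflight that (wrongly) carries it triggers the action before the
    browser has been told whether the cross-origin call is allowed."""
    action = headers.get("x-action")
    if action:
        return ("executed", action)
    return ("ok", None)


def hardened_gate(method, headers):
    """Preflight (OPTIONS + Access-Control-Request-Method) is answered only
    with an allowlist decision; every non-CORS header on it is ignored.
    Actual requests are checked against the origin allowlist before any
    action is dispatched."""
    origin = headers.get("origin", "")
    if method == "OPTIONS" and "access-control-request-method" in headers:
        if origin not in ALLOWED_ORIGINS:
            return ("denied", None)
        raw = headers.get("access-control-request-headers", "")
        requested = {h.strip().lower() for h in raw.split(",") if h.strip()}
        if not requested <= ALLOWED_HEADERS:
            return ("denied", None)
        # Only echo what the browser asked about; X-Action itself is not read.
        return ("preflight-ok", sorted(requested))
    if origin and origin not in ALLOWED_ORIGINS:
        return ("denied", None)
    action = headers.get("x-action")
    if action:
        return ("executed", action)
    return ("ok", None)


# Constructed preflight shaped like the buggy behaviour: the page's custom
# header rides along on the OPTIONS request.
PREFLIGHT_FROM_UNKNOWN_ORIGIN = {
    "origin": "https://evil.example",
    "access-control-request-method": "POST",
    "access-control-request-headers": "x-action",
    "x-action": "delete-account",
}
```

Running both gates on `PREFLIGHT_FROM_UNKNOWN_ORIGIN` shows the difference: the weak gate reports the action as executed, the hardened gate denies the preflight and never reads `x-action`.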

The browser update is being pushed to Mac and Windows systems via Apple's software update utilities. Alternatively, Safari users can download the patches from Apple's download site.

  • "May lead"?

    Whenever I see these kinds of statements, regardless of platform, I always wonder if the "may" in "may lead to arbitrary code execution" is equivalent to the odd, statistically improbable and realistically negligible but observed drug side-effect possibilities, like dry-mouth from eye drops or headaches from suppositories, or whether it's like the "may contain peanuts" warning on the wrapper of a Baby Ruth?

    I'm sure some of these are real (i.e. likely encountered/utilized) threats, but how "maliciously crafted" does an image with "an embedded color profile" have to be? Are we talking about adding a few lines of text in the header of a file or carefully constructing a rigidly-defined binary payload specifically inserted at a particular point in the bitstream? In other words is this a "pwned every time" situation or a case of [i]maybe[/i] a team of 30 Russian PhD candidates with 10 man-years of effort and a Cray could generate a file that if every, single one of 27 necessary conditions were absolutely optimal it works 1 in 3
    • May lead meaning

      They haven't confirmed 100% for sure that it can be done.

      Also, note that all of the code execution vulnerabilities only affect the Windows version.

      Conspiracy by Apple, or is Windows just less
  • no problem for Linux

    as always.
    Linux Geek
    • No Safari on Linux... <NT>

      • therefore, no problem on linux...

        got it?
        • So why mentioning it...

          It's like if they find a security flaw on Synaptic and then your opposing cults say "No problem for Windows/MacOSX".

          it's just stating the obvious.
          • What was the point of your post, Ceridan? You're stating the obvious!

            Don't rail on someone for doing something [i]as you yourself do it[/i].
    • Nor is it a problem for DOS, CP/M and a clay tablet and stick

      Linux, all the features of MS-DOS with fewer applications and less games ;-)
      • your stupidity and ignorance is your problem

        you don't have to show it to the whole world
        • Right on ljenux

          Thanks for clearly illustrating to us all the kind of personality & behavior that only a mother could love and which damages the credibility of Linux & OSS every time you open your mouth/keyboard.

          You're a credit to your cause.

          • You do get that he's a paid MS shill, right?

            His posts are all obvious straw men.
          • The Next/Previous Buttons...

            ...have disappeared AGAIN, after #10 post.
            This happens just too frequently to me only so far on ZDNet.
            Don't know any other way to let ZDNet know.
    • Linux has no problems...really?

      And you have your head firmly implanted up your a$$.
      • Affected by one of those problems..

        When I updated my laptop's Ubuntu install... my touchpad got disabled.... I had to reinstall Ubuntu so it would work again.
        • You sir are a LIAR!

          I'll save ljenux the trouble of having to say it. We all know that Linux is perfect and has never had an error occur. So please stop the FUD. Oh and for good measure I have to say M$, Microsloth, Microshaft, Microsoft Shill, yadda yadda yadda.

          I think that mess right about sums it up.

          $ sudo apt-get install truth
          • ...

            I'm trying to decide if you are trying to make a sarcastic joke or if you're actually idiotic enough to call me a liar on a problem I had... that is documented in an Ubuntu forum post...
          • WOW

            Denial is an ugly thing. Some people get really touchy when defending their deity.
    • Aren't libxml and webkit also for Linux?

      Correct me if I'm wrong, but shouldn't Linux be listed up there as well with regard to libxml and webkit? I'm sure there are people using Chrome on Linux, and libxml is a common library found on just about every *nix distribution out there.
      • Apparently the way it's implemented on *nix is unaffected by this.

  • Again?

    This is the second time Apple has had drive-by download attack vectors...

    I'm glad I don't use that thing on my PC.