Apple Safari jumbo patch: 50+ vulnerabilities fixed

Apple has shipped a whopper of a Safari browser update to fix more than 50 vulnerabilities, some rated extremely critical.

The latest fixes, available in the new Safari 4.0, correct a wide range of code execution and denial-of-service vulnerabilities and even include a fix for the vexing "clickjacking" issues plaguing modern Web browsers.

Several proof-of-concept examples of clickjacking, also known as UI redressing, show how clicks on one Web page can actually apply to clicks on a page that’s invisible to the end user. It is a problem that affects all the major Web browsers and it appears Apple is pushing out a fix for Mac and Windows users.

  • WebKit (CVE-2009-1681): A design issue exists in the same-origin policy mechanism used to limit interactions between websites. This policy allows websites to load pages from third-party websites into a subframe. This frame may be positioned to entice the user to click a particular element within the frame, an attack referred to as "clickjacking". A maliciously crafted website may be able to manipulate a user into taking an unexpected action, such as initiating a purchase. This update addresses the issue through adoption of the industry-standard 'X-Frame-Options' extension header, that allows individual web pages to opt out of being displayed within a subframe.
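
As an added illustration (not taken from Apple's advisory or from WebKit), the sketch below models how a browser that honours X-Frame-Options decides whether a page may render in a subframe, then lists which sample responses another site could still frame. The function names, the constructed sample URLs and the parent-only origin comparison are assumptions of this example.

```javascript
// Simplified model of X-Frame-Options handling; all names here are hypothetical.
// Assumption: only the immediate parent frame's origin is compared.

// Normalise the header to "deny", "sameorigin", or null (page did not opt out).
function parseFramePolicy(headers) {
  // HTTP header names are case-insensitive.
  const name = Object.keys(headers).find(k => k.toLowerCase() === 'x-frame-options');
  if (name === undefined) return null;
  const values = String(headers[name])
    .split(',')
    .map(v => v.trim().toLowerCase())
    .filter(Boolean);
  const known = values.filter(v => v === 'deny' || v === 'sameorigin');
  if (known.length === 0) return null;          // unrecognised value: no protection
  if (new Set(values).size > 1) return 'deny';  // conflicting values: fail closed
  return known[0];
}

// May `pageUrl` be rendered inside a frame hosted by `parentUrl`?
function mayRenderInFrame(headers, pageUrl, parentUrl) {
  const policy = parseFramePolicy(headers);
  if (policy === null) return true;   // never opted out: any site can frame it
  if (policy === 'deny') return false;
  return new URL(pageUrl).origin === new URL(parentUrl).origin;
}

// Constructed sample responses (not real traffic).
const SAMPLE_RESPONSES = [
  { url: 'https://shop.example/checkout', headers: { 'Content-Type': 'text/html' } },
  { url: 'https://shop.example/account', headers: { 'x-frame-options': 'SAMEORIGIN' } },
  { url: 'https://shop.example/pay', headers: { 'X-Frame-Options': 'DENY' } },
  // Misspelled value: the header is present but gives no protection.
  { url: 'https://shop.example/help', headers: { 'X-Frame-Options': 'SAME-ORIGIN' } },
];

// Return the URLs that a page on another origin could still load in a subframe.
function framableByThirdParty(responses, thirdPartyUrl) {
  return responses
    .filter(r => mayRenderInFrame(r.headers, r.url, thirdPartyUrl))
    .map(r => r.url);
}

console.log(framableByThirdParty(SAMPLE_RESPONSES, 'https://other.example/'));
```

The misspelled header on the last sample is the case worth checking for in an audit: the header is sent, yet the page is as framable as one that sends nothing.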

The latest Safari refresh also fixes five documented code execution issues in CoreGraphics (all could lead to complete computer takeover attacks); an ImageIO issue that could be exploited via maliciously crafted PNG images; 5 flaws in libxml; and a variety of WebKit vulnerabilities that affect Safari on both Mac and Windows systems.

Talkback

  • Of interest

    Advisory here:

    http://support.apple.com/kb/HT3613

    TippingPoint's Zero Day Initiative credited with three CVEs.

    The big headline one exploiting SVG animation elements:
    CVE-ID: CVE-2009-1709
    Richard Flude
  • Anyone want to bet

    on which vendor will take the top spot of most vulnerable 2009? With this speed Apple is clearly going for the gold.
    honeymonster
    • The most vulnerable or fixed the most vulnerabilities?

      The most vulnerable will be the same in 2009 as previously. Measure
      them by the number exploited.
      Richard Flude
      • I love that spin

        Naturally when you fix 50+ vulns there now are 50 less vulnerabilities. So that must be good, right? (except when it's Microsoft).

        But what does it say about a product (or even a vendor) with sustained during 3+ years many times over the vulnerabilities?

        Because that is the situation with Apple.

        Double standards and apologies.
        honeymonster
        • And yet

          still nothing significant in the wild. Interesting. Perhaps the "potential"
          exploits aren't so easily translated into actual exploits.
          frgough
          • Ah, the secret sauce of OSX

            which magically makes it invulnerable to gaping vulnerabilities.

            "Perhaps the "potential" exploits aren't so easily translated into actual exploits."

            Aware of the still gapingly open Java Data class deserialization bug in OSX Java?

            That vulnerability affects 99% of macs, namely every single mac where the admin hasn't explicitly disabled Java.

            That vulnerability has a public proof-of-concept exploit. It will run any code or app of the attacker's choice on your mac.

            There is no secret sauce protecting against that one. Information about it has been public for 6+ months.

            Still no exploit. Is there any other explanation than the fact that the bad guys still don't bother?

            Security on OSX is still a function of obscurity. It is certainly not a function of software quality (as evidenced by the number of vulnerabilities) or of due diligence by the vendor (as demonstrated by the lag attitude towards the Java bug).

            There is no secret sauce. Wake up.

            OSX is the operating system with the fewest and most poorly implemented anti-exploit mechanisms.

            OSX is the operating system with consistently more vulnerabilities than any other OS.
            honeymonster
          • Or maybe they can't

            Beyond the testing labs...

            "Still no exploit. Is there any other explanation than the fact that the bad guys still don't bother."
            Wintel BSOD
          • Not a wee bit concerned

            that attackers can start any application on your mac and run any code in the background?

            Ignorance is knee-deep in here.

            honeymonster
          • Well let's see it happen

            And quit the fear mongering speculation. If I really believed you were concerned, you'd be writing to Apple about this.

            Right? ;)
            Wintel BSOD
          • Sure they are. Given sufficient incentive.

            PWN2OWN demonstrated that, given sufficient incentive, OS X falls first.
            ye
          • The incentive's already there

            With almost 10% of the market, there's millions to be made off that. Untouched.

            Gee, maybe they're having difficulties...

            lol... :D
            Wintel BSOD
        • Actually it's basic English comprehension

          The number of fixed vulnerabilities does not equate to how vulnerable an
          OS is. It only shows how potentially vulnerable the OS was (potentially
          because the vulnerabilities may never have been exploited or indeed
          exploitable).

          Publicly disclosed vulnerabilities that haven't been fixed, number of
          exploits, their severity, attack surface, and number of attackers will
          give you a much better indication of how vulnerable your OSes are. Easier
          still is the number of exploited machines.

          What is spin to the MSCE is actually just basic English comprehension.
          Many factors need to be reviewed for security, the simplistic analysis
          common on ZDNet is not sufficient.

          Apple needs to improve its security. I have never claimed otherwise,
          but this by itself doesn't make it more vulnerable than the alternatives.
          Richard Flude
          • Apple reality distortion field

            Many Apple vulnerabilities good, because it shows that there now are many fewer vulnerabilities.

            Many Apple vulnerabilities for many years good, because now we have many, many fewer vulnerabilities left.

            Good thing that Apple had the foresight to put in so many vulnerabilities from the start so that they could keep this special Apple security going for years.
            honeymonster
          • Which says absolutely nothing...

            ...other than your bitterness towards a minority OS that you probably don't know how to use.
            Wintel BSOD
          • The truth hurts. But you will get over it. (nt)

            honeymonster
          • What truth?

            That you're here to spread FUD.

            Well no doubt about that...
            Wintel BSOD
          • Reality Hurts!

            I work with both - I service both... Have been around both the industry for 20+ years... So enough with the 'you talk trash about the Mac and probably don't even know how to use one' garbage you throw at people who disagree with you...

            Is a Yugo 'more secure' just because it has been stolen fewer times than a Mercedes? (no, I'm not calling Mac a Yugo and Windows a Mercedes - and if you think that is the point then please stop reading now because all that sand packed in the hole along with your head is distorting your view... Please read on for the sake of security with a tinge of logic and set aside your 'love' for Mac and 'hatred' for Windows)

            Mac users believe they are invulnerable... They need to get over it... No one is saying that 'Windows is 100% secure'... what they are saying is that 'if an OS can be created it can be hacked' and so can a browser... If you don't believe that then learn to program and see for yourself...

            Would you leave your doors unlocked just because your has never been vandalized in the past?

            When someone says '10% of the market is Mac and no attacks so it must be impossible' they are being ignorant... They need to bear in mind that 10% Mac means 90% 'something else' - which is more profitable and/or 'fun' for the hacker - 10% or 90%?

            Accept reality - I don't hate Macintosh, I don't think Windows is perfect... I just live in reality where security is not based on 'I feel safer' but rather 'I understand the risks on all sides and do what I feel reasonable to mitigate them'...

            Use whichever platform you like but don't stick your head in the sand about security just because you've not been hit...

            Question - since you obviously use a Mac and you likely don't use AV or any other security software how do you know you've not been hit?

            Does not knowing the answer to that question help you sleep at night?

            And on the flip side...

            I've seen Windows users that have never had AV or any security software since day 1 and on checks of their system they are perfectly clean - does that 'prove' that their Windows system is safer than any other system out there? I still recommend to them that they get some security software. I've also seen systems with all the protection and still got hit. Though I will observe that seems to prove that 'habits' can be an excellent security feature - and that ignorance (a false sense of security - like believing any computer is 'hack proof') is a very dangerous thing.
            kjpino
          • Again, what reality?

            "I work with both - I service both... Have been around both the industry for 20+ years..."

            Sure ya do, uh-huh....

            "So enough with the 'you talk trash about the Mac and probably don't even know how to use one' garbage you throw at people who disagree with you..."

            LOL... Look who's talking.

            "Is a Yugo 'more secure' just because it has been stolen fewer times than a Mercedes? (no, I'm not calling Mac a Yugo and Windows a Mercedes -"

            Uh, when I see Apples being attacked on the same level as Windoze (as you Windoze fanboys claim it is), then I'll take your word for it. Until then, it's all pie in the sky controlled experiments. Glad to see Apple is acting on plugging some of those vulnerabilities, though...

            Btw, I don't use an Apple on a regular basis, so I have no personal stake in this.

            "Please read on for the sake of security with a tinge of logic and set aside your 'love' for Mac and 'hatred' for Windows)"

            As opposed to your 'love' for Windoze and your 'hatred' of the Mac?

            ;)

            "Mac users believe they are invulnerable... They need to get over it..."

            What do you care? Are you a Mac user?

            If you aren't, then we already know where this is coming from. The tired old honeymonster approach.

            If you are, then maybe you should be writing to Apple about this or posting your concerns on their forums or at MacWorld's. I'm sure they'll appreciate it.

            "Would you leave your doors unlocked just because your has never been vandalized in the past?"

            Would you really care if I did?

            "When someone says '10% of the market is Mac and no attacks so it must be impossible' they are being ignorant... They need to bear in mind that 10% Mac means 90% 'something else' - which is more profitable and/or 'fun' for the hacker - 10% or 90%?"

            Yes, the same old FUD security by obscurity approach. Only now you're going to tell me there aren't millions to be made even by attacking that 10%

            Let me tell you something. There's millions to be made off that 10%, only the script kiddies don't know how. Otherwise they would have done it by now. So give it a rest.

            "Question - since you obviously use a Mac and you likely don't use AV or any other security software how do you know you've not been hit?"

            How do I know I am. And as I said, I'm not a regular Mac user, although I do recommend that users download all the patches Apple releases.

            "Does not knowing the answer to that question help you sleep at night?"

            That doesn't matter to me. What does matter are the lies being spread here by Windoze shills who feel very threatened by Apple and Linux. That's a good thing. It means the 'insignificant' minority is having an impact. ;)

            "- and that ignorance (a false sense of security - like believing any computer is 'hack proof') is a very dangerous thing."

            Again, what do you care? Shame on me. If I don't secure my machine properly then that's my fault, not yours. Ok?
            Wintel BSOD
          • Keep freaking, Windows geeks...

            It just illustrates how far Apple has come and how scared you are of it.
            comp_indiana
        • How is it spin?

          I don't care how many vulnerabilities are
          found as long as they are fixed quickly - this
          goes for Microsoft and Apple. These security
          problems cannot be avoided unless we suddenly
          (and magically) started using safe languages
          that avoid all these security problems. Until
          that day occurs, we'll be stuck with security
          problems and vendors racing to fix them up as
          they arise.

          Microsoft since Windows XP SP2 have been on the
          ball and Apple have too with the employment of
          a new security tsar. I don't know why you need
          to fester up hate given that Microsoft wasn't
          mentioned by anyone else except by you.
          Kaiwai