ie8 fix
madison

Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev
Home / News & Blogs / Zero Day

Apple Safari jumbo patch: 50+ vulnerabilities fixed

By | June 8, 2009, 1:17pm PDT

Summary: Apple has shipped a whopper of a Safari browser update to fix more than 50 vulnerabilities, some rated extremely critical. The latest fixes, available in the new Safari 4.0, corrects a wide range of code execution and denial-of-service vulnerabilities and even comes with a fix for the vexing “clickjacking” issues plaguing modern Web browsers. [ SEE: Webcam [...]

Apple has shipped a whopper of a Safari browser update to fix more than 50 vulnerabilities, some rated extremely critical.

The latest fixes, available in the new Safari 4.0, corrects a wide range of code execution and denial-of-service vulnerabilities and even comes with a fix for the vexing “clickjacking” issues plaguing modern Web browsers.

[ SEE: Webcam hijack demo highlights clickjacking threat ]

Several proof-of-concept examples of clickjacking, also known as URI redressing, show how clicks on one Web page can actually apply to clicks on page that’s invisible to the end user. It is a problem that affects all the major Web browsers and it appears Apple is pushing out a fix for Mac and Windows users.

how clicks on one Web page can actually apply to clicks on page that’s invisible to the end user.

  • WebKit (CVE-2009-1681): A design issue exists in the same-origin policy mechanism used to limit interactions between websites. This policy allows websites to load pages from third-party websites into a subframe. This frame may be positioned to entice the user to click a particular element within the frame, an attack referred to as “clickjacking”. A maliciously crafted website may be able to manipulate a user into taking an unexpected action, such as initiating a purchase. This update addresses the issue through adoption of the industry-standard ‘X-Frame-Options’ extension header, that allows individual web pages to opt out of being displayed within a subframe.

The latest Safari refresh also fixes five documented several code execution issues in CoreGraphics (all could lead to complete computer takeover attacks); an ImageIO issue that could be exploited via maliciously crafted PNG images; 5 flaws in libxml; and a variety of WebKit vulnerabilities that affect Safari on both Mac and Windows systems.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

Apple Macintosh, Microsoft Windows XP, Update, Microsoft Windows Vista, Mac OS X Server, Server, Apple Inc., Microsoft Windows, Issue, Web Site, Arbitrary Code Execution, AppleSafari 4.0, Description, Application Termination, Safari 4.0, Apple Mac OS X, Apple Mac OS, Operating Systems, Software, Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Related Discussions on TechRepublic

Did you know you can take part in these discussions with your ZDNet membership?
Ask a Question Start a Discussion
36
Comments
Add Your Opinion

Join the conversation!

Just In

RE: Apple Safari jumbo patch: 50 vulnerabilities fixed
birumut Updated - 2nd May 2011
Great!!! thanks for sharing this information to us!
seslisohbet seslichat
View in thread
0 Votes
+ -
Of interest
Richard Flude 8th Jun 2009
Advisory here:

http://support.apple.com/kb/HT3613

TippingPoint's Zero Day Initiative credited with three CVE's.

The big headline one exploiting SVG animation elements:
CVE-ID: CVE-2009-1709
0 Votes
+ -
Anyone want to bet
honeymonster 8th Jun 2009
on which vendor will take the top spot of most vulnerable 2009? With this speed Apple is clearly going for the gold.
0 Votes
+ -
The most vulnerable or fixed the most vulnerabilities?
Richard Flude 8th Jun 2009
The most vulnerable will be the same in 2009 as previously. Measure
them by the number exploited.
0 Votes
+ -
I love that spin
honeymonster Updated - 8th Jun 2009
Naturally when you fix 50+ vulns there now are 50 less vulnerabilities. So that must be good, right? (except when it's Microsoft).

But what does it say about a product (or even a vendor) with sustained during 3+ years many times over the vulnerabilities?

Because that is the situation with Apple.

Double standards and apologies.
0 Votes
+ -
And yet
frgough 8th Jun 2009
still nothing significant in the wild. Interesting. Perhaps the "potential"
exploits aren't so easily translated into actual exploits.
0 Votes
+ -
Ah, the secret sauce of OSX
honeymonster Updated - 8th Jun 2009
which magically makes it invulnerable to gaping vulnerabilities.

" Perhaps the "potential" exploits aren't so easily translated into actual exploits. "

Aware of the still gapingly open Java Data class deserialization bug in OSX Java?

That vulnerability affects 99% of macs, namely every single mac where the admin hasn't explicitly disabled Java.

That vulnerability has a public proof-of-concept exploit. It will run any code or app by the attackers choice on your mac.

There is no secret sauce protecting against that one. Information about it has been public for 6+ months.

Still no exploit. Is there any other explanation than the fact that the bad guys still don't bother.

Security on OSX is still a function of obscurity. It is certainly not a function of software quality (as evidenced by the number of vulnerabilities) or of due diligence by the vendor (as demonstrated by the lag attitude towards the Java bug).

There is no secret sauce. Wake up.

OSX is the operating system with the fewest as most poorly implemented anti-exploit mechanisms.

OSX is the operating system with consistently more vulnerabilities than any other OS.
0 Votes
+ -
Or maybe they can't
Wintel BSOD 9th Jun 2009
Beyond the testing labs...

Still no exploit. Is there any other explanation than the fact that the bad guys still don't bother.
0 Votes
+ -
Not a wee bit concerned
honeymonster 9th Jun 2009
that attackers can start any application on your mac and run any code in the background?

Ignorance is knee-deep in here.

0 Votes
+ -
Well let's see it happen
Wintel BSOD 9th Jun 2009
And quit the fear mongering speculation. If I really believed you were concerned, you'd be writing to Apple about this.

Right? wink
0 Votes
+ -
Sure they are. Given sufficient incentive.
ye 9th Jun 2009
PWN2OWN demonstrated that, given sufficient incentive, OS X falls first.
0 Votes
+ -
The incentive's already there
Wintel BSOD 9th Jun 2009
With almost 10% of the market, there's millions to be made off that. Untouched.

Gee, maybe they're having difficulties...

lol... grin
0 Votes
+ -
Actually it's basic English comprehension
Richard Flude Updated - 8th Jun 2009
The number of fixed vulnerabilities not not equate how vulnerable an
OS is. It only shows how potentially vulnerable the OS was (potentially
because the vulnerabilities may never have been exploited or indeed
exploitable).

Publicly disclosed vulnerabilities that haven't been fixed, number of
exploits, their severity, attack surface, and number of attackers will
give you a much better indication how vulnerable is your OSes. Easier
still is the number of exploited machines.

What is spin to the MSCE is actually just basic English comprehension.
Many factors need to be reviewed for security, the simplistic analysis
common on ZDNet is not sufficient.

Apple needs to improve it's security. I have never claimed otherwise,
but this by itself doesn't make it more vulnerable than the alternatives.
0 Votes
+ -
Apple reality distortion field
honeymonster 8th Jun 2009
Many Apple vulnerabilities good, because it shows that there now are many fewer vulnerabilities.

Many Apple vulnerabilities for many years good, because now we have many, many fewer vulnerabilities left.

Good thing that Apple had the foresight to put in so many vulnerabilities from the start so that they could keep this special Apple security going for years.
0 Votes
+ -
Which says absolutely nothing...
Wintel BSOD 9th Jun 2009
...other than your bitterness towards a minority OS that you probably don't know how to use.
0 Votes
+ -
The truth hurts. But you wil et over it. (nt)
honeymonster 9th Jun 2009
0 Votes
+ -
What truth?
Wintel BSOD 9th Jun 2009
That your hear to spread FUD.

Well no doubt about that...
0 Votes
+ -
Reality Hurts!
kjpino 10th Jun 2009
I work with both - I service both... Have been around both the industry for 20+ years... So enough with the 'you talk trash abou the Mac and probably don't even know how to use one' garbage you throw at people who disagree with you...

Is a Yugo 'more secure' just because it has been stolen fewer times than a Mercedes? (no, I'm not calling Mac a Yugo and Windows a Mercedes - and if you think that is the point then please stop reading now because all that sand packed in the hole along with your head is distorting your view... Please read on for the sake of securtiy with a tinge of logic and set aside your 'love' for Mac and 'hatred' for Windows)

Mac users believe they are invulnerable... They need to get over it... No one is saying that 'Windows is 100% secure'... what they are saying is that 'if an OS can be created it can be hacked' and so can a browser... If you don't believe that then learn to program and see for yourself...

Would you leave your doors unlocked just because your has never been vandalized in the past?

When someone says '10% of the market is Mac and no attacks so it must be impossible' they are being ignorant... They need to bear in mind that 10% Mac means 90% 'something else' - which is more profitable and/or 'fun' for the hacker - 10% or 90%?

Accept reality - I don't hate Macintosh, I don't think Windows is perfect... I just live in reality where security is not based on 'I feel safer' but rather 'I understand the risks on all sides and do what I feel reasonable to mitigate them'...

Use whichever platform you like but don't stick your head in the sand about security just because you've not been hit...

Question - since you obviously use a Mac and you likely don't use AV or any other security software how do you know you've not been hit?

Does not knowing the answer to that question help you sleep at night?

And on the flip side...

I've seen Windows users that have never had AV or any security software since day 1 and on checks of their system they are perfectly clean - does that 'prove' that their Windows system is safer than any other system out there? I still recommend to them that they get some security software. I've also seen systems with all the protection and still got hit. Though I will observe that seems to prove that 'habits' can be an excellent securtiy feature - and that ignorance (a false sense of security - like believing any computer is 'hack proof') is a very dangerous thing.
0 Votes
+ -
Again, what reality?
Wintel BSOD 10th Jun 2009
I work with both - I service both... Have been around both the industry for 20+ years...

Sure ya do, uh-huh....

So enough with the 'you talk trash abou the Mac and probably don't even know how to use one' garbage you throw at people who disagree with you...

LOL... Look who's talking.

Is a Yugo 'more secure' just because it has been stolen fewer times than a Mercedes? (no, I'm not calling Mac a Yugo and Windows a Mercedes -

Uh, when I see Apples being attacked on the same level as Windoze (as you Windoze fanboys claim it is), then I'll take your word for it. Until then, it's all pie in the sky controlled experiments. Glad to see Apple is acting on plugging some of those vulnerabilities, though...

Btw, I don't use an Apple on a regular basis, so I have no personal stake in this.

Please read on for the sake of securtiy with a tinge of logic and set aside your 'love' for Mac and 'hatred' for Windows)

As opposed of your 'love' for Windoze and your 'hatred' of the Mac?

wink

Mac users believe they are invulnerable... They need to get over it...

What do you care? Are you a Mac user?

If your aren't, then we already know where this is coming from. The tired old honeymonster approach.

If you are, then maybe you should be writing to Apple about this or posting your concerns on their forums or at MacWorld's. I'm sure they'll appreciate it.

Would you leave your doors unlocked just because your has never been vandalized in the past?

Would you really care if I did?

When someone says '10% of the market is Mac and no attacks so it must be impossible' they are being ignorant... They need to bear in mind that 10% Mac means 90% 'something else' - which is more profitable and/or 'fun' for the hacker - 10% or 90%?

Yes, the same old FUD security by obscurity approach. Only now you're going to tell me there aren't millions to be made even by attacking that 10%

Let me tell you something. There's millions to be made off that 10%, only the script kiddies don't know how. Otherwise they would have done it by now. So give it a rest.

Question - since you obviously use a Mac and you likely don't use AV or any other security software how do you know you've not been hit?

How do I know I am. And as I said, I'm not a regular Mac user, although I do recommend that users download all the patches Apple releases.

Does not knowing the answer to that question help you sleep at night?

That doesn't matter to me. What does matter are the lies being spread here by Windoze shills who feel very threatened by Apple and Linux. That's a good thing. It means the 'insignificant' minority is having an impact. wink

- and that ignorance (a false sense of security - like believing any computer is 'hack proof') is a very dangerous thing.

Again, what do you care? Shame on me. If I don't secure my machine properly then that's my fault, not yours. Ok?
0 Votes
+ -
Keep freaking, Windows geeks...
comp_indiana 10th Jun 2009
It just illustrates how far Apple has come and how scared you are of it.
0 Votes
+ -
How is it spin?
Kaiwai 9th Jun 2009
I don't care about many vulnerabilities are
found as long as they are fixed quickly - this
goes for Microsoft and Apple. These security
problems cannot be avoided unless we suddenly
(and magically) started using safe languages
that avoids all these security problems. Until
that day occurs, we'll be stuck with security
problems and vendors racing to fix them up as
they arise.

Microsoft since Windows XP SP2 have been on the
ball and Apple have too with the employment of
a new security tsar. I don't know why you need
to fester up hate given that Microsoft wasn't
mentioned by anyone else except by you.
0 Votes
+ -
Why bet?
zkiwi 8th Jun 2009
It's not like your whining will somehow magically decrease the number of exploited windows systems.
0 Votes
+ -
RE: Apple Safari jumbo patch: 50 vulnerabilities fixed
M.R. Kennedy 8th Jun 2009
Does this mean that Safari 4.0 is now almost as secure as Internet Explorer 6?
0 Votes
+ -
Appreciate the clear approach this time, Ryan
Narr vi 8th Jun 2009
Thank you.

Regards,
Narr Vi
0 Votes
+ -
But, But the apple OS was touted as secure
The 'G-Man.' 9th Jun 2009
Oh fear!
0 Votes
+ -
True, true
Michael Alan Goff 11th Jun 2009
Now, allow me to explain how it might or might
not still be touted as that. (I really don't
know if it is, but this doesn't prove or
disprove anything.)

Look at the article title, and you will see
that it says "50 vulnerabilities patched".
Normally, people would say those words mean
that an OS is insecure/should be
destroyed/deserves bashing. Whatever floats
their boat.

However, and this is key, those are potential
exploits. And while it would be a good idea to
adopt a patch-as-they're-found policy, which
Apple seems to dislike, that doesn't mean that
they -will- be exploited. Now, if there is a
large number of exploits that are exploited, I
would see the argument. When something bad
actually happens, THEN we can say that it isn't
secure.

Aside from that, and just a note, I would
rather use Ubuntu. I don't have to spend
1000$/hack the OS/have a rich relative to use
that. Hell, I've never even used OSX to be
honest, I just know that "vulnerabilities" ate
only "possibilities", and in the end a smart
user won't be taken by them. "Security by using
your brain"
0 Votes
+ -
Agreed - almost 100%
kjpino 11th Jun 2009
I agree - and as I said in my previous post which someone chose to attack personally rather than debate the facts - security is first a personal issue in that you have to be aware and cautious... on that I aboslutely agree with you in your point that they are only potential exploits and the security by the brain is always a great idea...

I would only add that an exploit not having been exploited being used to call something 'safer' is a bit of a stretch... Just because no one ever robbed your house even though you leave your door unlocked does not make leaving your door unlocked safe...

It is a point of verbage but one I thought worth making...

But YES - you are right... The fact that they patch vulnerabilities is no reason to bash Mac - it's a good system... having to fix something doesn't make something bad... just means they are making it even better... nuttin' wrong with that at all...

Many people love their cars - even ones that have had recalls...
0 Votes
+ -
Clarification, please.
msalzberg Updated - 9th Jun 2009
Are these 50 vulnerabilities in the beta, and have been
fixed for today's release of Safari 4? I downloaded the final
version, and see no patches available for it.

If that's the case, you should have made it clear, and perhaps even
included a link to Apple's page about it.

Printing half a story is worse than printing none at all.
0 Votes
+ -
If the fixes are for Safari 4 specifically
use_what_works_4_U 9th Jun 2009
Then yes, it is the transition from a beta product to a full release version. You should expect huge differences in a case like this.

What I would like to know is whether any of these 50 vulnerabilities were still open, previously closed, or just closed for Safari 3?
0 Votes
+ -
As far as I can tell...
msalzberg 9th Jun 2009
these are specifically Safari 4 beta issues.
0 Votes
+ -
Link
honeymonster 9th Jun 2009
http://support.apple.com/kb/HT3613

As far as I can deduce this is a bulletin which describes the vulnerabilities fixed going from beta to release.
0 Votes
+ -
Thanks for the link.
msalzberg 9th Jun 2009
It would have been nice if the author had provided it.
0 Votes
+ -
Safari 3.2 bugs
Kaiwai 9th Jun 2009
I have a feeling that many of those security
issues also exist in Safari 3.2 as well. So far
Safari 4 has been incredibly stable so there is no
need to 'wait' for the fall out that normally
comes with new software
0 Votes
+ -
RE: Apple Safari jumbo patch: 50 vulnerabilities fixed
phatkat 9th Jun 2009
At least they fix those vulnerabilities.
All thing made by human beings are not perfect and there will be vulnerabilities to all operating systems whether it be known and yet to be discovered. It is most important to fix the vulnerabilities that could do the most damage to operating system and leave the operating system or software vulnerable to unauthorized personnel and those who can find and fix these vulnerabilities fastest is important.
However there are only so much time and resources you can devote to test the operating system or software before you need to release it for production so you will have some things not tested a people outside the company will find these vulnerabilities. Now the good person will report these vulnerabilities to the developer to allow them to patch it but the bad guys will exploit the vulnerabilities for maximum gain to harm as many people they want. It is important for the developer to patch crucial vulnerabilities ASAP to prevent damage to customer's systems and bad PR.
Comparing who operating system is more secure is no so simple as for what is vulnerabilities have been found or patched.
0 Votes
+ -
RE: Apple Safari jumbo patch: 50 vulnerabilities fixed
rparker009 10th Jun 2009
Wow for a "safer" os. they are having more patches than Ms
0 Votes
+ -
RE:RE: Apple Safari jumbo patch: 50 vulnerabilities fixed
EmperorDarius 11th Jun 2009
And yet it is still safer.
0 Votes
+ -
RE: Apple Safari jumbo patch: 50 vulnerabilities fixed
birumut Updated - 2nd May 2011
Great!!! thanks for sharing this information to us!
seslisohbet seslichat

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix
Click Here
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix
ie8 fix