Safari browser flaw: Session fixation attacks possible

Safari browser flaw: Session fixation attacks possible

Summary: Another day, another unpatched Safari browser vulnerability.According to this flaw warning found on the NVD (National Vulnerability Database), Apple's flagship browser is vulnerable to session fixation attacks because of the way it handles cookies in country-specific top-level domains.

SHARE:

Another day, another unpatched Safari browser vulnerability.

According to this flaw warning found on the NVD (National Vulnerability Database), Apple's flagship browser is vulnerable to session fixation attacks because of the way it handles cookies in country-specific top-level domains.

[ SEE: Microsoft issues Safari-to-IE blended threat warning ]

Heise Security breaks down the attack vector:

 Apple's Safari web browser, when handling cookies in multipart top level domains (TLDs), contains a vulnerability that potentially allows attackers to access the web services used by the victim. Safari handles multipart TLDs like .co.uk or .com.au differently from normal TLDs like .de or .com. According to a report, this allows attackers to inject the browser with a cookie which Safari will subsequently use for log-in authentication at other servers in the same TLD.

Alex "Kuza55," a hacker who appeared at Microsoft's Blue Hat summit, is credited with discovering this Safari vulnerability. It carries a CVSS Base Score of 6.8.

Topics: Security, Apple, Browser, Operating Systems

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

14 comments
Log in or register to join the discussion
  • Oh, but "Apple engineers designed Safari to be secure from day one."

    Day One of 2015 maybe...
    PB_z
  • Ryan, change the title, you'll get more hits

    The title should read: [i]IE browser flaw: Session fixation attacks possible[/i]. Then you'd get 300 talkbacks explaining why we should all switch to Apple. :)
    NonZealot
    • Thats awesome

      I think that is a great line, it shows the arrogance and ignorance of some of the know it all's on here and is so true. "Safari, Secure from Day One". Atleast Microsoft is not a political marketing machine, they actually fix issues and have a real security response team.
      OhTheHumanity
      • That was VERY funny!

        "At least Microsoft is not a political marketing machine, they
        actually fix issues and have a real security response team."

        Absolutely priceless - I almost wet myself laughing!

        You could make a career out of humour like that.
        rahbm
  • Never a big believer in throwing stones..

    ...and glass houses.. and all of that...
    croberts
  • Apple's greatest flaw...

    ..is that they actually believe they are flawless...

    The only thing protecting OSX from the onslaught of viruses and malware is its 2% global market share.
    eMJayy
    • Exactly right

      Rip IE out of Windows. Disable Email. Turn off IIS. Remove FLASH. Remove Java. You'll have a secure system.

      Apple is no different.

      The problem is the complex "Web 2.0" rich media experience we keep being told we need, and then we wonder why there are browser exploits or malware producing websites....
      croberts
  • More ambulance chasing...

    ZDNet is becoming more and more like the evening news.

    They focus on the trivia - how many car crashes, how many fires, but of little value to the public. Now many bugs fixed, DNS poisoning, ad nauseum.

    We each can read the patch release notes if we wish. We do not need someone to summarize them, especially when they have an agenda. It's like someone reading the publicly available Police Blotter pretending to give the news. Sure is easier than doing real research into important topics of the day and reporting intelligently on them.
    The Rationalist
    • True, but ...

      at least it gives NonZealot an opportunity to flaunt his
      relentless AABM (anti anything but MS) zealotry!
      rahbm
  • RE: Safari browser flaw: Session fixation attacks possible

    Apple Mac market share is near 8% now, for those who like facts
    and to whom they matter.
    Chiatzu
    • More like 3.5%

      Guess what - USA <> the world.

      http://community.winsupersite.com/blogs/paul/archive/2008/07/21/mac-worldwide-market-share-hits-3-5-percent-in-q2-2008.aspx
      Surur
  • RE: Safari browser flaw: Session fixation attacks possible

    I find the Safari browser really fast.It respond faster than Firefox or IE.People we spend so much time worried about security and downloading patchs and updates.When is there time to just simply enjoy our computers?We spend hours doing different scans each and everyday.Well maybe not hours.But you get my meaning?I guess this the way of the internet.I been online for several years and there's always something.But need to be reminded that most of these programs are free.
    tgardley
  • RE: Safari browser flaw: Session fixation attacks possible

    Well Zdnet is the Computer evening news,lol
    tgardley
  • RE: Safari browser flaw: Session fixation attacks possible

    I really dont care about the market share.I just want to get on my computer and enjoy what i paid my money for.I dont have to pay for the browsers.They'll never make a perfect browser.Somebody always figuring out ways to hack it or mess it up.No matter what browser we use,there'll always be problems.And it slows the browser response time each and everytime they patch it.
    tgardley