madison

Zero Day

Ryan Naraine and Dancho Danchev
Home / News & Blogs / Zero Day

Unpatched drive-by download flaw in Apple Safari browser

By | May 10, 2010, 8:07am PDT

Summary: The issue is rated “highly critical” because of the risk of remote code execution attacks against Windows users.

A zero-day vulnerability in Apple’s Safari browser could expose millions of Windows users to drive-by download malware attacks.  The flaw is currently unpatched.

According to an alert from Secunia, the issue is rated “highly critical” because of the risk of remote code execution attacks that can lead to complete system takeover.

From the advisory:follow Ryan Naraine on twitter

The vulnerability is caused due to an error in the handling of parent windows and can result in a function call using an invalid pointer. This can be exploited to execute arbitrary code when a user e.g. visits a specially crafted web page and closes opened pop-up windows.

The vulnerability is confirmed in Safari version 4.0.5 for Windows. Other versions may also be affected, the company warned.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

Apple Safari, Flaw, Vulnerability, Apple Inc., Web Browser, Security, Spyware, Adware & Malware, Cyberthreats, Microsoft Windows, Operating Systems, Software, Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback Most Recent of 13 Talkback(s)

  • If any mods are reading this..
    Dear ZDNet please fix your website I can't subscribe to any stories for reply notification, can't see how many people have reccomended an article unless I do so as well, get multiple boxes to type my message in when I try to reply, the page freezes when I try to edit my post, and I can't even vote "No" on any of the polls (nor see the results)! What is this crap? Please put it back to the old version that had none of these problems (which exist in the new version on all browsers!)..
    ZDNet Gravatar
    AzuMao
    10th May 2010
  • Spot on
    I agree with AzuMao.

    Also list users reporting people as spam trying to kill tread discussions (MSCEs you know who you are).
    ZDNet Gravatar
    Richard Flude
    10th May 2010
  • add "WINDOWS ONLY" to that subject
    so people dont waste time thinking this is a non windows issue..........
    ZDNet Gravatar
    bspurloc
    10th May 2010
  • It is an Apple issue
    End of story. Apple is to blame here.
    ZDNet Gravatar
    NonZealot
    10th May 2010
  • Really? You should let Apple know.
    @bspurloc

    Other versions may also be affected, the company warned.
    ZDNet Gravatar
    KTLA
    10th May 2010
  • Other versions
    @KTLA

    Read into it. I believe they mean previous versions.

    Btw, who uses Safari on Windows?
    ZDNet Gravatar
    nix_hed
    10th May 2010
    • Flagged
  • RE: Unpatched drive-by download flaw in Apple Safari browser
    So that leaves us with which browser that is still safe ? Chrome ?
    ZDNet Gravatar
    TxM2xTx
    10th May 2010
  • RE: RE: Interesting article about an Apple flaw
    But the changes to ZDNet layout appear to be important too and there is nowhere to voice opinions about the changes.
    As interesting s the Apple flaw is it affect a minority of blog readers.
    The new page layout on the hand is seen by all and it would appear to be less than a success.
    1. Opera 10.53 renders the page correctly but takes a long time. Also it crashes occasionally (when scrolling) with many CSS errors logged and a Java errors (advert related)
    2. Firefox fails to render the page accurately, buttons missing, overlapping print, advert are very jerky. Reloading the page causes the faulty artifacts to change to different location or page to freeze. Error Console logs many CSS page errors and Java errors.
    ZDNet Gravatar
    Agnostic_OS
    10th May 2010
  • RE: for the windows users who don't play well with others....
    don't hate the apple users, it's non productive. We are here, we also can read, and even if we are 'minority' readers, there are certainly enough of us to warrant publishing content that is useful to us.

    I'm sure there are plenty of blogs, groups, subscriptions etc out there that are windows only.

    Finally, as my mother in law used to say, if you don't like it, throw a rock at it.
    By the way, I don't have a problem with the new layout at all. Using safari on a macbook pro. Interesting.
    ZDNet Gravatar
    Nunya Bizniss
    10th May 2010
  • RE: Unpatched drive-by download flaw in Apple Safari browser
    Seems the smoke and mirrors are cracking. Welcome to "I'm a PC."
    ZDNet Gravatar
    trust2112@...
    10th May 2010
  • RE: Unpatched drive-by download flaw in Apple Safari browser
    lots of us windows users use safari, its a good browser choice
    ZDNet Gravatar
    crazydave789
    12th May 2010
  • RE: Unpatched drive-by download flaw in Apple Safari browser
    Wow....deja vu...Safari Drive by Download attack on windows.

    And for the record, this is not a Windows issue, it is an apple Safari issue. Blaming this on Microsoft is just like the people who blamed linux for the vodafone/mariposa thing. It's just not true. Apple wrote the bad code here, it's their goof....again.
    ZDNet Gravatar
    TheLightcosine
    19th May 2010
  • RE: Unpatched drive-by download flaw in Apple Safari browser
    Great!! ! thanks for sharing this information to us!
    sesli sohbet sesli chat
    ZDNet Gravatar
    efsane
    9th Apr

Talkback - Tell Us What You Think

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
Click Here
Click Here

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
Click Here