Re: US-CERT Confirms New Vulnerability in Safari for Windows



On May 12, 12:00 am, Rupert Bear <rup...@xxxxxxxxxxxxx> wrote:
 From The Mac Observer:

http://tinyurl.com/2dgql5t

Curse and discuss.

US-CERT Confirms New Vulnerability in Safari for Windows

May 11th, 2010 at 8:50 PM News by Bryan Chaffin

A new vulnerability in Safari for Windows has been confirmed by the U.S.
Computer Emergency Readiness Team (US-CERT). The team said it had
confirmed the exploit for the Windows version of Safari 4.0.5, but that
“other versions may also be affected.”

The exploit makes it possible for the bad guys to take over your PC when
the victim pulls up a maliciously crafted HTML document. The research
advisory issued said, “By convincing a victim to view an HTML document
(web page, HTML e-mail, or e-mail attachment) with Apple Safari, an
attacker could run arbitrary code with the privileges of the user
running the application.”

At issue is a problem with how Safari handles references to Window
objects, according to US-CERT. The short version is that Safari can
allow a window within the app to be closed while allowing references to
that window to persist. JavaScript code can then be used to exploit this
reference in such a way that allows the bad guys to control your computer.

Apple has not yet released a patch for the hole, but US-CERT said that
disabling JavaScript could mitigate the exploit. The advisory also
emphasized that users not follow unsolicited links (say in spam e-mail),
but that a trusted site that had been compromised could still include a
hacked Web page that leads to an attack.

US-CERT credited Krystian Kloskowski with disclosing the vulnerability.

I told you iTunes was malware!!!