"It's a huge update," Peter James, spokesman at Mac security vendor Intego, told SCMagazineUS.com. "It covers a lot of things. It makes you wonder why some of them weren't fixed earlier."

The vulnerabilities are present in components such as CFNetwork, CoreGraphics, ImageIO, International Components for Unicode, libxml, Safari, Safari Windows Installer, and WebKit, according to Apple's security notes for Safari 4.0. Many of the vulnerabilities affect Safari on both Windows and Mac operating systems.

Graham Cluley, senior technology consultant at security vendor Sophos, told SCMagazineUS.com in an email that in terms of the number of fixes, this is one of the biggest security updates seen in some time from Apple. He added that the vulnerabilities are varied in their impact and some are "extremely critical."

"For instance, some flaws, if left unpatched, would allow hackers to craft malicious graphic files that when viewed in the browser would allow dangerous code to be executed on the surfer's computer," Cluley said. In addition, if exploited, some of the vulnerabilities could enable an attacker to bypass security restrictions or conduct cross-site scripting attacks.

More than half of the vulnerabilities fixed in the Safari update were present in WebKit, an open-source application framework that Safari uses. According to Apple, one of the vulnerabilities fixed in WebKit, affecting both Windows and Mac Safari users, could have allowed "clickjacking" attacks, a trick that lures a user into clicking a malicious, invisible button, thinking they are clicking on something else. Using this technique, an attacker may be able to manipulate a user into carrying out unintended actions, like making a purchase, Apple said.

Cluley said that some of the vulnerabilities fixed with this update are more than three years old. A cross-site scripting flaw in WebKit (CVE-2006-2783) was first reported and patched in Firefox in 2006, he said. In addition, a memory access issue in WebKit (CVE-2008-4231) was originally found last year in the iPhone version of Safari, but was now revealed to be an issue for Windows and Mac Safari users too, he added.

Intego's James agreed: "It can be a little bit surprising that they didn't address any of these issues earlier," he said. "These aren't things that popped up within a few weeks."

Security firm Secunia rated the vulnerabilities "highly critical," or a four out of five on its severity rating scale. US-CERT also encouraged users to upgrade to Safari 4.0 to mitigate the risks of these vulnerabilities.

See original article on scmagazineus.com