Monday, May 10, 2010

Apple Safari 0-day flaw found

Multiple reports on this today. The only Windows users whom I've seen with Safari were those unfortunates who got tricked into installing it by the Apple iTunes or QuickTime updating software. You're best off, IMHO, uninstalling Safari completely and using either Firefox or ChromePlus. Additional info can be found at links in the following articles:

Critical zero-day flaw found in Apple's Safari browser - SC Magazine US
A “highly critical” zero-day vulnerability has been discovered in Apple's Safari web browser, according to Danish vulnerability tracking firm Secunia.

The code execution vulnerability, revealed Friday, affects the current version (4.0.5) of Safari for Windows and could allow an attacker to compromise a user's system. Other versions of the browser could also be affected.

Unpatched drive-by download flaw in Apple Safari browser | ZDNet
A zero-day vulnerability in Apple’s Safari browser could expose millions of Windows users to drive-by download malware attacks. The flaw is currently unpatched.

According to an alert from Secunia, the issue is rated “highly critical” because of the risk of remote code execution attacks that can lead to complete system takeover.

US-CERT Current Activity: Apple Safari Vulnerability
added May 10, 2010 at 10:57 am

US-CERT is aware of a vulnerability affecting Apple Safari. By convincing a user to open a specially crafted web page, an attacker may be able to execute arbitrary code. Exploit code for this vulnerability is publicly available.

US-CERT encourages users and administrators to disable JavaScript as detailed in the Securing Your Web Browser document until a fix is provided by the vendor. Additional information regarding this vulnerability can be found in the Vulnerability Notes Database.

US-CERT will provide additional information as it becomes available.
