We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Safari flaw leaves PCs open to hackers

PCs could be compromised with 'drive-by' attacks

A flaw in Apple's Safari browser could allow attackers to infect Windows PCs with malicious code.

Researchers at US-CERT and other security firms that identified the bug, also said hackers could compromise PCs with simple 'drive-by' attack tactics.

The vulnerability, first reported by Danish vulnerability tracker Secunia and confirmed by the United States Computer Emergency Readiness Team (US-CERT), was disclosed by Polish researcher Krystian Kloskowski last week.

The bug is caused by an error in the handling of the browser's parent windows.

"This can be exploited to execute arbitrary code when a user visits a specially-crafted web page and closes opened pop-up windows," said Secunia's alert.

The vulnerability can also be exploited by attackers who dupe users into opening rigged HTML-based email within Safari, added US-CERT in its advisory.

That scenario likely would involve tricking users into opening malicious messages in a webmail service, such as Gmail or Windows Live Hotmail.

Both Secunia and US-CERT confirmed that the proof-of-concept attack code published by Kloskowski successfully compromises the Windows version of Safari 4.0.5, the most up-to-date edition.

Secunia rated the vulnerability as 'highly critical', the second-most-dangerous ranking in its five-step threat scoring system.

It's not known whether the vulnerability also exists in the much more widely used Mac OS X version of Apple's software. "Other versions may also be affected," cautioned US-CERT.

Charlie Miller, the noted vulnerability researcher who won $10,000 by hacking a Mac in March at the Pwn2Own contest, was out of his office and not able to verify that the bug also exists in Safari on Mac OS X.

US-CERT urged users of the Windows version of Safari to disable JavaScript as a temporary defence.

Apple last patched Safari in mid-March when it fixed 16 flaws, including six that applied only to the Windows version of the browser.

It's not unusual for Apple to patch Windows-only vulnerabilities when it updates Safari.

Apple patched Miller's $10,000 vulnerability in mid-April by plugging a hole in ATS (Apple Type Services), a font renderer included with Mac OS X.

Miller accessed the ATS bug via Safari during Pwn2Own.

See also: Two Windows & Office patches coming next week


IDG UK Sites

Best Black Friday 2014 tech deals: Get bargains on smartphones, tablets, laptops and more

IDG UK Sites

What the Internet of Things will look like in 2015: homes will get smarter, people might get fitter

IDG UK Sites

See how Trunk's animated ad helped Ade Edmondson plug The Car Buying Service

IDG UK Sites

Yosemite tips for beginners: Complete Guide to OS X Yosemite