We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,059 News Articles

Safari flaw leaves PCs open to hackers

PCs could be compromised with 'drive-by' attacks

A flaw in Apple's Safari browser could allow attackers to infect Windows PCs with malicious code.

Researchers at US-CERT and other security firms that identified the bug, also said hackers could compromise PCs with simple 'drive-by' attack tactics.

The vulnerability, first reported by Danish vulnerability tracker Secunia and confirmed by the United States Computer Emergency Readiness Team (US-CERT), was disclosed by Polish researcher Krystian Kloskowski last week.

The bug is caused by an error in the handling of the browser's parent windows.

"This can be exploited to execute arbitrary code when a user visits a specially-crafted web page and closes opened pop-up windows," said Secunia's alert.

The vulnerability can also be exploited by attackers who dupe users into opening rigged HTML-based email within Safari, added US-CERT in its advisory.

That scenario likely would involve tricking users into opening malicious messages in a webmail service, such as Gmail or Windows Live Hotmail.

Both Secunia and US-CERT confirmed that the proof-of-concept attack code published by Kloskowski successfully compromises the Windows version of Safari 4.0.5, the most up-to-date edition.

Secunia rated the vulnerability as 'highly critical', the second-most-dangerous ranking in its five-step threat scoring system.

It's not known whether the vulnerability also exists in the much more widely used Mac OS X version of Apple's software. "Other versions may also be affected," cautioned US-CERT.

Charlie Miller, the noted vulnerability researcher who won $10,000 by hacking a Mac in March at the Pwn2Own contest, was out of his office and not able to verify that the bug also exists in Safari on Mac OS X.

US-CERT urged users of the Windows version of Safari to disable JavaScript as a temporary defence.

Apple last patched Safari in mid-March when it fixed 16 flaws, including six that applied only to the Windows version of the browser.

It's not unusual for Apple to patch Windows-only vulnerabilities when it updates Safari.

Apple patched Miller's $10,000 vulnerability in mid-April by plugging a hole in ATS (Apple Type Services), a font renderer included with Mac OS X.

Miller accessed the ATS bug via Safari during Pwn2Own.

See also: Two Windows & Office patches coming next week

IDG UK Sites

45 Best Android games: top Android games for your smartphone or tablet in 2014 (24 are free!)

IDG UK Sites

How Apple, Adobe, Microsoft and others have let us down over UltraHD and hiDPI screens

IDG UK Sites

Miranda July's Somebody app offers a very unusual take on messaging

IDG UK Sites

iPad Pro release date, rumours and leaked images - 12.9 screen 'coming in 2015'