July 28, 2010, 12:35PM

Apple Fixes AutoFill Flaw in Massive Safari Update

LAS VEGAS--Apple has released a major update to its Safari browser that includes a number of security fixes, most importantly a patch for the AutoFill vulnerability disclosed recently.

Safari 5.0, which was released Wednesday by Apple, gives users protection against several flaws, including the AutoFill weakness, identified by researcher Jeremiah Grossman, which enabled attackers to pull a treasure trove of personal information about users from the browser. Grossman began speaking publicly about the AutoFill flaw last week and will give a presentation on it at the Black Hat conference here this week.

“Right at the moment a Safari user visits a website, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address,” Grossman explained in a blog post.

From the Apple advisory:

Safari's AutoFill feature can automatically fill out web forms using designated information in your Mac OS X Address Book, Outlook, or Windows Address Book. By design, user action is required for AutoFill to operate within a web form. An implementation issue exists that allows a maliciously crafted website to trigger AutoFill without user interaction. This can result in the disclosure of information contained within the user's Address Book Card. To trigger the issue, the following two situations are required. First, in Safari Preferences, under AutoFill, the "Autofill web forms using info from my Address Book card" checkbox must be selected. Second, the user's Address Book must have a Card designated as "My Card". Only the information in that specific card is accessed via AutoFill. This issue is addressed by prohibiting AutoFill from using information without user action.
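The advisory's wording, "user action is required" versus "trigger AutoFill without user interaction", describes a classic gating bug: a privileged operation (copying card data into page-controlled fields) keyed on an event the page itself can produce instead of on a trusted user gesture. The following toy model, added here as an illustration and not WebKit or Apple code, shows the two policies side by side. The card contents, the field-name heuristics and the `isTrusted`/`userAccepted` gate are all constructed assumptions for the model; real browsers use richer autocomplete heuristics and their own notion of a trusted event.

```javascript
// Toy model (not WebKit code) of an AutoFill controller that fills a web form
// from a single address-book card, comparing a policy that fills on any
// "input" event (the bug class in the advisory) with one that fills only on a
// trusted, user-accepted action (the advisory's fix).

// Constructed sample "My Card" data (assumption, not real user data).
const MY_CARD = {
  firstName: "Ada",
  lastName: "Lovelace",
  organization: "Analytical Engines Ltd",
  city: "London",
  state: "",            // empty attribute: never filled
  email: "ada@example.test",
};

// Field-name heuristics assumed for this model; real browsers also use
// autocomplete tokens and label text.
const FIELD_MAP = {
  fname: "firstName", firstname: "firstName", "given-name": "firstName",
  lname: "lastName", lastname: "lastName", "family-name": "lastName",
  org: "organization", company: "organization", organization: "organization",
  city: "city", state: "state", email: "email",
};

// Map an input's name to a card attribute, or null if it matches nothing.
function matchField(name) {
  return FIELD_MAP[String(name).toLowerCase()] || null;
}

// Fill every empty, matching input in `form` from `card`; return the names
// of the fields that received card data (the potential disclosure surface).
function fillForm(form, card) {
  const filled = [];
  for (const input of form.inputs) {
    const key = matchField(input.name);
    if (key && card[key] && input.value === "") {
      input.value = card[key];
      filled.push(input.name);
    }
  }
  return filled;
}

// Defective policy: any "input" event triggers AutoFill, including events a
// script dispatches with no user involved.
function vulnerableAutoFill(form, card, event) {
  if (event.type !== "input") return [];
  return fillForm(form, card);
}

// Hardened policy: the event must originate from the user (isTrusted) and the
// fill is applied only after the user explicitly accepts the suggestion.
function hardenedAutoFill(form, card, event, userAccepted) {
  if (event.type !== "input" || !event.isTrusted || !userAccepted) return [];
  return fillForm(form, card);
}

// Constructed form: five fields that match card data and one that does not.
function makeForm() {
  return { inputs: [
    { name: "fname", value: "" }, { name: "lname", value: "" },
    { name: "company", value: "" }, { name: "city", value: "" },
    { name: "email", value: "" }, { name: "hidden-token", value: "" },
  ] };
}

// Event stand-ins: one synthesized by page script, one produced by the user.
function scriptedEvent() { return { type: "input", isTrusted: false }; }
function userEvent() { return { type: "input", isTrusted: true }; }

// Run both policies against a page-synthesized event and the hardened policy
// against a genuine user action; return which fields each outcome filled.
function demo() {
  const leaked = vulnerableAutoFill(makeForm(), MY_CARD, scriptedEvent());
  const blocked = hardenedAutoFill(makeForm(), MY_CARD, scriptedEvent(), false);
  const allowed = hardenedAutoFill(makeForm(), MY_CARD, userEvent(), true);
  return { leaked, blocked, allowed };
}

console.log(demo());
```

The point of the model is the gate, not the field matching: with the defective policy a page that can raise the triggering event at load time receives every card attribute that maps to one of its fields, while the hardened policy yields nothing until a trusted event and an explicit acceptance are both present. Note that the `state` attribute is empty in the sample card and so is never written, matching the advisory's statement that only data present in the designated card is exposed.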

The new version of Safari also fixes 14 vulnerabilities in WebKit, the open source layout engine that Safari uses.

Copyright © 2012 threatpost.com