LAS VEGAS–Apple has released a major update to its Safari browser that includes a number of security fixes, most importantly a patch for the AutoFill vulnerability disclosed recently.
Safari 5.0, which was released Wednesday by Apple, gives users protection against several flaws, including the AutoFill weakness, identified by researcher Jeremiah Grossman, which enabled attackers to pull a treasure trove of personal information about users from the browser. Grossman began speaking publicly about the AutoFill flaw last week and will give a presentation on it at the Black Hat conference here this week.
“Right at the moment a Safari user visits a website, even if they’ve
never been there before or entered any personal information, a malicious
website can uncover their first name, last name, work place, city,
state, and email address,” Grossman explained in a blog post.
From the Apple advisory:
Safari’s AutoFill feature can automatically fill out web forms using
designated information in your Mac OS X Address Book, Outlook, or
Windows Address Book. By design, user action is required for AutoFill
to operate within a web form. An implementation issue exists that allows
a maliciously crafted website to trigger AutoFill without user
interaction. This can result in the disclosure of information contained
within the user’s Address Book Card. To trigger the issue, the following
two situations are required. First, in Safari Preferences, under
AutoFill, the “Autofill web forms using info from my Address Book card”
checkbox must be selected. Second, the user’s Address Book must have a
Card designated as “My Card”. Only the information in that specific card
is accessed via AutoFill. This issue is addressed by prohibiting
AutoFill from using information without user action.
The new version of Safari also fixes 14 vulnerabilities in Webkit, the open source layout engine that Safari uses.