Apple Plugs Safari Drive-by Download Security Holes

Apple has shipped Safari 5.0.2 and Safari 4.1.2 with patches for three gaping holes that expose Web surfers to drive-by download attacks.

Apple has shipped Safari 5.0.2 and Safari 4.1.2 with patches for three gaping holes that expose Web surfers to drive-by download attacks.

The browse-and-you’re-hacked vulnerabilities affect both Windows and Mac users, Apple warned in an advisory. One of the three vulnerabilities is the DLL load hijacking issue that haunts hundreds of Windows applications.

Two of the three vulnerabilities affect WebKit, the open-source rendering engine that powers Apple’s Safari and iTunes software products.

Here are the details:

 

  • CVE-2010-1805 (Windows 7, Vista, XP SP2 or later) – A search path issue exists in Safari. When displaying the location of a downloaded file, Safari launches Windows Explorer without specifying a full path to the executable. Launching Safari by opening a file in a specific directory will include that directory in the search path. Attempting to reveal the location of a downloaded file may execute an application contained in that directory, which may lead to arbitrary code execution. This is the DLL load hijacking attack vector.
  • CVE-2010-1807 (Mac and Windows) – An input validation issue exists in WebKit’s handling of floating point data types. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2010-1806 (Mac and Windows) – A use after free issue exists in WebKit’s handling of elements with run-in styling. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

 

Safari 5.0.2 is available for Mac OS X v10.5, Mac OS X v10.6, and Windows systems. Safari 4.1.2 is only provided for Mac OS X v10.4 systems.

Suggested articles