Apple Goes Bug-Hunting in Safari 3.2


Apple is out with an update to its Safari web browser that aims to take the bite out of several vulnerabilities — as well as the potential for phishing attacks.

The Safari 3.2 update, available for both Windows and Mac versions of the browser, fixes at least 11 flaws, three of which are specific to its WebKit rendering engine. The flaws were found by a number of researchers including those from Apple itself as well as Google and even Microsoft.

The new update also adds an anti-phishing feature that’s intended to protect users from being lured into giving away their information on fraudulent sites.

One security flaw tackled in Safari 3.2 involves how the browser processes an XML document, through which an attacker could have potentially executed arbitrary code. According to Apple’s advisory, the vulnerability stems from a heap buffer overflow issue in the libxslt library.

The act of simply viewing a TIFF image could lead to a user being exploited through another hole closed in the update. Apple credits Robert Swiecki of the Google Security Team for reporting the problem, through which viewing a maliciously crafted TIFF image could have led to an unexpected crash or arbitrary code execution.

WebKit, the core rendering engine used in Safari, also received some attention in the update. In one vulnerability it fixed, an attacker could have gained unauthorized access to a Safari user’s local files. The flaw exists because Safari’s WebKit plug-in interface does not block plug-ins from launching local addresses.

According to Apple’s advisory, “This update addresses the issue by restricting the types of URLs that may be launched via the plug-in interface.”

The company credited Billy Rios of Microsoft and Nitesh Dhanjani of Ernst & Young with first reporting the flaw.

Though technically not a fix, Safari 3.2 is addressing one shortcoming thanks to the introduction of an anti-phishing filter. Vendors of rival browsers, including Mozilla and Microsoft, have had similar filters built into their products for some time.

Safari’s new Phishing Filter warns users when they are on a suspected fraudulent or “phishing” site.

The Safari 3.2 update is the first major update for Safari since the 3.1 release back in March of this year.
