Safari 4.0.2 Released

This afternoon Apple unveiled Safari 4.0.2 and its traditional cryptic release notes. While Apple is mum about details, a subsequently posted Security Update detailed two major security holes which have been closed with 4.0.2. The first involves malicious cross-site scripting attacks, and the second involves visiting a malicious website that may unexpectedly quit the application or run code. The details of each issue are listed after the break.

CVE-ID: CVE-2009-1724

Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack

Description: An issue in WebKit’s handling of the parent and top objects may result in a cross-site scripting attack when visiting a maliciously crafted website. This update addresses the issue through improved handling of parent and top objects.

CVE-ID: CVE-2009-1725

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in WebKit’s handling of numeric character references. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of numeric character references. Credit to Chris Evans for reporting this issue.
