Establishing Digital Trust: Don't Sacrifice Security for Convenience
Apple has released a security update for its Safari Web browser, fixing flaws for both Mac and Windows users. But a large number of the vulnerabilities it addresses are housed in the browser's WebKit rendering engine, which is also in use by rivals, including Google's Chrome.
Safari 4.0.5 addresses 16 flaws in total, six of which are specific just to Windows users.
Overall, however, the bulk of the fixes are for Safari's WebKit rendering engine, with nine fixes targeting a variety of security vulnerabilities in the technology. The vulnerabilities could have led to Safari crashing, running arbitrary code or possibly disclosing user information, Apple (NASDAQ: AAPL) said.
Three of the WebKit issues were disclosed to Apple with the help of Tipping Point's Zero Day Initiative (ZDI), which is a major sponsor of the annual pwn2own hacking competition where security researchers have frequently targeted Apple. Pwn2own 2010 is set to run later this month.
All three of the ZDI vulnerabilities stem from how WebKit deals with an object or function after the object has already been used, otherwise known as a "use-after-free" vulnerability.
According to Apple's advisory, one of the flaws, identified as CVE-2010-0047, is a use-after-free flaw in how an HTML object element handles fallback content. The issue could lead to arbitrary code execution. A second vulnerability, CVE-2010-0050, is related to a similar use-after-free condition in which the flaw is due to incorrectly nested HTML tags. Apple describes a third flaw, CVE-2010-0053, as a use-after-free error derived from how a CSS display property renders content.
In addition to Safari, WebKit is also used as the browser rendering engine by Google's Chrome. As of press time, Google has not released a public update for the stable-channel version of Chrome that incorporates the WebKit fixes.
The last time Apple updated Safari for WebKit-related issues, Chrome followed with a stable-version update of its own within 24 hours.
Windows vulnerabilities and more
Google's security researchers themselves reported at least one of the issues -- CVE-2010-0046 -- that Apple fixed in the Safari 4.0.5 update.
"A memory corruption issue exists in WebKit's handling of CSS format() arguments," Apple said in its advisory on the issue. "This issue is addressed through improved handling of CSS format() arguments."
While all of the WebKit vulnerabilities affect both Windows and Mac users of Safari, there are also six flaws that only affect Windows.
CVE-2009-2285, CVE-2010-0041, CVE-2010-0042, and CVE-2010-0043 all deal with different Windows-specific issues related to ImageIO, which handles images in Safari. Simply viewing a malicious TIFF or BMP image could potentially have triggered a crash or arbitrary code execution in Safari, according to Apple.Additionally, the update also addresses CVE-2010-0040, which fixes another graphics-related security issue -- in this case, involving ColorSync. The flaw could have enabled an attacker to cause unexpected application termination or arbitrary code execution if a user views a maliciously crafted image with an embedded color profile, Apple said.
Another Windows-specific Safari vulnerability -- CVE-2010-0045 -- was discovered by Microsoft Security Researcher Billy Rios.
"An issue in Safari's handling of external URL schemes may cause a local file to be opened in response to a URL encountered on a Web page," Apple said in its advisory. "This update addresses the issue through improved validation of external URLs. This issue does not affect Mac OS X systems."
The Safari 4.0.5 is the first update to Safari in 2010 and follows Safari's 4.0.4 update, which came out in November 2009.