Researcher Reveals Critical Flaw in Safari Web Browser

A zero-day flaw has recently been discovered in the latest version of Apple's Safari browser. The flaw is considered to be "highly critical," the second-highest rating in the five-step threat-assessment system. It also has the potential to infect Windows PCs with malicious code.

In actuality, the bug is the result of an error in the handling of the browser's parent windows. It can result in a "function call using an invalid pointer".

Different Flaw, Same Tactics

Malware peddlers might also attempt to exploit the vulnerability by creating a malicious site and coaxing users into coming to the site (not an uncommon approach by any means). Once at the site, the user unknowingly downloads malicious code onto their computer by closing pop-up windows.

Attackers could also fool users into opening rigged HTML-based emails within Safari. (Source: itpro.co.uk)

The flaw was first discovered by a Polish security researcher, Krystian Kloskowski, and the information was then passed on by the Danish vulnerability tracking service Secunia. The US Computer Emergency Readiness Team (US-CERT) then confirmed the flaw in version 4.0.5 of Safari for Windows. There has been no confirmation that would suggest that the latest Mac version is vulnerable, though this is highly probable. (Source: net.au)

Apple has not issued any response to these reports, but a patch is expected to come forth in the near future.

Disable Javascript, Reduce Threat

In in the interim (from now until a patch has been issued) US-CERT is advising everyone to disable their Javascript on affected versions of the browser. This will decrease threat levels and can be done in Safari's 'Preferences' menu.

The fortunate thing about the entire ordeal is that Kloskowski sent out a 'proof-of-concept build'. This means that there are no reports of any actual attempts to exploit the vulnerability, but given enough time, attackers would likely pounce on the flaw sooner than later.