CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
November 15th, 2008

Apple’s Safari And Google’s Chrome Browsers Get Security Updates

Apple has released Safari 3.2 to fix at least a dozen security flaws, some of them very serious. The update, available for Windows XP, Windows Vista and Mac OS X (Tiger and Leopard), addresses vulnerabilities that could be exploited to take full control of a compromised machine.

Some of the more serious flaws:

CVE-2008-1767: A heap buffer overflow issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution. Further information on the patch applied is available via http://xmlsoft.org/XSLT/.

CVE-2008-3623: A heap buffer overflow exists in CoreGraphics’ handling of color spaces. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution.

CVE-2008-2327: Multiple uninitialized memory access issues exist in libTIFF’s handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.

CVE-2008-2332: A memory corruption issue exists in ImageIO’s handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.

CVE-2008-3642: A buffer overflow exists in the handling of images with an embedded ICC profile. Opening a maliciously crafted image with an embedded ICC profile may lead to an unexpected application termination or arbitrary code execution.

Three of the 12 issues were found and fixed in WebKit, the open-source Web browser engine. Safari 3.2 should be treated as a “highly critical” update. End users should apply this patch immediately.

Google has also released a new version of its Chrome browser with fixes for a pair of security issues that could expose users to data theft. The issue, rated “moderate”, could allow hackers to use HTML files to steal arbitrary files from a victim’s machine:

r4188 and r4827 address an issue with downloaded HTML files being able to read other files on your computer and send them to sites on the Internet. We now prevent local files from connecting to the network using XMLHttpRequest() and also prompt you to confirm a download if it is an HTML file.
Severity: Moderate. If a user could be enticed to open a downloaded HTML file, this flaw could be exploited to send arbitrary files to an attacker.

The patch, which will eventually be rolled out via Chrome’s automatic update feature, also adds new features around bookmarking and pop-up blocking.
