Apple’s Safari And Google’s Chrome Browsers Get Security Updates
Apple has released Safari 3.2 to fix at least a dozen security flaws, some of them are very serious. The update, available for Windows XP, Windows Vista and Mac OS X (Tiger and Leopard), address vulnerabilities that could be exploited to take full control of a compromised machine.
Some of the more serious flaws:
CVE-2008-1767: A heap buffer overflow issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution. Further information on the patch applied is available via
http://xmlsoft.org/XSLT/.
CVE-2008-3623: A heap buffer overflow exists in CoreGraphics’ handling of color spaces. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution.
CVE-2008-2327: Multiple uninitialized memory access issues exist in libTIFF’s handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
CVE-2008-2332: A memory corruption issue exits in ImageIO’s handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
CVE-2008-3642: A buffer overflow exists in the handling of images with an embedded ICC profile. Opening a maliciously crafted image with an embedded ICC profile may lead to an unexpected application termination or arbitrary code execution.
Three of the 12 issues were found and fixed in WebKit, the open-source Web browser engine. Safari 3.2 should be treated as an “highly critical” update. End users should apply this patch immediately.
Google has also released a new version of its Chrome browser with fixes for a pair of security issues that could expose users to data theft. The issue, rated as a “moderate” could allow hackers to use HTML files to steal arbitrary files from a victim’s machine:
r4188 and r4827 address an issue with downloaded HTML files being able to read other files on your computer and send them to sites on the Internet. We now prevent local files from connecting to the network using XMLHttpRequest() and also prompt you to confirm a download if it is an HTML file.
Severity: Moderate. If a user could be enticed to open a downloaded HTML file, this flaw could be exploited to send arbitrary files to an attacker.
The patch, which will eventually be rolled out via Chrome’s automatic update feature, also adds new features around bookmarking and pop-up blocking.
More on CyberInsecure:
Leave a Reply
Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.