Apple Safari Domain Extensions Insecure Cookie Access Vulnerability
According to the National Vulnerability Database, Apple’s Safari browser is vulnerable to session fixation attacks because of the way it handles cookies in country-specific top-level domains. A hacker who appeared at Microsoft’s Blue Hat summit is credited with discovering this Safari vulnerability. Safari 3.1.2 is vulnerable; other versions may also be affected.
Apple Safari allows web sites to set cookies for country-specific top-level domains, such as co.uk and com.au, which could allow remote attackers to perform a session fixation attack and hijack a user’s HTTP session, aka “Cross-Site Cooking”. The flaw allows unauthorized disclosure of information, unauthorized modification of content, and disruption of service. To exploit this issue, an attacker must entice an unsuspecting user to open a malicious document.
Currently there are no vendor-supplied patches. As a permanent solution, do not browse untrusted web sites or follow untrusted links.
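The check that a cookie store should apply is to refuse any Domain attribute that names a public suffix (a registry-controlled label such as co.uk or com.au), so that one site cannot plant a cookie that every site under that suffix will receive. The following is an added illustration, not code from Safari or from this site; the suffix set is a small constructed subset of the real public suffix list, and the function names are the author’s own.

```python
from typing import Optional

# Constructed subset of the public suffix list, for illustration only.
# A real cookie store would load the full list (publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "org.uk", "au", "com.au", "net.au"}


def parse_domain_attr(set_cookie: str) -> Optional[str]:
    """Return the Domain attribute of a Set-Cookie header, lowercased,
    with any leading dot removed; None if the cookie is host-only."""
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "domain":
            return value.strip().lower().lstrip(".") or None
    return None


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: host is the domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def cookie_domain_allowed(request_host: str, set_cookie: str) -> bool:
    """Decide whether a cookie received from request_host may be stored.

    Rejects cookies scoped to a public suffix (the cross-site cooking case
    that Safari 3.1.2 accepted) and cookies scoped to an unrelated domain.
    """
    host = request_host.lower()
    domain = parse_domain_attr(set_cookie)
    if domain is None:
        return True  # host-only cookie: always bound to the setting host
    if domain in PUBLIC_SUFFIXES:
        return False  # would be sent to every site under co.uk / com.au
    return domain_matches(host, domain)


if __name__ == "__main__":
    # Constructed sample headers.
    print(cookie_domain_allowed("www.example.co.uk", "sid=abc; Domain=.co.uk; Path=/"))  # False
    print(cookie_domain_allowed("www.example.co.uk", "sid=abc; Domain=example.co.uk"))   # True
```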
August 12th, 2008 at 4:02 am
Yes, this was the initial problem with Safari for Windows, but now all the bugs have been fixed and the browser is totally safe to use.
November 25th, 2008 at 2:23 pm
Then why does Google get through, on Mac, with the security preference set to “Never”??