Apple plugs code execution, phishing holes in Safari browser
Apple has released Safari 4.0.3 to fix at least six security vulnerabilities that put Mac and Windows users at risk of hacker attacks.
The update is considered highly critical and should be applied immediately on both Windows and Mac systems because of the risk of information disclosure, phishing and remote code execution attacks.
The change affecting IDNs is stated as:
CVE-ID: CVE-2009-2199
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows XP and Vista
Impact: Look-alike characters in a URL could be used to masquerade as a website
Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by supplementing WebKit’s list of known look-alike characters. Look-alike characters are rendered in Punycode in the address bar. Credit to Chris Weber of Casaba Security, LLC for reporting this issue.
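The mitigation Apple describes, showing a label as Punycode whenever it contains look-alike characters, can be illustrated with a small hostname checker. The code below is an added example and is not Apple's or WebKit's code; WebKit's actual confusable list is not on this page, so the `CONFUSABLES` table here is a constructed sample of a few Cyrillic and Greek letters that resemble Latin ones, and the script classification from Unicode character names is a simplification. The example flags a label as a look-alike when it mixes scripts (for instance a Cyrillic letter among Latin ones) or consists entirely of known confusables, and in that case returns the Punycode form that Python's built-in `idna` codec produces.

```python
import unicodedata

# Constructed sample of non-Latin letters that render like Latin ones.
# This is an assumption for the example, not WebKit's known look-alike list.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
}


def script_of(ch):
    """Crude script classification: ASCII letters count as LATIN, digits and
    hyphen are ignored (None), other characters use the first word of their
    Unicode name ("CYRILLIC", "GREEK", "LATIN", "CJK", ...)."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] or "UNKNOWN"


def label_scripts(label):
    """Set of scripts used by the letters of one DNS label."""
    return {s for s in map(script_of, label) if s}


def is_lookalike(label):
    """A label is a look-alike candidate when it is not pure ASCII and either
    mixes scripts (e.g. one Cyrillic letter among Latin ones) or is made up
    entirely of characters from the confusable table."""
    if label.isascii():
        return False
    scripts = label_scripts(label)
    if len(scripts) > 1:
        return True
    non_ascii = [c for c in label if not c.isascii()]
    return all(c in CONFUSABLES for c in non_ascii)


def to_punycode(hostname):
    """ASCII-compatible (xn--) form of the whole hostname via the idna codec."""
    return hostname.encode("idna").decode("ascii")


def display_hostname(hostname):
    """Form to show in an address bar: the Unicode hostname when no label is
    a look-alike, otherwise the Punycode form so the spoof is visible."""
    labels = hostname.split(".")
    if any(is_lookalike(label) for label in labels):
        return to_punycode(hostname)
    return hostname


if __name__ == "__main__":
    # Constructed inputs: a genuine name, a German IDN, a Cyrillic IDN,
    # and two spoofs that mix Cyrillic letters into a Latin-looking name.
    samples = [
        "apple.com",
        "m\u00fcnchen.de",
        "\u044f\u043d\u0434\u0435\u043a\u0441.\u0440\u0444",
        "\u0430pple.com",
        "\u0440\u0430\u0443\u0440\u0430l.com",
    ]
    for host in samples:
        print(f"{host!r:32} -> {display_hostname(host)}")
```

The two safe IDNs stay readable because they are single-script and not composed purely of confusables, while the spoofs are shown as `xn--` labels; the Cyrillic-a version of apple.com becomes `xn--pple-43d.com`. A real implementation would use the Unicode confusables data (UTS #39) and proper script properties rather than character-name prefixes.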