Highly critical Safari vulnerability published

Secunia last week published details of a new vulnerability affecting Apple’s desktop Safari browser. The vulnerability can be exploited by malicious users to execute arbitrary code on the system and is rated “highly critical”.

The security research company found that the vulnerability grants system-level access when a user “visits a specially crafted web page and closes opened pop-up windows”. Affected versions include Safari 4.0.5 for Windows, though other versions and operating systems might also be affected.

The vulnerability is caused by an error in the handling of parent windows, which can result in a function call using an invalid pointer. This can be exploited to execute arbitrary code when a user, for example, visits a specially crafted web page and closes opened pop-up windows.

Secunia credits Krystian Kloskowski with the discovery and advises users to refrain from visiting untrusted web sites or links until Apple provides an update.

Apple’s Safari internet browser is available for both Mac and PC. Safari 4 added many new features including Top Sites, Cover Flow, Full History Search, a new JavaScript ‘Nitro’ engine, new developer tools, and a brand new interface for Windows users.


56 Comments


soldier1st said,
How long till Apple fixes it.... Oh, I forgot, they will blame something else for their mistakes, then after a while they will silently fix the issue, but for a cost I would imagine.

Apple has blamed others for their mistakes....that's no secret. However, they never charged for bug fixes as far as I am aware.

SputnikGamer said,
Apple has never charged for security updates.
That's not quite true either. Apple effectively does charge for security updates by terminating software support very quickly.


- Didn't see the point in buying Leopard and stayed with Tiger? No security updates. This actually begs a different question about what happened to people running Tiger using a PowerPC chip (non-Intel, and thus not eligible for Snow Leopard). I don't even know where to buy plain Leopard.
- Didn't feel like upgrading from iPhone OS 2 to iPhone OS 3 (on your iPod touch) for a $10 fee? No security updates. The same happened with iPhone OS 1 to iPhone OS 2, and will happen for iPhone OS 4.


Now, I say this as a Mac and PC owner with a first generation iPod touch, iPhone 3GS and Zune HD. I like their hardware, but I am not drinking their software Koolaid.

@pickypg
Tiger still received security updates after Leopard was released. Leopard still receives security updates now Snow Leopard has been released...

Timan said,

Yep, any bit of anti-apple news to feed the trolls

I find it curious that when Microsoft vulnerabilities are made public, it seems to be ok to bash Microsoft. Yet when Apple vulnerabilities are announced, anybody who bashes Apple is labelled a "troll".

Yep, very curious indeed.

TCLN Ryster said,

I find it curious that when Microsoft vulnerabilities are made public, it seems to be ok to bash Microsoft. Yet when Apple vulnerabilities are announced, anybody who bashes Apple is labelled a "troll".

Yep, very curious indeed.

Read the definition of a Troll. If all you are doing is bitching/moaning....spewing insults...trying to cause issues...then you are a troll. If you bring substance and offer good info to a post...then you are not a troll.

TCLN Ryster said,

I find it curious that when Microsoft vulnerabilities are made public, it seems to be ok to bash Microsoft. Yet when Apple vulnerabilities are announced, anybody who bashes Apple is labelled a "troll".

Yep, very curious indeed.

When was the last time someone trolled a Microsoft security update? I think the tech people on the site realise that all browsers, OS's and software have security vulnerabilities regardless.

REM2000 said,

When was the last time someone trolled a Microsoft security update? I think the tech people on the site realise that all browsers, OS's and software have security vulnerabilities regardless.

I see this excuse used on every Apple topic, but I don't really see it.

AgentGray said,
How's teasing Apple (who are arrogant with its security) trolling for this?

Look, I'm no fan of Apple by far, but these jokes with their slogan or sayings come out each and every damn time they have a security related issue, hence the sarcasm as I said "clever". My point I guess is this: if you're going to come into every thread about Apple security, at least come with some fresh material.

Edited by dead.cell, May 10 2010, 8:39pm :

If someone is trolling MS news that doesn't mean that you have to troll Apple news, unless.. of course you are a troll...

protocol7 said,
Well, Steve was right. Cross-compiling does produce substandard apps.

No, Apple just doesn't know how to write apps for other platforms. Firefox seems to be doing really well on Windows/OSX/Linux.

If it is done right and if the support is good, an app can be written for all platforms.

techbeck said,

No, Apple just doesn't know how to write apps for other platforms. Firefox seems to be doing really well on Windows/OSX/Linux.

If it is done right and if the support is good, an app can be written for all platforms.

+1

What about iTunes and QuickTime?!

Heartripper said,

+1

What about iTunes and QuickTime?!

iTunes and QuickTime are both a joke and never worked well on Windows...at least not any of the times I tried them.

And does anyone even use QT anymore? I never even install it these days.

techbeck said,

iTunes and QuickTime are both a joke and never worked well on Windows...at least not any of the times I tried them.

And does anyone even use QT anymore? I never even install it these days.


I think nobody would use it anymore.... but it's bundled with iTunes, which is quite used thanks to the iPod. Moreover QT is suggested by Firefox to play MP3s such as the pop of FB's chat. Thank God VLC exists!

DClark said,

He must have thought that the vulnerability was published...or being sarcastic.

Sarcastic or not, a vulnerability that affects my platform or another does me no good. I don't go foaming at the mouth whenever a story about a Windows vulnerability pops up. I don't think any of the Mac users on Neowin do.

NeoTrunks said,

Sarcastic or not, a vulnerability that affects my platform or another does me no good. I don't go foaming at the mouth whenever a story about a Windows vulnerability pops up. I don't think any of the Mac users on Neowin do.

That's because it's so frequent nobody cares anymore. Now when a vulnerability pops up which allows bad guys to infect Macs, now that's entertaining.

Edited by warwagon, May 10 2010, 10:17pm :
