Security Hardware & IT Security Software - eWeek

Home

Security Hardware & IT Security Software

Apple Patches MacBook Air Hijack Flaw

Plan, Launch and Manage Your Data Centers More Efficiently

Turn Data into Results with Better Business Intelligence

Smarter Virtualization – Key Building Block for Dynamic Infrastructure


	Save Money and Improve Agility: Virtualize with Sun SPARC Enterprise M-Series Servers The Next Step in Virtualization: Moving Demanding Applications to Virtual Environments Powering Business Productivity with Dell OptiPlex Desktops See All Resources >

Security Hardware & IT Security Software

Apple Patches MacBook Air Hijack Flaw

Share
By: Ryan Naraine
2008-04-16
Article Rating:

/ 6

There are 1 user comments on this Security Hardware & IT Security Software story.

Rate This Article:

E-mail

PDF Version

The Safari 3.1.1 update includes a patch for the flaw that allowed the hijack of a MacBook Air laptop at the CanSecWest "PWN to OWN" security contest.

Apple has slapped a Band-Aid on its Safari for Windows browser to cover four vulnerabilities that could lead to code execution, cross-site scripting and URL spoofing attacks.

The Safari 3.1.1 update includes a patch for the flaw the allowed the hijack of a MacBook Air laptop at this year's CanSecWest "PWN to OWN" security contest.

Resource Library:

According to Apple's advisory, the CanSecWest bug was a heap buffer overflow in WebKit's handling of JavaScript regular expressions. WebKit is an open-source Web browser engine used by Safari.

"The issue may be triggered via JavaScript when processing regular expressions with large, nested repetition counts. This may lead to an unexpected application termination or arbitrary code execution," Apple warned, crediting contest winner Charlie Miller and TippingPoint Technologies' Zero Day Initiative for reporting the issue.

The Safari update, which is available for Windows XP, Windows Vista and Mac OS X (Tiger and Leopard), also provides the following fixes, according to Apple:

CVE-2008-1024 (available for Windows XP or Vista)—"A memory corruption issue exists in Safari's file downloading. By enticing a user to download a file with a maliciously crafted name, an attacker may cause an unexpected application termination or arbitrary code execution. … This issue does not affect Mac OS X systems."

CVE-2008-1025 (available for Mac OS X , Windows XP or Vista)—"An issue exists in WebKit's handling of URLs containing a colon character in the host name. Opening a maliciously crafted URL may lead to a cross-site scripting attack." The Google Information Security Team is credited with finding this vulnerability.

CVE-2007-2398 (available for Windows XP or Vista)—"A timing issue in Safari 3.1 allows a Web page to change the contents of the address bar without loading the contents of the corresponding page. This could be used to spoof the contents of a legitimate site, allowing user credentials or other information to be gathered. This issue was addressed in Safari Beta 3.0.2, but reintroduced in Safari 3.1."

	Reader Comments: Apple Patches MacBook Air Hijack Flaw
>>> Post your comment now!
	A user comment on this article This is Ryan Naraine. Are you happy with Apple's responsiveness to this security issue? Posted At: 04-16-08 By: Ryan Naraine

	>>> Post your comment now!



	>>> More Security Hardware & IT Security Software Articles >>> More By Ryan Naraine

Email Article To Friend ♦ Print Version Of Article ♦ PDF Version Of Article

FEATURED SPONSORED MESSAGE

Hitachi announces IT Operations Analyzer software

Monitor and diagnoses issues in multivendor network environments.

Web-based interface, agent-less, multiple network views and automated root cause analysis help maximize network availability and reduce expenses. Good for businesses with 50-250 nodes.

Download free 30-day trial

Brought to You By

FEATURED SPONSORED MESSAGE

Should You Be Using “up.time”?

Easily Monitor Virtual, Physical, and Cloud based assets, applications and services from a unified Dashboard with up.time

Deep Monitoring across platforms and best-of-breed reporting. Over 700 enterprise customers in 32 countries

Free Trial Download Here (Virtual Appliance available)

Brought to You By

Sponsors

DCIG Report: Get Near Real Time Backup & Recovery.

up.time Easily Monitors Virtual/Physical/Cloud. Free Trial.

Build your Multitenant Cloud App today on LongJump.

New & Easier Data Center Innovation & Integration.

Let Progress Software help your business make progress.

Expand on Demand. AT&T Synaptic Storage as a Service.

Learn more about EnterpriseDB @ the Postgres Center

See why ShoreTel is named best overall VoIP provider

CDW Healthcare offers the IT solutions you need.

One number. One voicemail. Sprint Mobile Integration.

10 Reasons to Upgrade to Windows Server 2008 R2.

See the easy to manage ScanSnap Network iScanner

FREE Sophos Encryption Tool: Encrypt, compress and share files easily.

	eWEEK RSS FEEDS and NEWSLETTERS
	Get eWEEK news delivered to your desktop with RSS eWEEK Free Newsletters

Issue Index \| Contact Us \| About \| Advertise \| Magazine Customer Service \| Site Map
	Security: Enterprise Networking Network Security Infrastructure Security How To: Data IT Security News Security Watch Blog Secure Channel Blog Storage: Data Storage Cloud Storage Storage Virtualization Network Access Storage Storage Reviews Storage News How To: Storage Storage Station Blog Computing: Apple OSX Linux Systems Windows 7 Managed Print Services Computer Reviews Microsoft Watch Blog Apple Watch Blog Google Watch Blog Communications: Enterprise Mobility Zone VoIP Solutions Wireless Technology Messaging Software Web Services Wireless News Mobile Reviews Apps & Development: Application Development Enterprise Apps Search Engines Database Software Web 2.0 IT Project Management Emerging Tech Blog CIO Insight Blogs CIOs
	Vertical Markets: Federal Government IT Health Care IT Finance IT Mid-Market Channel and VARs Careers Blog Value Added Resellers More eWeek Links: Green Computing Center Tech Knowledge Center Tech Newsletters Tech RSS Feeds White Papers Tech Podcasts Tech Videos Magazine Subscriptions Enterprise Websites: ZDE Home eWeek Baseline Magazine Channel Insider CIO Insight eSeminars and Events Publish Online Web Buyers Guide Developer Websites: Microsoft DevSource Dev Shed DeveloperShed ASP Free SEO Chat Codewalkers Tutorialized Scripts.com Dev Mechanic Dev Articles Web Hosters Dev Hardware Technology Websites: Device Forge Desktop Linux Linux Devices Windows for Devices PDF Zone Linux Watch Windows Migration Smarter Technology Enterprise TechBrief
	Use of this site is governed by our Terms of Use and Privacy Policy Copyright ©1996-2010 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. eWEEK and Spencer F. Katt are trademarks of Ziff Davis Enterprise Holdings, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited. eWeek is your best source for the latest Technology News. ZDE Cluster 9 hosted by Hostway.

Apple Patches MacBook Air Hijack Flaw

Suggested Related Content: