Apple Safari Security Update Patches AutoFill Flaw

Apple has patched a bug in Safari just 24 hours before it featured in a researcher's presentation about browser exploits.

The Safari AutoFill flaw was among 15 fixed by Apple July 28 in a Safari update. All but two of the bugs reside in the WebKit browser engine. Several of the WebKit bugs could lead to arbitrary code execution, such as a memory corruption issue in WebKit's handling of regular expressions that could be used by a malicious site to execute code.

Much of the attention, however, has focused on the AutoFill flaw, which will be part of a presentation July 29 by WhiteHat Security CTO Jeremiah Grossman at the Black Hat security conference in Las Vegas. By taking advantage of what Apple called an "implementation issue," Grossman discovered, it was possible for attackers to abuse Safari's AutoFill feature to swipe names, addresses and other information from Safari users.

The AutoFill feature fills in information such as e-mail addresses and names by default when it recognizes a form. The feature pulls the data from the local operating system address book to automatically fill HTML form text fields with specific attribute names such as name and city.

According to Apple, an implementation issue exists that allows a maliciously crafted Web site to trigger AutoFill without user interaction and that can result in the disclosure of information from the user's Address Book Card.

In a blog post July 21, Grossman noted, "All a malicious Website would have to do" to steal the Address Book card data is "dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated that is AutoFilled, it can be accessed and sent to the attacker."

At Black Hat, Grossman said it seemed like Apple had fixed the bug. In his talk, he will demonstrate how attackers can hack the auto-complete features of popular browsers, including Internet Explorer and Firefox, to get information.