The Inquirer

Newly patched Safari flaws pose serious risks

A proof-of-concept remote code execution exploit is available
Thu Oct 13 2011, 11:26

SELLER OF SHINY TOYS Apple has released an update to its Safari web browser to address a flurry of vulnerabilities that could be exploited to execute arbitrary code.

Safari 5.1.1 for Mac OS X and Windows contains fixes for a whopping 43 security issues, most of which are in the WebKit page rendering engine and were reported upstream by the Chromium project.

All but six of the vulnerabilities can be exploited to remotely execute arbitrary code by tricking victims into visiting maliciously crafted web pages, while 35 of them involve memory corruption errors.

Three of the non-RCE (remote code execution) flaws are cross-site scripting weaknesses, one can be leveraged to bypass cookie restrictions while in Private Browsing mode, one can be used to track URLs loaded in frames, and one allows rogue JavaScript code to be executed in the context of installed extensions.

One particular flaw, identified as CVE-2011-3230, is probably the most dangerous vulnerability patched by this update because it is trivial to exploit and proof-of-concept attack code already exists for it, having been published by its discoverer, security researcher Aaron Sigel.

The flaw allows "file://" URL security restrictions to be bypassed. "This allows you to send any 'file:' url to LaunchServices, which will run binaries, launch applications, or open content in the default application, all from a web page," Sigel warns.

"The only caveat is that since LaunchServices will check for the quarantine bit, you cannot directly push a binary to the browser and launch it," he explains.

Another vulnerability also discovered by Sigel and patched by Apple in Safari 5.1.1 consists of a directory traversal issue with "safari-extension://" URL handling and is identified as CVE-2011-3229. "Attackers can create malicious websites that trigger Safari to send files from the victim's system to the attacker," the researcher warns.

Unlike CVE-2011-3230, which can only be exploited on Mac OS X, this vulnerability can be exploited on Windows as well. In fact, it appears that the Safari extension sandbox is broken or missing on Windows, making this flaw even more dangerous on Microsoft's operating system, as it gives attackers access to any file the user can read.

Both Windows and Mac OS X users should install this Safari update as soon as possible to prevent their systems and information from being compromised. µ
