About-face: Apple patches Safari ‘carpet bombing’ bug

June 19th, 2008

About-face: Apple patches Safari 'carpet bombing' bugIn what amounts to a major about-face, Apple has patched the Safari “carpet bombing” vulnerability that led to a Safari-to-Internet Explorer remote code execution combo threat.

After insisting for weeks that the issue is more of an irritant than a security risk, Apple today released Safari v3.1.2 for Windows with a patch warning that saving untrusted files to the Windows desktop may lead to the “execution of arbitrary code.”

[ SEE: Apple under pressure to fix Safari flaw ]

From Apple’s advisory:

An issue exists in how the Windows desktop handles executables. Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code. Web browsers are a means by which files may be saved to the desktop. To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user’s Downloads folder on Windows Vista, and to the user’s Documents folder on Windows XP. This issue does not exist on systems running Mac OS X.

The bulletin cites Microsoft’s security advisory on the combo-threat discovered by researcher Aviv Raff.

Safari v3.1.2 for Windows, available for Windows XP and Vista, also fixes at least three additional vulnerabilities that could lead to  information disclosure and code execution attacks.

One of the other three bugs also describes a combo threat that goes the other way –  Internet Explorer to Safari:

Visiting a malicious website which is in a trusted Internet Explorer zone may lead to the automatic execution of arbitrary code
Description:  If a website is in an Internet Explorer 7 zone with the “Launching applications and unsafe files” setting set to “Enable”, or if a website is in the Internet Explorer 6 “Local intranet” or “Trusted sites” zone, Safari will automatically launch executable files that are downloaded from the site. This update addresses the issue by not automatically launching downloaded executable files, and by prompting the user before downloading a file if the “always prompt” setting is enabled.

The IE-to-Safari threat was reported by Will Dormann of CERT/CC .

 [ SEE: Why Apple must fix Safari ‘carpet bombing’ flaw immediately ]

The browser refresh also plugs a memory corruption issue in WebKit’s handling of JavaScript arrays. “Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution,” Apple warned.

The fourth vulnerability is an out-of-bounds memory read that may occur in the handling of BMP and GIF images.

[Source: Zdnet]