[ISN] Apple Patches More Holes

From: InfoSec News (alerts@private)
Date: Mon Jun 25 2007 - 22:11:33 PDT


http://www.eweek.com/article2/0,1895,2150857,00.asp

By Lisa Vaas
June 25, 2007

Apple has updates out for security problems in WebCore (Mac OS X's HTML 
layout engine) and WebKit, the application framework that serves as an 
underpinning for Apple's Safari browser as well as many other Mac 
applications.

Security Update 2007-006 takes care of an HTTP injection bug that occurs 
in WebCore's XMLHttpRequest when it's serializing headers into an HTTP 
request. The vulnerability can lead to cross-site scripting attacks if a 
victim is lured to a maliciously crafted site.

The WebCore issue affects Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac 
OS X v10.4.9 or later, and Mac OS X Server v10.4.9 or later.

The other issue, concerning Apple's WebKit browser engine, could also 
make a Mac OS X application user vulnerable to attack if he or she were 
to visit a maliciously crafted site.

WebKit serves as an engine not only for the Safari browser but also for 
many other Mac OS X applications, including Dashboard (a set of widgets 
that delivers real-time weather, stock tickers, flight status and other 
information) and Mail, the Apple mail client provided with every Mac 
operating system installation.

The problem with WebKit is an invalid type conversion when rendering 
frame sets, which can lead to memory corruption. Results range from the 
application quitting on up to a targeted system getting hijacked with 
arbitrary code execution.

Apple's update for the WebKit glitch is available for Mac OS X v10.3.9, 
Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, and Mac OS X Server 
v10.4.9 or later.

These updates can be downloaded and installed automatically via Apple's 
Software Update preferences, or from Apple Downloads.

