http://www.eweek.com/article2/0,1895,2150857,00.asp

By Lisa Vaas
June 25, 2007

Apple has updates out for security problems in WebCore (Mac OS X's HTML layout engine) and WebKit, the application framework that serves as an underpinning for Apple's Safari browser as well as many other Mac applications.

Security Update 2007-006 takes care of an HTTP injection bug that occurs in WebCore's XMLHttpRequest when it's serializing headers into an HTTP request. The vulnerability can lead to cross-site scripting attacks if a victim is lured to a maliciously crafted site.

The WebCore issue affects Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, and Mac OS X Server v10.4.9 or later.

The other issue, concerning Apple's WebKit browser engine, could also make a Mac OS X application user vulnerable to attack if he or she were to visit a maliciously crafted site.

WebKit serves as an engine not only for the Safari browser but also for many other Mac OS X applications, including Dashboard (a set of widgets that delivers real-time weather, stock tickers, flight status and other information) and Mail, the Apple mail client provided with every Mac operating system installation.

The problem with WebKit is an invalid type conversion when rendering frame sets, which can lead to memory corruption. Results range from the application quitting to a targeted system being hijacked through arbitrary code execution.

Apple's update for the WebKit glitch is available for Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, and Mac OS X Server v10.4.9 or later.

These updates can be downloaded and installed automatically via Apple's Software Update preferences, or from Apple Downloads.