Apple Fixes Webkit Flaws in Safari

Monday, May 11, 2015 @ 04:05 PM gHale

Apple updated its Safari browser to clear up three memory corruption vulnerabilities in its Webkit.

The flaws ended up found by Apple’s security team who will address the issues by improving memory handling. These vulnerabilities can end up exploited for remote code execution as well as simply causing the application to crash.

Ransomware Focuses on Outdated Plug-Ins
Malware Goes Invisible
New Ransomware Hits the Street
Destructive Hacks Growing

Apple issued an advisory giving more details on the vulnerabilities.

Still, security updates that address the Safari flaws and other patch updates are available for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.3, and Apple advises its users to update their installations as soon as possible.

One of the bugs, CVE-2015-1155, found that visiting a maliciously crafted website could compromise user information on the filesystem. A state management issue existed in Safari that allowed unprivileged origins to access contents on the filesystem, according to the advisory. This issue ended up addressed through improved state management.

CVE-2015-1156 found if a user visited a malicious website by clicking a link may lead to interface spoofing. Visiting a malicious website by clicking a link may lead to user interface spoofing. That meant an issue existed in the handling of the rel attribute in anchor elements, according to the advisory. Target objects could get unauthorized access to link objects. This issue ended up fixed through improved link type adherence.

Apple’s fix for the problems is in new versions of Safari, which now comes in versions Safari 8.0.6, Safari 7.1.6, and Safari 6.2.6 for OS X Mountain Lion, Mavericks and Yosemite respectively. The problems hit Mac OS only – there’s no word the iOS versions of the browser need a fix.

In CVE-2015-1152, CVE-2015-1153, and CVE-2015-1154, visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Multiple memory corruption issues existed in WebKit, according to the advisory. These issues ended up addressed through improved memory handling.

Leave a Reply

You must be logged in to post a comment.