Safari 3.x remains vulnerable: time to upgrade to 4.0?

At least two of the security flaws addressed in the release version of Safari 4.0 can be used to attack Safari 3.x. Proofs of concept are in circulation.

When we reported on the security fixes delivered in Safari 4.0, we noted that it wasn't clear whether they all related to the 4.0 beta or if any could also be found in Safari 3.x.

We asked Apple for clarification, and have yet to receive a reply beyond a statement that Safari 4.0 "is the full update that replaces the previous beta version of Safari 4.0 and any previous editions of Safari."

But if one security researcher is correct, at least two of the addressed vulnerabilities can be found in Safari 3.x for Mac OS X and Windows.

According to Google employee Chris Evans, Safari's XML processing can be fooled into delivering the contents of a local file. Not nice.

"XXE [Xml eXternal Entity] attacks are most common server-side; this advisory notes a client-side attack against the Safari browser," observes Evans, who has provided a proof of concept for this vulnerability.

He also notes that a second XML flaw allows cross-domain access with the potential to steal sensitive information. For this vulnerability, Evans' proof of concept shows how it can be used to steal inbox details from a logged-in Gmail session.

According to Evans' descriptions of the issues, both problems were "found on Google's time" and originally reported to Apple in June 2008.

Barring the prompt arrival of a Safari 3.x update from Apple, this suggests that if you can upgrade to Safari 4.0 then you probably should.