Stephen Withers
Friday, 13 February 2009 11:14
IT Industry -
Market
Page 1 of 3
Apple has released a wide-ranging set of Mac OS X security updates, including a fix for the Safari RSS issue. There's also a pair of Java updates for Tiger and Leopard.
In January 2009, Brian Mastenbrook notified Apple and then warned the wider community about a Safari vulnerability "to an attack that allows a malicious web site to read files on a user's hard drive without user intervention."
It wasn't necessary for the user to take advantage of Safari's RSS features, only that a web page containing such a malicious URL to be opened in Safari.
Mastenbrook initially recommended that users adjust Safari's preferences so that a different program was used to handle feed: URLs. He later recommended the use of a third-party utility to ensure that feeds: and feedsearch: URLs were diverted from Safari.
It turns out that there were multiple input validation issues in Safari's handling of feed: URLs, allowing the execution of arbitrary JavaScript in the local security zone.
The problem has been fixed by Security Update 2009-001 for Mac OS X (10.4.11 Tiger and 10.5.6 Leopard) and Safari 3.2.2 for Windows (XP and Vista).
Several of the patches in Security Update 2009-001 concern third-party components used in Mac OS X, including ClamAV (server versions only), fetchmail, perl, python, SquirrelMail (server versions only), X11 and XTerm.
Once again, Apple has been less than quick to deliver these updates to its customers. Please
read on.
Latest Headlines from IT INDUSTRY
