By Lisa Vaas
June 25, 2007
Apple has updates out for security problems in WebCore, Mac OS X's HTML
layout engine, and WebKit, the application framework that serves as an
underpinning for Apple's Safari browser as well as many other Mac OS X
applications.
Security Update 2007-006 takes care of an HTTP injection bug in WebCore's
XMLHttpRequest that occurs when it serializes headers into an HTTP
request: characters that the engine should have refused could reach the
outgoing request, letting a script inject headers of its own. The
vulnerability can lead to cross-site scripting attacks if a victim is
lured to a maliciously crafted site.
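The usual mechanism behind an XMLHttpRequest header-injection bug is a header value containing a carriage return or line feed: because HTTP separates header lines with CRLF, a value that is copied into the request unchecked can end the header it was set on and append further headers, or even a whole second request. The following is an added illustration written for this article, not WebCore or WebKit source; the serializer functions, the hypothetical header name X-Count and the hosts app.example and bank.example are constructed for the demonstration. It places a naive serializer beside one that applies the checks the XMLHttpRequest standard now requires of setRequestHeader(): names restricted to HTTP token characters, values with no CR, LF or NUL.

```javascript
// Added illustration, not WebCore code: one XMLHttpRequest becoming two
// when a header value carrying CRLF is serialized verbatim, beside the
// validation that prevents it. Helper names are hypothetical.

const CRLF = "\r\n";

// Naive serializer: copies header names and values into the request
// unchanged. This is the class of defect the article describes.
function serializeNaive(method, path, host, headers) {
  let out = `${method} ${path} HTTP/1.1${CRLF}Host: ${host}${CRLF}`;
  for (const [name, value] of Object.entries(headers)) {
    out += `${name}: ${value}${CRLF}`;
  }
  return out + CRLF;
}

// Header-name grammar (the RFC 7230 "token" characters) and a value
// check that rejects CR, LF and NUL.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isValidHeaderName(name) {
  return TOKEN.test(name);
}

function isValidHeaderValue(value) {
  return !/[\r\n\0]/.test(value);
}

// Hardened serializer: refuses a request rather than emitting a bad one.
function serializeSafe(method, path, host, headers) {
  let out = `${method} ${path} HTTP/1.1${CRLF}Host: ${host}${CRLF}`;
  for (const [name, value] of Object.entries(headers)) {
    if (!isValidHeaderName(name)) {
      throw new SyntaxError(`invalid header name: ${JSON.stringify(name)}`);
    }
    if (!isValidHeaderValue(value)) {
      throw new SyntaxError(`invalid header value for ${name}`);
    }
    out += `${name}: ${value}${CRLF}`;
  }
  return out + CRLF;
}

// How many request lines does the serialized byte string contain? A
// legitimate request has exactly one.
function countRequests(raw) {
  return raw.split(CRLF).filter((l) => /^[A-Z]+ \S+ HTTP\/1\.1$/.test(l)).length;
}

// Constructed attacker-controlled value: terminates the X-Count header,
// ends the header block with a blank line, and starts a second request
// aimed at another host.
const smuggled =
  "1" + CRLF + CRLF + "GET /victim HTTP/1.1" + CRLF + "Host: bank.example";

const naive = serializeNaive("POST", "/api", "app.example", { "X-Count": smuggled });
console.log(countRequests(naive)); // 2: a second request rides on the first

try {
  serializeSafe("POST", "/api", "app.example", { "X-Count": smuggled });
} catch (e) {
  console.log(`rejected: ${e.message}`);
}
```

Run it with Node: the naive serializer emits two request lines, while the hardened one throws before anything is written to the wire. The same value check belongs on any code path that copies script-controlled strings into a protocol with line-based framing, not only on XMLHttpRequest.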
The WebCore issue affects Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac
OS X v10.4.9 or later, and Mac OS X Server v10.4.9 or later.
The other issue, in Apple's WebKit browser engine, could likewise expose
a Mac OS X application user to attack if he or she visited a maliciously
crafted site.
WebKit serves as an engine not only for the Safari browser but also for
many other Mac OS X applications, including Dashboard, a set of widgets
that delivers real-time weather, stock tickers, flight status and other
information, and Mail, the Apple mail client provided with every Mac
operating system installation.
The problem with WebKit is an invalid type conversion when rendering
frame sets, which can lead to memory corruption. Results range from the
application crashing up to a targeted system being hijacked through
arbitrary code execution with the privileges of the user running the
affected application.
Apple's update for the WebKit glitch is available for Mac OS X v10.3.9,
Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, and Mac OS X Server
v10.4.9 or later.
These updates can be downloaded and installed automatically via Apple's
Software Update preferences, or from Apple Downloads.