Safari 3.1.1 Flaws Patched, Charlie Miller Exploit
April 16, 2008
Apple has released Safari 3.1.1 for Mac and Windows to address four security issues, one of which was exploited by security expert Charlie Miller to gain access to a MacBook Air OSX 10.5.2 computer three weeks ago.
Back in March, Miller was taking part in the CanSecWest Conference in Vancouver, Canada, where computer experts were invited to break into any of three machines - a MacBook Air running OSX 10.5.2, Sony Vaio VGN-TZ37CN running Vista SP1, and the Fujitsu U810 notebook running Ubuntu 7.10.
Miller, who works as an analyst at Independent Security Evaluators, chose the Apple Inc operating system for a simple reason: “It was the easiest one of the three,” he said. He managed to hack into the MacBook Air in only 2 minutes by visiting a Web site with exploit code he created. The code allowed him to take control of the computer through Apple’s Safari browser.
According to Apple’s security release notes, the following update concerns Charlie Miller’s exploit (CVE-2008-1026):
A heap buffer overflow exists in WebKit’s handling of JavaScript regular expressions. The issue may be triggered via JavaScript when processing regular expressions with large, nested repetition counts. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions.
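Apple's note does not say what the additional validation consists of. One form such a check can take, as an added example that is not WebKit's or Apple's code: bound the expanded size of nested repetition counts with overflow-checked arithmetic before any buffer is sized from it. The simplified grammar (literals, groups, `{n}`, `{n,}` and `{n,m}` quantifiers), the caps and all function names are assumptions.

```c
#include <ctype.h>
#include <stddef.h>

#define MAX_UNITS 65536u  /* assumed cap on expanded pattern size */
#define MAX_DEPTH 64      /* assumed cap on group nesting */

/* Read a decimal count; fail if it is missing or already above the cap. */
static int read_num(const char **p, size_t *n) {
    if (!isdigit((unsigned char)**p)) return 0;
    for (*n = 0; isdigit((unsigned char)**p); ++*p) {
        *n = *n * 10 + (size_t)(**p - '0');
        if (*n > MAX_UNITS) return 0;
    }
    return 1;
}

/* Sum the expanded size of one sequence, stopping at ')' or end of string. */
static int parse_seq(const char **p, int depth, size_t *cost) {
    size_t total = 0;
    while (**p && **p != ')') {
        size_t atom = 1, count = 1;
        if (**p == '(') {                 /* group: its size is its contents */
            ++*p;
            if (depth >= MAX_DEPTH || !parse_seq(p, depth + 1, &atom) || **p != ')')
                return 0;
        }
        ++*p;                             /* consume the literal or the ')' */
        if (**p == '{') {                 /* {n}, {n,} or {n,m}: keep the upper bound */
            ++*p;
            if (!read_num(p, &count)) return 0;
            if (**p == ',' && *++*p != '}' && !read_num(p, &count)) return 0;
            if (*(*p)++ != '}') return 0;
        }
        /* Checked multiply: nested counts compound, so test before computing. */
        if (count != 0 && atom > MAX_UNITS / count) return 0;
        total += atom * count;
        if (total > MAX_UNITS) return 0;
    }
    *cost = total;
    return 1;
}

/* Returns 1 and stores the expanded size if the pattern is within limits. */
int regex_repeat_ok(const char *pat, size_t *units) {
    const char *p = pat;
    return parse_seq(&p, 0, units) && *p == '\0';
}
```

Three nested `{100}` groups expand to 1,000,000 units and are rejected, while the same shape with `{10}` (1,000 units) passes.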
Another update for Mac includes changes to WebKit to improve handling of URLs in order to prevent a cross-site scripting attack (CVE-2008-1025). WebKit, an open-source Web browser engine used by Safari, is also part of Apple’s Dashboard and Mail software.
The Safari update for Windows XP and Vista (CVE-2007-2398) addresses a timing issue in Safari 3.1 which allows a web page to change the contents of the address bar and spoof the contents of a legitimate site, allowing user credentials to be compromised.
Another Safari update for XP and Vista (CVE-2008-1024) deals with a memory corruption issue in Safari’s file downloading, which may allow an attacker to cause an unexpected application termination or arbitrary code execution.
Safari 3.1.1 is available as a free download from the Apple Downloads web site. Apple’s release notes state that this update is “recommended for all Safari users and includes improvements to stability, compatibility and security.”


