Identity Theft News

Apple patches Safari web browser security flaws

Wednesday, August 12, 2009

Apple issued six security bulletins on Tuesday for its Safari web browser, version 4.0.3, including a flaw in Top Sites that could allow an attacker to insert malicious sites in the browser for a phishing attack.

Safari 4's Top Sites feature allows users to see their favorite websites previewed within the browser. Apple said a security flaw in this feature could allow a malicious website to promote arbitrary sites into the Top Sites view through automated actions, including sites designed for stealing personal information in a phishing attack.

Apple said it addressed the issue by preventing automated website visits from affecting the Top Sites list.

"Only websites that the user visits manually can be included in the Top Sites list," Apple said in its security bulletin. "As a note, Safari enables fraudulent site detection by default. Since the introduction of the Top Sites feature, fraudulent sites are not displayed in the Top Sites view."

Another flaw in WebKit, the browser engine that drives Safari, could allow attackers to insert look-alike characters in URLs to direct users to phishing websites.

Last week, the company issued patches for Mac OS X 10.5.8, called Leopard. That update contained several non-security fixes for technical errors in the Safari web browser version 4.0.2.