Apple Fixes CanSecWest Hole
Written by Rebecca Mints   
Wednesday, 16 April 2008 18:00

The vulnerability that won Charlie Miller $10,000 and a MacBook in the "PWN to Own" contest, held in late March at the CanSecWest security conference in Vancouver, B.C., has been plugged by Apple in its latest update, Safari 3.1.1. The update addresses several other vulnerabilities as well.


The flaw Charlie Miller used to win the contest at CanSecWest is tracked as CVE-2008-1026. A carefully crafted Web page could use it to execute code on the visitor's machine. Apple's summary of the issue: "A heap buffer overflow exists in WebKit’s handling of JavaScript regular expressions. The issue may be triggered via JavaScript when processing regular expressions with large, nested repetition counts. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions." Safari is affected on Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2, and Windows XP or Vista.
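Apple's fix is described only as "additional validation of JavaScript regular expressions". The following is an added example, not code from Apple or WebKit, showing what such validation looks like from the web application side: before an untrusted pattern is handed to `new RegExp`, the counted quantifiers (`{m}`, `{m,}`, `{m,n}`) are parsed and the pattern is rejected if its nested repetition counts multiply out past a budget. The budget value, the function names (`nestedRepetitionCount`, `isPatternWithinBudget`, `safeRegExp`) and the sample patterns are assumptions constructed for illustration; the nested `(a{1000}){1000}` shape only illustrates what "large, nested repetition counts" means and is not claimed to be a trigger for CVE-2008-1026.

```javascript
// Added example, not code from Apple or WebKit. Rejects regular-expression
// patterns whose nested counted quantifiers ({m}, {m,}, {m,n}) multiply out
// past a budget, before they reach `new RegExp`. The budget and the parsing
// rules below are assumptions for illustration, not WebKit's actual check.

const MAX_REPETITION_PRODUCT = 100000; // assumed budget

// Parse a counted quantifier at pattern[i]. Returns {count, next} or null if
// the brace is not a well-formed quantifier (JavaScript then treats it as a
// literal "{"). For {m,} the open-ended form is counted as m, on the
// assumption that only the bounded part is expanded.
function parseCountedQuantifier(pattern, i) {
  const m = /^\{(\d+)(?:,(\d*))?\}/.exec(pattern.slice(i));
  if (!m) return null;
  const lo = Number(m[1]);
  const hi = m[2] === undefined || m[2] === "" ? lo : Number(m[2]);
  return { count: Math.max(lo, hi), next: i + m[0].length };
}

// Largest nested repetition product in the pattern: for `(a{1000}){1000}`
// this is 1000 * 1000. Each open group tracks the largest product inside it;
// when the group closes, its own quantifier multiplies that value and the
// result is folded into the enclosing group.
function nestedRepetitionCount(pattern) {
  const stack = [1]; // stack[0] is the top level
  let i = 0;

  // Multiply `base` by the counted quantifier at position i, if any.
  function applyQuantifier(base) {
    const q = parseCountedQuantifier(pattern, i);
    if (!q) return base;
    i = q.next;
    return base * q.count;
  }
  function fold(value) {
    const top = stack.length - 1;
    stack[top] = Math.max(stack[top], value);
  }

  while (i < pattern.length) {
    const ch = pattern[i];
    if (ch === "(") { stack.push(1); i++; continue; }
    if (ch === ")") {
      const inner = stack.pop();
      if (stack.length === 0) throw new Error("unbalanced ')' in pattern");
      i++;
      fold(applyQuantifier(inner));
      continue;
    }
    if (ch === "\\") {
      i += 2; // escaped atom, e.g. \d or \{
    } else if (ch === "[") {
      // skip a character class; braces inside it are literals
      let j = i + 1;
      while (j < pattern.length && pattern[j] !== "]") j += pattern[j] === "\\" ? 2 : 1;
      i = j + 1;
    } else {
      i++; // any other single-character atom
    }
    fold(applyQuantifier(1));
  }
  if (stack.length !== 1) throw new Error("unbalanced '(' in pattern");
  return stack[0];
}

function isPatternWithinBudget(pattern) {
  return nestedRepetitionCount(pattern) <= MAX_REPETITION_PRODUCT;
}

// Compile an untrusted pattern only after the budget check passes.
function safeRegExp(pattern, flags = "") {
  if (!isPatternWithinBudget(pattern)) {
    throw new RangeError("regular expression exceeds repetition budget");
  }
  return new RegExp(pattern, flags);
}

// Constructed sample inputs (not known triggers of the vulnerability).
const samples = ["\\d{4}-\\d{2}", "(ab){3,10}c", "((x{100}){100}){100}"];
for (const p of samples) {
  console.log(p, "=>", nestedRepetitionCount(p), isPatternWithinBudget(p) ? "ok" : "rejected");
}
```

The check deliberately ignores `*`, `+` and `?`, which are unbounded loops rather than expanded counts; it is a guard for the specific class of input the advisory describes, not a substitute for the browser's own fix.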


Along with Miller's bug, Apple addressed several other vulnerabilities in the same update.

CVE-2008-1025 is a cross-site scripting (XSS) vulnerability. Apple commented: "An issue exists in WebKit’s handling of URLs containing a colon character in the host name. Opening a maliciously crafted URL may lead to a cross-site scripting attack. This update addresses the issue through improved handling of URLs." It affects Safari on Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2, and Windows XP or Vista.

CVE-2008-1024 was also fixed. It is a memory corruption issue in Safari's file downloading; an unsuspecting user visiting a maliciously crafted Web site could trigger an unexpected application termination or possibly arbitrary code execution.

The last, CVE-2008-2398, also affects Safari on Windows XP and Vista. Again triggered by visiting a maliciously crafted Web site, it allows the page to control the contents of the address bar. Although this is an old issue that was fixed in Safari Beta 3.0.2, it somehow reappeared in Safari 3.1.



REFERENCES:
ZDNet, "Apple plugs Pwn2Own winning vulnerability"