14 DAY TRIAL // A highly critical Safari vulnerability, which facilitates remote code execution, has been disclosed as a zero-day at the end of last week. Because no patch is available the United States Computer Emergency Readiness Team (US-CERT) recommends disabling JavaScript entirely in the browser.
In a security advisory released on Friday, vulnerability intelligence company Secunia, warns that the latest version of Safari for Windows (4.0.5) is vulnerable to remote attacks that can result in sensitive information disclosure or arbitrary code execution. "A vulnerability and a security issue have been discovered in Apple Safari, which may lead to exposure of sensitive information or can be exploited by malicious people to compromise a user's system," the company writes.
Secunia rates the remote code execution bug as highly critical and credits Polish security researcher Krystian Kloskowski with its discovery. The problem results from improper handling of reference to window objects. "Safari can allow a window object to be deleted while references to the object may still exist. If JavaScript code then attempts to use the deleted window object, this can result in the use of an invalid pointer. This pointer can be controlled by an attacker through the use of JavaScript," US-CERT explains in its own advisory.
The Secunia report also mentions a separate sensitive information disclosure issue discovered by Vin Lisciandro. "Safari includes HTTP basic authentication credentials in an HTTP request if a web page that requires HTTP basic authentication redirects to a different domain (e.g. via a 'Location' header)," the Danish vulnerability management vendor informs.
Since there is no patch available, the only mitigation for the code execution attack involves disabling the browser's JavaScript support entirely. This can be done by opening Safari's Preferences menu, going to the Security tab and clearing the "Enable JavaScript" checkbox.