'Highly critical' bug found in latest version of Safari

Safari logo

A "highly critical" zero-day flaw has been discovered in the latest version of Apple's Safari browser that could allow attackers to infect Windows PCs with malicious code.

The vulnerability, discovered by Polish security researcher Krystian Kloskowski on Friday, was first reported by Danish vulnerability tracking service Secunia and confirmed by the US Computer Emergency Readiness Team (US-CERT). It has been confirmed for version 4.0.5 of Safari for Windows, while there are unconfirmed reports that the latest Mac version may also be vulnerable.

According to Secunia's alert, which rated the vulnerability "highly critical" the second highest rating in its five-step threat-assessment system the bug is caused by an error in the handling of the browser's parent windows, and can result in a "function call using an invalid pointer".

Attackers can subsequently exploit the vulnerability by creating a malicious website and enticing users to visit the page, unwittingly downloading malicious code onto their computers by visiting the site and closing opened pop-up windows.

US-CERT added that another scenario could see attackers duping users into opening rigged HTML-based emails within Safari.

Apple has yet to respond to the reports. Until a patch has been issued, US-CERT advises disabling Javascript on affected versions of the browser to reduce the threat. This can be done in Safari's Preferences menu.

While Kloskowski's original report included a proof-of-concept build, so far there have been no reports of any real-world attempts to exploit the vulnerability.