Apple, Mozilla patch browser security problems


Apple and Mozilla on Wednesday issued patches to their browser products, Safari and Firefox.

For Apple's Safari, the patch fixes vulnerabilities that could be exploited to launch cross-site scripting attacks or execute arbitrary code, triggered when a user visits a malicious website.

The problem lies in the WebKit open-source HTML rendering engine used by Safari. Specifically, an error exists in the handling of URLs containing a colon character in the host name, according to vulnerability tracking firm Secunia.

This can be exploited to conduct cross-site scripting attacks when a specially crafted URL is opened. Also, an integer overflow error exists that can be exploited to cause a buffer overflow via specially crafted regular expressions.
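The Secunia description above, a colon in the host name being mishandled, is an instance of URL-authority ambiguity: a colon can be the port separator, part of an IPv6 literal, or part of userinfo, and a lenient parser that guesses can disagree with the origin a security check assumed. The following is an added example, not code from the article, Apple, or the WebKit project, of a strict host extractor along RFC 3986 lines that refuses any authority whose host cannot be read unambiguously. The function names, the `Host` tuple and the sample URLs are constructed for this example.

```python
import re
from typing import NamedTuple, Optional

# RFC 3986 reg-name = *( unreserved / pct-encoded / sub-delims ); note no ':'.
_REG_NAME = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})+$")
# Loose shape check for a bracketed IPv6 literal; colons are legal only in here.
_IPV6_LITERAL = re.compile(r"^\[[0-9A-Fa-f:.]+\]$")
_DIGITS = re.compile(r"^[0-9]+$")
_SCHEME_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")


class Host(NamedTuple):
    host: str
    port: Optional[int]


def parse_host(url: str) -> Host:
    """Return the (host, port) of a hierarchical URL, or raise ValueError.

    Unlike a lenient browser parser, this refuses to guess: every colon in
    the authority must be the single port separator, be inside a bracketed
    IPv6 literal, or sit in the userinfo before the last '@'.
    """
    m = _SCHEME_AUTHORITY.match(url)
    if not m:
        raise ValueError("not a hierarchical URL with an authority")
    authority = m.group(1)
    # userinfo ends at the last '@'; whatever follows is host[:port]
    hostport = authority.rsplit("@", 1)[-1]

    if hostport.startswith("["):
        end = hostport.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = hostport[: end + 1], hostport[end + 1 :]
        if not _IPV6_LITERAL.match(host):
            raise ValueError(f"malformed IPv6 literal: {host!r}")
        if rest == "":
            port_text = None
        elif rest.startswith(":"):
            port_text = rest[1:]
        else:
            raise ValueError(f"unexpected text after IPv6 literal: {rest!r}")
    else:
        host, sep, port_text = hostport.partition(":")
        if not sep:
            port_text = None
        if not _REG_NAME.match(host):
            raise ValueError(f"illegal character or empty host: {host!r}")

    port = None
    if port_text is not None:
        # RFC 3986 allows an empty port ("host:"); rejected here so that
        # every colon is accounted for by a real port number.
        if not _DIGITS.match(port_text):
            raise ValueError(f"port is not a decimal number: {port_text!r}")
        port = int(port_text)
        if port > 65535:
            raise ValueError(f"port out of range: {port}")
    return Host(host, port)


def is_safe_url(url: str) -> bool:
    """True if the URL's host parses unambiguously under the strict rules."""
    try:
        parse_host(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    samples = [
        "http://example.com:8080/path",       # plain host with port
        "https://user:pw@example.com/",       # colon inside userinfo is fine
        "http://[::1]:443/",                   # colons inside IPv6 literal are fine
        "http://example.com:80@evil.test/",    # host is evil.test, not example.com
        "http://a:b:c/",                       # second colon: rejected
        "http://example.com:abc/",             # non-numeric port: rejected
        "http://exa mple.com/",                # illegal host character: rejected
    ]
    for url in samples:
        try:
            print(f"{url:40} -> {parse_host(url)}")
        except ValueError as exc:
            print(f"{url:40} -> REJECTED ({exc})")
```

The useful lesson for a defender is the fourth sample: an allowlist check that compares the raw string against `example.com` would pass it, while a correct authority parse shows the request is bound for `evil.test`. Origin checks should be made on the parsed host, using a parser at least as strict as the one the browser or server will actually use.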

Apple's patches fix the Windows version of Safari, as well as the version designed for Macs, which are affected to a lesser degree. Four vulnerabilities patched affect the Windows version, while only two impact the Safari for Mac version.

Windows users can obtain the latest version using the bundled Apple Software Update application, while Mac users get it with a built-in software update feature.

The Firefox update fixes a vulnerability in the way Firefox handles JavaScript garbage collection, which can be exploited to cause memory corruption and possibly allow execution of arbitrary code.

According to Mozilla, "This is being fixed primarily to address stability concerns. We have no demonstration that the garbage collection crash is exploitable, but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past."

The vulnerability affects version 2.0.0.13, though prior versions may also be affected.

Mozilla's Thunderbird email client shares the Firefox browser engine and could be vulnerable if JavaScript is enabled in email. The fix is contained in Firefox 2.0.0.14.

 
