Another Zero-Day Hole Found in Safari
Safari 4.0.5 has what researchers are calling a "highly critical" vulnerability that can potentially allow a hacker to install malware on Windows PCs. Analysts from Secunia, the security service provider from Denmark, believe that the same hole could exist on the Mac version as well, but this has not yet been confirmed. As yet there have been no known attacks in the wild exploiting the vulnerability.
The zero-day hole involves a bug in the way Safari handles parent windows that would allow an attacker "to execute arbitrary code when a user visits a specially-crafted webpage and closes opened pop-up windows," Secunia's advisory reads. The US government's Computer Emergency Readiness Team (CERT) confirmed the vulnerability, and additionally notes that the hole can be exploited by HTML mail that's read using Safari, putting users of services like Gmail and Hotmail at risk. The US CERT warns that "exploit code for this vulnerability is publicly available."
Polish researcher Krystian Koskowski discovered the hole and demonstrated a proof-of-concept exploit in Secunia's labs. The firm rates the vulnerability "highly critical," the second-highest rating on its five-level scale.