Security Experts:

Apple Plugs Gaping Holes in Safari Browser

One month after a group of Chinese researchers exploited a critical WebKit bug to break into -- and hijack private data -- from a fully patched iPhone, Apple has shipped a Safari update to fix the vulnerability.

The patch, available for Safari 6.1.1 and Safari 7.0.1, fixes a total of nine security vulnerabilities, the most serious of which allows malicious hackers to launch drive-by downloads using rigged Web sites.

Safari Security Fixes

The new Safari update comes just over a month after Keen Team, a group of Chinese researchers, demonstrated two iPhone exploits via Safari to capture Facebook credentials (iOS version 7.0.3) and hijack photographs (iOS aversion 6.1.4).

Keen Team's exploits were delivered as part of the Mobile Pwn2Own hacking challenge at the PacSecWest security conference in Japan.

Here's the explanation from HP, one of the Pwn2Own sponsors:

The first was an application exploit. Via Safari, the team were able to steal a Facebook cookie that was then exfiltrated and used to compromise the targeted Facebook account from another machine. In order for the exploit to work, a user would need to click on a link in an email, an SMS, or a web page, so some social engineering would be required to prompt a user to take an action before their credentials could be compromised.

According to documentation from Apple, the security holes resided in WebKit. The company confirmed that visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

The Safari update also includes a patch for a bug that disclosed user credentials to an unexpected site via autofill.

"Safari may have autofilled user names and passwords into a subframe from a different domain than the main frame. This issue was addressed through improved origin tracking," Apple explained.

Related: Hackers Demo Two iPhone Exploits via Safari at Mobile Pwn2Own

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a journalist and cybersecurity strategist with more than 20 years experience covering IT security and technology trends. He is a regular speaker at cybersecurity conferences around the world. Ryan has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's career as a journalist includes bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Follow Ryan on Twitter @ryanaraine.