Apple issues patch for Safari, as details of AutoFill vulnerability will be demonstrated today at the Black Hat conference
Apple has issued a fix for its Safari browser ahead of a demonstration of a vulnerability at the Black Hat conference later today.
Jeremiah Grossman, founder and CTO of WhiteHat Security, will present the vulnerability at the conference in Las Vegas, Nevada, later today. According to Kaspersky's Threat Post website, the major update to Safari includes a number of security fixes, most importantly a patch for the AutoFill vulnerability, which was recently disclosed by Grossman.
Safari 5.0, which was released on Wednesday by Apple, gives users protection against several flaws, including the AutoFill weakness, which enabled attackers to harvest a users' personal information from the browser.
In a blog update last week entitled 'I know who your name, where you work, and live', Grossman pointed to the AutoFIll feature as being vulnerable, and said that 'essentially we are hacking autocomplete functionality'. Upon delivering a vulnerability disclosure prior to public discussion to Apple on 17th June, Grossman said that he received 'a gleeful auto-response', and until the patch was issued he had 'no idea when or if Apple plans to fix the issue, or even if they are aware', but said that Safari users only need to disable AutoFill web forms to protect themselves.
The new version of Safari also fixes 14 vulnerabilities in WebKit, the open source layout engine that Safari uses.
Andrew Storms, director of operations at nCircle, said: “Every year at least one vendor is coerced into releasing a security fix on the heels of a Black Hat presentation. Apple's Safari update seems to anticipate - at least in part - the response to Jeremiah Grossman's talk about autocomplete flaws in web browsers. With or without the Black Hat related hype, this release contains enough critical bugs to warrant quick installation.”
The Black Hat conference, which started yesterday, is also set to reveal flaws in SSL certification and ATM machines, according to media reports. White Hat hacker Chris Paget will also demonstrate a phone vulnerability at the Def Con conference, also held in Las Vegas, where he will reportedly hack into the mobile phones of delegates.