Security threats Toolkit

Apple patches Safari phishing flaw

Tags:
Apple Filing Protocol,
Patch,
SquirrelMail,
Cyrus

Published: 22 Mar 2005 09:15 GMT

Apple has released nearly a dozen fixes for flaws in its Mac OS operating system, including a script for preventing phishers from fooling users of its Safari browser.

The script, released Monday, tackles a pernicious phishing problem in browsers. The loophole could allow an attacker to use certain characters from different languages to create legitimate-looking Web addresses that actually send victims to malicious Web sites. The security problem affected all browsers that supported Internationalised Domain Names, or IDN, and is not Apple-specific.

"For example, the Cyrillic letter 'a' could be used in place of the Latin letter 'a,' making it difficult for a user to tell if they are at www.apple.com or a malicious imposter website that's designed to look like the real one," the company said in an advisory discussing the problem. "These sites can be used to collect account numbers, passwords and other personal information."

Other browsers affected by the IDN security issue include the Mozilla Foundation's Mozilla and Firefox, and Opera. Both Mozilla and Opera Software have issued fixes for the problem. Microsoft's Internet Explorer does not support IDN, so it is not vulnerable to such attacks. However, plug-ins that add IDN functionality to Internet Explorer do put it at risk.

The newly released patches take care of flaws in the Apple Filing Protocol server and the Samba filing-sharing server, as well as multiple issues with the Cyrus authentication software, Mailman, SquirrelMail and Cyrus mail software.

The patches can be downloaded from Apple's Web site or automatically installed via Apple's Software Update tool.

Apple has moved to a regular release schedule, publishing fixes every month. The first major company to embrace a monthly patch process was Microsoft, and database maker Oracle has also moved to regular releases, but on a quarterly basis.