Krystian Kloskowski discovered the zero-day exploit, which could lead to drive-by malware downloads via the Apple Safari web browser. This is according to a security advisory issued by Secunia, a Copenhagen-based provider of application security services.
The security vendor rates this particular code execution vulnerability as “highly critical” in its security advisory. “The vulnerability is caused due to an error in the handling of parent windows and can result in a function call using an invalid pointer”, noted the Safari advisory. “This can be exploited to execute arbitrary code when a user, e.g., visits a specially crafted web page and closes opened pop-up windows.”
It’s not entirely clear if this would affect the Mac version of the Safari browser, as this vulnerability has only thus far been demonstrated in version 4.0.5 for Windows. Secunia warns, however, that the exploit may affect other versions of Safari as well.
Peter James from Mac security provider Intego said there was a good possibility that the Mac version of Safari was susceptible to this exploit “since the two programs share a large part of their code base”. In his security blog, the Intego spokesperson said his company would keep tabs on this unpatched security flaw, confirming the severity of the Safari hole.