An error in the handling of parent windows can result in a function call using an invalid pointer. This can be exploited to execute arbitrary code when a user e.g. visits a specially crafted web page and closes opened pop-up windows, Secunia announced.
The security issue is caused due to Safari including HTTP basic authentication credentials in an HTTP request if a web page that requires HTTP basic authentication redirects to a different domain (e.g. via a "Location" header).
The vulnerability and the security issue are confirmed in Safari version 4.0.5 for Windows.
The company recommends users not to visit untrusted web sites or follow links from untrusted sources. In addition, users should not authenticate to sites that use HTTP basic authentication and use redirections to different domains.
US-CERT also confirmed the vulnerability affecting Apple Safari.
"By convincing a user to open a specially crafted web page, an attacker may be able to execute arbitrary code. Exploit code for this vulnerability is publicly available," US-CERT said.