exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apple Security Advisory 2015-09-30-02

Apple Security Advisory 2015-09-30-02
Posted Oct 1, 2015
Authored by Apple | Site apple.com

Apple Security Advisory 2015-09-30-02 - Safari 9 is now available and addresses spoofing, communication compromise, and various other vulnerabilities.

tags | advisory, spoof, vulnerability
systems | apple
advisories | CVE-2015-3801, CVE-2015-5764, CVE-2015-5765, CVE-2015-5767, CVE-2015-5780, CVE-2015-5788, CVE-2015-5789, CVE-2015-5790, CVE-2015-5791, CVE-2015-5792, CVE-2015-5793, CVE-2015-5794, CVE-2015-5795, CVE-2015-5796, CVE-2015-5797, CVE-2015-5798, CVE-2015-5799, CVE-2015-5800, CVE-2015-5801, CVE-2015-5802, CVE-2015-5803, CVE-2015-5804, CVE-2015-5805, CVE-2015-5806, CVE-2015-5807, CVE-2015-5808, CVE-2015-5809, CVE-2015-5810
SHA-256 | f7eaab35b779b1ee16d519af96740060a307af52548f068b4694e3adf3b64512

Apple Security Advisory 2015-09-30-02

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2015-09-30-2 Safari 9

Safari 9 is now available and addresses the following:

Safari
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10.5 and OS X El Capitan v10.11
Impact: Visiting a malicious website may lead to user interface
spoofing
Description: Multiple user interface inconsistencies may have
allowed a malicious website to display an arbitrary URL. These issues
were addressed through improved URL display logic.
CVE-ID
CVE-2015-5764 : Antonio Sanso (@asanso) of Adobe
CVE-2015-5765 : Ron Masas
CVE-2015-5767 : Krystian Kloskowski via Secunia, Masato Kinugawa

Safari Downloads
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10.5 and OS X El Capitan v10.11
Impact: LaunchServices' quarantine history may reveal browsing
history
Description: Access to LaunchServices' quarantine history may have
revealed browsing history based on file downloads. This issue was
addressed through improved deletion of quarantine history.

Safari Extensions
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10.5 and OS X El Capitan v10.11
Impact: Local communication between Safari extensions and companion
apps may be compromised
Description: The local communication between Safari extensions such
as password managers and their native companion apps could be
comprised by another native app. This issue was addressed through a
new, authenticated communications channel between Safari extensions
and companion apps.

Safari Extensions
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10.5 and OS X El Capitan v10.11
Impact: Safari extensions may be replaced on disk
Description: A validated, user-installed Safari extension could be
replaced on disk without prompting the user. This issue was addressed
by improved validation of extensions.
CVE-ID
CVE-2015-5780 : Ben Toms of macmule.com

Safari Safe Browsing
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10.5 and OS X El Capitan v10.11
Impact: Navigating to the IP address of a known malicious website
may not trigger a security warning
Description: Safari's Safe Browsing feature did not warn users when
visiting known malicious websites by their IP addresses. The issue
was addressed through improved malicious site detection.
Rahul M (@rahulmfg) of TagsDock

WebKit
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10.5 and OS X El Capitan v10.11
Impact: Partially loaded images may exfiltrate data across origins
Description: A race condition existed in validation of image
origins. This issue was addressed by improved validation of resource
origins.
CVE-ID
CVE-2015-5788 : Apple

WebKit
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10.5 and OS X El Capitan v10.11
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-5789 : Apple
CVE-2015-5790 : Apple
CVE-2015-5791 : Apple
CVE-2015-5792 : Apple
CVE-2015-5793 : Apple
CVE-2015-5794 : Apple
CVE-2015-5795 : Apple
CVE-2015-5796 : Apple
CVE-2015-5797 : Apple
CVE-2015-5798 : Apple
CVE-2015-5799 : Apple
CVE-2015-5800 : Apple
CVE-2015-5801 : Apple
CVE-2015-5802 : Apple
CVE-2015-5803 : Apple
CVE-2015-5804 : Apple
CVE-2015-5805
CVE-2015-5806 : Apple
CVE-2015-5807 : Apple
CVE-2015-5808 : Joe Vennix
CVE-2015-5809 : Apple
CVE-2015-5810 : Apple
CVE-2015-5811 : Apple
CVE-2015-5812 : Apple
CVE-2015-5813 : Apple
CVE-2015-5814 : Apple
CVE-2015-5815 : Apple
CVE-2015-5816 : Apple
CVE-2015-5817 : Apple
CVE-2015-5818 : Apple
CVE-2015-5819 : Apple
CVE-2015-5821 : Apple
CVE-2015-5822 : Mark S. Miller of Google
CVE-2015-5823 : Apple

WebKit
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10.5 and OS X El Capitan v10.11
Impact: An attacker may be able to create unintended cookies for a
website
Description: WebKit would accept multiple cookies to be set in the
document.cookie API. This issue was addressed through improved
parsing.
CVE-ID
CVE-2015-3801 : Erling Ellingsen of Facebook

WebKit
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10.5 and OS X El Capitan v10.11
Impact: The Performance API may allow a malicious website to leak
browsing history, network activity, and mouse movements
Description: WebKit's Performance API could have allowed a malicious
website to leak browsing history, network activity, and mouse
movements by measuring time. This issue was addressed by limiting
time resolution.
CVE-ID
CVE-2015-5825 : Yossi Oren et al. of Columbia University's Network
Security Lab

WebKit
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10.5 and OS X El Capitan v10.11
Impact: Visiting a malicious website may lead to unintended dialing
Description: An issue existed in handling of tel://, facetime://,
and facetime-audio:// URLs. This issue was addressed through improved
URL handling.
CVE-ID
CVE-2015-5820 : Guillaume Ross, Andrei Neculaesei

WebKit CSS
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10.5 and OS X El Capitan v10.11
Impact: A malicious website may exfiltrate data cross-origin
Description: Safari allowed cross-origin stylesheets to be loaded
with non-CSS MIME types which could be used for cross-origin data
exfiltration. This issue was addressed by limiting MIME types for
cross-origin stylesheets.
CVE-ID
CVE-2015-5826 : filedescriptior, Chris Evans

WebKit JavaScript Bindings
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10.5 and OS X El Capitan v10.11
Impact: Object references may be leaked between isolated origins on
custom events, message events and pop state events
Description: An object leak issue broke the isolation boundary
between origins. This issue was addressed through improved isolation
between origins.
CVE-ID
CVE-2015-5827 : Gildas

WebKit Page Loading
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10.5 and OS X El Capitan v10.11
Impact: WebSockets may bypass mixed content policy enforcement
Description: An insufficient policy enforcement issue allowed
WebSockets to load mixed content. This issue was addressed by
extending mixed content policy enforcement to WebSockets.
Kevin G Jones of Higher Logic

WebKit Plug-ins
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10.5 and OS X El Capitan v10.11
Impact: Safari plugins may send an HTTP request without knowing the
request was redirected
Description: The Safari plugins API did not communicate to plugins
that a server-side redirect had happened. This could lead to
unauthorized requests. This issue was addressed through improved API
support.
CVE-ID
CVE-2015-5828 : Lorenzo Fontana

Safari 9 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJWDB23AAoJEBcWfLTuOo7teGkQAK3KZHfKYeJ6NJP2rdBCeGGE
0zPFtcgjzbHSOG1KB5Q/gHBChmVukmgC/QCCueKmA5TOxXjhuEj2CRpe/+Zf349H
zvfdvU2Q4qM7byOY/q7g77Cae6K/nrnX7FaHRjdREniZUBIsm826o69Qbpeudlns
n4IhPIaUPiq0M+o1EzPgnHWJ1GpHcFD7C0bZ6tSlBea8iJi2Ai9EOZUXaskJg2mx
9tCijYN8IVKGApJT3CiFUHgx9zgDq9vbWJ1spnxwK0IgYd8zhEf18sZZmdAd5szS
bpU1KyFsFRYqRjV4ctTBhj8FnZ4Cjxxq9xXXGNrrlsIXBBRDENNiwUaHhoiYVBjH
mPV76aNQjgImbi2T3gamUFZLSB8IdklMbFXo+HYUX3k4eDis0f/dFRoDb4XWfXiX
168c79nGIc6bDz+7tP7Z7gC9rYCJRdJqHObky+2K1A43Urp1EkgH8oy+a2EbstfY
wvoQ/kUkFsDY3NM4xwa9gqhdYFcJSQy0kfzcZB/LinjLSEBkG/7nu+XuWlrwSavJ
qLvUyUpdP5ei0Scmz8YCymrf2aMG4yZEN4PyUkBPPW2DgNiXgbE5K+8kHnqmUlRF
OJ9+P/2tIED63euI0n1UcrfLOHAEUgZe2jmVfye7BB9KreVh02u/ziFl46Gghdsd
TksTuX7uQIiE70E/qZlh
=FuAM
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close