----------------------------------------------------------------------
Secunia CSI integrated with Microsoft WSUS and Microsoft SCCM for 3rd party Patch Management
Free webinars
http://secunia.com/vulnerability_scanning/corporate/webinars/
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA40105
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40105/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=40105
RELEASE DATE:
2010-06-09
DISCUSS ADVISORY:
http://secunia.com/advisories/40105/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/40105/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=40105
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Apple Safari, which can be
exploited by malicious people to bypass certain security restrictions,
disclose sensitive information, conduct spoofing or cross-site
scripting attacks, and potentially compromise a user's system.
1) An error when processing ColorSync profiles embedded in a
specially crafted image can be exploited to potentially execute
arbitrary code.
This is related to vulnerability #2 in:
SA36096
2) The browser follows links containing arbitrary user information
without warning, which can be exploited to facilitate phishing
attacks via specially crafted URLs.
3) A use-after-free error when handling PDF files can be exploited to
potentially execute arbitrary code.
4) An error in WebKit when handling clipboard URLs can be exploited
to disclose sensitive files if a user is tricked into dragging or
pasting links or images to a malicious website.
5) An error in WebKit when a selection from a website is dragged or
pasted into another website can be exploited to potentially execute
arbitrary JavaScript code in the context of the destination website.
6) An error in WebKit when handling UTF-7 encoded text can be
exploited to leave an HTML quoted string unterminated and facilitate
cross-site scripting attacks.
7) An input sanitisation error in WebKit when handling Local Storage
and Web SQL databases can be exploited to create database files in
arbitrary directories via directory traversal attacks.
8) A use-after-free error in WebKit when rendering HTML buttons can
be exploited to potentially execute arbitrary code.
9) A use-after-free error in WebKit when handling attribute
manipulations can be exploited to potentially execute arbitrary
code.
10) An error in WebKit when handling HTML document fragments can be
exploited to execute arbitrary JavaScript code in a legitimate
context processing foreign HTML fragments.
11) An error in WebKit when handling keyboard focus can be exploited
to deliver key press events intended for a different frame.
12) An error in WebKit when handling DOM constructor objects can be
exploited to conduct cross-site scripting attacks.
13) A use-after-free error in WebKit when handling the removal of
container elements can be exploited to potentially execute arbitrary
code.
14) A use-after-free error in WebKit when rendering a selection at
the time of a layout change can be exploited to potentially execute
arbitrary code.
15) An error in WebKit when handling ordered list insertions can be
exploited to corrupt memory and potentially execute arbitrary code.
16) An uninitialised memory access error in WebKit when handling
selection changes on form input elements can be exploited to
potentially execute arbitrary code.
17) A use-after-free error in WebKit when handling caption elements
can be exploited to potentially execute arbitrary code.
18) A use-after-free error in WebKit when handling the
":first-letter" pseudo-element in cascading stylesheets can be
exploited to potentially execute arbitrary code.
19) A double-free error in WebKit when handling event listeners in
SVG documents can be exploited to potentially execute arbitrary
code.
20) An uninitialised memory access error in WebKit when handling
"use" elements in SVG documents can be exploited to potentially
execute arbitrary code.
21) A use-after-free error in WebKit when handling SVG documents with
multiple "use" elements can be exploited to potentially execute
arbitrary code.
22) An error in WebKit when handling nested "use" elements in SVG
documents can be exploited to corrupt memory and potentially execute
arbitrary code.
23) A use-after-free error in WebKit when handling CSS run-ins can be
exploited to potentially execute arbitrary code.
24) A use-after-free error in WebKit when handling HTML elements with
custom vertical positioning can be exploited to potentially execute
arbitrary code.
25) An error exists in WebKit when visiting HTTPS websites
redirecting to HTTP websites. This can be exploited to disclose
potentially sensitive information contained in the HTTPS URL by
reading the "Referer" header.
26) An integer truncation error in WebKit when handling TCP requests
can be exploited to pass arbitrary data to arbitrary TCP ports.
27) An error in WebKit when processing connections to IRC ports can
be exploited to send arbitrary data to arbitrary IRC servers.
28) A use-after-free error in WebKit when handling hover events can
be exploited to potentially execute arbitrary code.
29) An error in WebKit can be exploited to read NTLM credentials that
are incorrectly transmitted in plain-text via Man-in-the-Middle (MitM)
attacks.
30) A use-after-free error in WebKit when handling the "removeChild"
DOM method can be exploited to potentially execute arbitrary code.
31) An error in WebKit when handling libxml contexts can be exploited
to potentially execute arbitrary code.
32) An error in WebKit when handling a canvas with an SVG image
pattern can be exploited to load and capture an image from another
website.
33) An error in WebKit when rendering CSS-styled HTML content with
multiple ":after" pseudo-selectors can be exploited to corrupt memory
and potentially execute arbitrary code.
34) An error in WebKit when handling the "src" attribute of a frame
element can be exploited to facilitate cross-site scripting attacks.
35) A use-after-free error in WebKit when handling drag and drop
operations can be exploited to potentially execute arbitrary code.
36) An error in the implementation of the JavaScript "execCommand"
function can be exploited to modify the contents of the clipboard.
37) An error when handling malformed URLs can be exploited to bypass
the same-origin policy and execute arbitrary script code in the
context of a different domain.
38) A use-after-free error in WebKit when handling DOM "Range"
objects can be exploited to potentially execute arbitrary code.
39) A use-after-free error in WebKit when handling the
"Node.normalize()" method can be exploited to potentially execute
arbitrary code.
40) A use-after-free error in WebKit when rendering HTML document
subtrees can be exploited to potentially execute arbitrary code.
41) An error in WebKit when handling HTML content in "textarea"
elements can be exploited to conduct cross-site scripting attacks.
42) An error in WebKit when visiting a website which redirects form
submissions to a redirecting website can be exploited to disclose
submitted data.
43) A type checking error in WebKit when handling text nodes can be
exploited to potentially execute arbitrary code.
44) A use-after-free error in WebKit when handling fonts can be
exploited to potentially execute arbitrary code.
45) An error in WebKit when handling HTML tables can be exploited to
trigger an out-of-bounds memory access and potentially execute
arbitrary code.
46) An error in WebKit when handling the CSS ":visited" pseudo-class
can be exploited to disclose visited websites.
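As an added example, not taken from the advisory or from WebKit, the following Python models the validation mistake behind item 26: a port is checked against a restricted-port list as a wide integer and only afterwards narrowed to 16 bits, so the value actually used is not the value that was checked. The blocked-port set and host names are constructed for illustration; the hardened variant validates the same value it returns.

```python
"""Added example (not Secunia's or WebKit's code): a toy restricted-port
check showing the integer-truncation failure of item 26 beside a
hardened version that range-checks and blocklists the value it uses."""
import re
from urllib.parse import urlsplit

# Constructed blocklist modelled on browser restricted-port policies;
# the real Apple/WebKit list is not given on the page.
BLOCKED_PORTS = {25, 6667, 6668, 6669}   # SMTP and IRC (cf. items 26, 27)
DEFAULT_PORTS = {"http": 80, "https": 443}
_PORT_RE = re.compile(r":(\d+)$")         # trailing ":digits" in host:port


def effective_port_truncating(url: str) -> int:
    """Vulnerable pattern: blocklist check on the wide integer, then a
    16-bit narrowing (as a socket layer might do) after the check."""
    parts = urlsplit(url)
    match = _PORT_RE.search(parts.netloc)
    port = int(match.group(1)) if match else DEFAULT_PORTS[parts.scheme]
    if port in BLOCKED_PORTS:
        raise ValueError("blocked port")
    return port & 0xFFFF   # narrowing after validation: check and use differ


def effective_port_hardened(url: str) -> int:
    """Hardened: parse once, reject anything outside 1..65535, then apply
    the blocklist to exactly the value that is returned."""
    parts = urlsplit(url)
    port = parts.port   # urlsplit itself rejects ports outside 0..65535
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    if not 0 < port <= 0xFFFF:
        raise ValueError("port out of range")
    if port in BLOCKED_PORTS:
        raise ValueError("blocked port")
    return port


def port_allowed(url: str, checker) -> bool:
    """True if `checker` accepts the URL's port, False if it raises."""
    try:
        checker(url)
    except ValueError:
        return False
    return True
```

The hardened check never lets a value reach the caller that differs from the one it validated, which is the general fix for any check-then-narrow sequence, not just this port case.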
SOLUTION:
Update to version 4.1 (available only for Mac OS X v10.4 systems) or
upgrade to version 5.0.
PROVIDED AND/OR DISCOVERED BY:
37) Michal Zalewski
The vendor also credits:
1) Chris Evans of the Google Security Team, and Andrzej Dyjak
2) Abhishek Arya of Google
3) Borja Marcos of Sarenet
4) Eric Seidel of Google
5) Paul Stone of Context Information Security
6) Masahiro Yamada
8) Matthieu Bonetti of Vupen
9) Ralf Philipp Weinmann working with TippingPoint's Zero Day
Initiative
10, 41) Eduardo Vela Nava (sirdarckcat) of Google
11) Michal Zalewski of Google
12) Gianni "gf3" Chiappetta of Runlevel6
13, 15, 16, 18, 19, 20, 21, 23, 43) wushi of team509, working with
TippingPoint's Zero Day Initiative
14) wushi and Z of team509, working with TippingPoint's Zero Day
Initiative
17) regenrecht working with iDefense
22, 31) Aki Helin of OUSPG
24) Ojan Vafai of Google
25) Colin Percival of Tarsnap
28) Dave Bowker
30) Mark Dowd of Azimuth Security
32) Chris Evans of Google
33, 45) wushi of team509
34) Sergey Glazunov
35) kuzzcc, and Skylined of Google Chrome Security Team
38) Yaar Schnitman of Google
39) Mark Dowd
40) James Robinson of Google
42) Marc Worrell of WhatWebWhat
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4196
Michal Zalewski:
http://lcamtuf.blogspot.com/2010/06/safari-tale-of-betrayal-and-revenge.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
to use those supplied by the vendor.
----------------------------------------------------------------------