---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. Join the beta: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Apple Safari Multiple Vulnerabilities SECUNIA ADVISORY ID: SA42264 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42264/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42264 RELEASE DATE: 2010-11-19 DISCUSS ADVISORY: http://secunia.com/advisories/42264/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42264/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42264 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities and weaknesses have been reported in Apple Safari, which can be exploited by malicious people to bypass certain security restrictions, conduct spoofing attacks, or compromise a user's system. 1) An integer overflow error in the handling of strings can be exploited to corrupt memory and potentially execute arbitrary code. 2) A weakness in the random number generator for JavaScript applications can be exploited to e.g. track users. 3) Multiple vulnerabilities in WebKit can be exploited by malicious people to compromise a user's system. For more information: SA41328 4) An integer underflow error in the handling of WebSockets can be exploited to corrupt memory and potentially execute arbitrary code. 5) An unspecified error in the handling of images created from "canvas" elements can be exploited to conduct cross-origin image thefts. This is related to vulnerability #12 in: SA41242 6) An invalid cast in the handling of editing commands can potentially be exploited to execute arbitrary code. 7) An invalid cast in the handling of inline styling can potentially be exploited to execute arbitrary code. 8) An error within the handling of the History object can be exploited to spoof the address in the location bar or add arbitrary locations to the history. 9) A use-after-free error in the handling of element attributes can be exploited to corrupt memory and potentially execute arbitrary code. 10) An integer overflow error in the handling of Text objects can be exploited to corrupt memory and potentially execute arbitrary code. 11) A weakness is caused due to WebKit performing DNS prefetching for HTML Link elements even when it is disabled. 12) Multiple use-after-free errors in the handling of plugins can be exploited to corrupt memory and potentially execute arbitrary code. This is related to vulnerability #5 in: SA41014 13) A use-after-free error in the handling of element focus can be exploited to corrupt memory and potentially execute arbitrary code. This is related to vulnerability #10 in: SA41242 14) A use-after-free error in the handling of scrollbars can be exploited to corrupt memory and potentially execute arbitrary code. 15) An invalid cast in the handling of CSS 3D transforms can potentially be exploited to execute arbitrary code. 16) A use-after-free error in the handling of inline text boxes can be exploited to corrupt memory and potentially execute arbitrary code. 17) An invalid cast in the handling of CSS boxes can potentially be exploited to execute arbitrary code. 18) An unspecified error in the handling of editable elements can be exploited to trigger an access of uninitialised memory and potentially execute arbitrary code. 19) An unspecified error in the handling of the ':first-letter' pseudo-element in cascading stylesheets can be exploited to corrupt memory and potentially execute arbitrary code. 20) An uninitialised pointer error in the handling of CSS counter styles can potentially be exploited to execute arbitrary code. 21) A use-after-free error in the handling of Geolocation objects can be exploited to corrupt memory and potentially execute arbitrary code. 22) A use-after-free error in the handling of "use" elements in SVG documents can be exploited to corrupt memory and potentially execute arbitrary code. 23) An invalid cast in the handling of SVG elements in non-SVG documents can potentially be exploited to execute arbitrary code. This is related to vulnerability #2 in: SA41443 24) An invalid cast in the handling of colors in SVG documents can potentially be exploited to execute arbitrary code. SOLUTION: Update to Safari 5.0.3 (Mac OS X 10.5.8, Mac OS X 10.6.4 or later, Windows 7, Vista, XP) or Safari 4.1.3 (Mac OS X 10.4.11). PROVIDED AND/OR DISCOVERED BY: 2) Amit Klein, Trusteer The vendor credits: 1, 10) J23 3) Jose A. Vazquez of spa-s3c.blogspot.com, Csaba Osztrogonac of University of Szeged, and also thabermann and chipplyman 4) Keith Campbell, and Cris Neckar, Google Chrome Security Team 5) Isaac Dawson, and James Qiu, Microsoft and Microsoft Vulnerability Research (MSVR) 6, 22, 23) wushi, team509 7, 15 - 17, 19, 24) Abhishek Arya (Inferno), Google Chrome Security Team 8) Mike Taylor, Opera Software 9) Michal Zalewski 11) Jeff Johnson, Rogue Amoeba Software 13) Vupen 14) Rohit Makasana, Google Inc. 20, 21) kuzzcc ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4455 Trusteer: http://www.trusteer.com/sites/default/files/Temporary_User_Tracking_in_Major_Browsers.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------