===========================================================================
             AUSCERT External Security Bulletin Redistribution

                     ESB-2008.0288 -- [Win][OSX]
                          Safari 3.1 Released
                             19 March 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Safari
Publisher:            Apple
Operating System:     Windows
                      Mac OS X
Impact:               Execute Arbitrary Code/Commands
                      Provide Misleading Information
                      Cross-site Scripting
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-1011 CVE-2008-1010 CVE-2008-1009
                      CVE-2008-1008 CVE-2008-1007 CVE-2008-1006
                      CVE-2008-1005 CVE-2008-1004 CVE-2008-1003
                      CVE-2008-1002 CVE-2008-1001 CVE-2008-0050
                      CVE-2007-4680

Ref:                  ESB-2007.0913

- --------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2008-03-18 Safari 3.1

Safari 3.1 is now available and addresses the following issues:

Safari
CVE-ID: CVE-2007-4680
Available for: Windows XP or Vista
Impact: A remote attacker may be able to cause an untrusted certificate to appear trusted
Description: An issue exists in the validation of certificates. A man-in-the-middle attacker may be able to direct the user to a legitimate site with a valid SSL certificate, then re-direct the user to a spoofed web site that incorrectly appears to be trusted. This could allow user credentials or other information to be collected. This update addresses the issue through improved validation of certificates. This issue is addressed for Mac OS X in Security Update 2007-008, and is incorporated into Mac OS X v10.4.11 and Mac OS X v10.5 or later. Credit to Marko Karppinen, Petteri Kamppuri, and Nikita Zhuk of MK&C for reporting this issue.

Safari
CVE-ID: CVE-2008-0050
Available for: Windows XP or Vista
Impact: A malicious proxy server may spoof secure websites
Description: A malicious HTTPS proxy server may return arbitrary data to CFNetwork in a 502 Bad Gateway error, which could allow a secure website to be spoofed. This update addresses the issue by returning an error on any proxy error, instead of returning the proxy-supplied data. This issue has already been addressed in Mac OS X 10.5.2, and in Security Update 2008-002 for Mac OS X 10.4.11 systems.

Safari
CVE-ID: CVE-2008-1001
Available for: Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-site scripting
Description: A cross-site scripting issue exists in Safari's error page. By enticing a user to open a maliciously crafted URL, an attacker may cause the disclosure of sensitive information. This update addresses the issue by performing additional validation of URLs. This issue does not affect Mac OS X systems. Credit to Robert Swiecki of Google Information Security Team for reporting this issue.

Safari
CVE-ID: CVE-2008-1002
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-site scripting
Description: A cross-site scripting issue exists in the processing of javascript: URLs. Enticing a user to visit a maliciously crafted web page could allow the execution of JavaScript in the context of another site. This update addresses the issue by performing additional validation of javascript: URLs. Credit to Robert Swiecki of Google Information Security Team for reporting this issue.

WebCore
CVE-ID: CVE-2008-1003
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-site scripting
Description: An issue exists with the handling of web pages that have explicitly set the document.domain property.
This could lead to a cross-site scripting attack in sites that set the document.domain property, or between HTTP and HTTPS sites with the same document.domain. This update addresses the issue by improving same-origin checks. Credit to Adam Barth and Collin Jackson of Stanford University for reporting this issue.

WebCore
CVE-ID: CVE-2008-1004
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Using Web Inspector on a maliciously crafted website may result in cross-site scripting
Description: An issue in Web Inspector allows a page being inspected to escalate its privileges by injecting script that will run in other domains and read the user's file system. This update addresses the issue by preventing JavaScript code on remote pages from being run. Credit to Collin Jackson and Adam Barth of Stanford University for reporting this issue.

WebCore
CVE-ID: CVE-2008-1005
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Using Kotoeri reverse conversion on a password field displays the password
Description: The content of password fields on web pages is normally hidden to guard against disclosing it to others with the ability to see the display. An issue exists with the use of the Kotoeri input method, which could result in exposing the password field content on the display when reverse conversion is requested. This update addresses the issue by no longer exposing the content of password fields when using Kotoeri reverse conversion.

WebCore
CVE-ID: CVE-2008-1006
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-site scripting
Description: The window.open() function may be used to change the security context of a webpage to the caller's context. Enticing a user to open a maliciously crafted page could allow an arbitrary script to be executed in the user's security context.
This update addresses the issue by not allowing the security context to be changed. Credit to Adam Barth and Collin Jackson of Stanford University for reporting this issue.

WebCore
CVE-ID: CVE-2008-1007
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-site scripting using Java
Description: The frame navigation policy is not enforced for Java applets. By enticing a user to open a maliciously crafted web page, an attacker may obtain elevated privileges through a cross-site scripting attack using Java. This update addresses the issue by enforcing the frame navigation policy for Java applets. Credit to Adam Barth and Collin Jackson of Stanford University for reporting this issue.

WebCore
CVE-ID: CVE-2008-1008
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-site scripting
Description: A cross-site scripting issue exists in Safari's handling of the document.domain property. Enticing a user to visit a maliciously crafted web page may lead to the disclosure of sensitive information. This update addresses the issue through additional validation of the document.domain property.

WebCore
CVE-ID: CVE-2008-1009
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-site scripting
Description: A JavaScript injection issue exists in the handling of the history object. This may allow frames to set history object properties in all other frames loaded from the same web page. An attacker may leverage this issue to inject JavaScript that will run in the context of other frames, resulting in cross-site scripting. This update addresses the issue by no longer allowing webpages to alter the history object.

WebKit
CVE-ID: CVE-2008-1010
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow issue exists in WebKit's handling of JavaScript regular expressions. Enticing a user to visit a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy and Will Drewry of Google Security Team for reporting this issue.

WebKit
CVE-ID: CVE-2008-1011
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-site scripting
Description: A cross-site scripting issue in WebKit allows method instances from one frame to be called in the context of another frame. Enticing a user to visit a maliciously crafted web page may lead to the disclosure of sensitive information. This update addresses the issue through improved handling of cross-domain method calls. Credit to David Bloom for reporting this issue.

Safari 3.1 is available via the Apple Software Update application, or Apple's Safari download site at:
http://www.apple.com/safari/download/

Safari for Mac OS X v10.5.2
The download file is named: "Safari31UpdLeo.dmg"
Its SHA-1 digest is: db76743014600581d59c1be3b60f2d8edd3defcd

Safari for Mac OS X v10.4.11
The download file is named: "Safari31UpdTiger.dmg"
Its SHA-1 digest is: 567ef2be9bdba51c2cf86613958599123e5f45f1

Safari for Windows XP or Vista
The download file is named: "SafariSetup.exe"
Its SHA-1 digest is: 48f9bfd5145be9f8a9307ab3e83674df4799c763

Safari+QuickTime for Windows XP or Vista
The file is named: "SafariQuickTimeSetup.exe"
Its SHA-1 digest is: 2c35c091ba306ee59a3101f86899a310f55c385f

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/pgp/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content.
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
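
The same-origin check that the document.domain entries in the advisory (CVE-2008-1003, CVE-2008-1008) depend on can be illustrated as follows. This is an added example, not part of the Apple or AusCERT text and not WebKit's patch; it follows the "same origin-domain" comparison as the HTML Standard defines it, and the helper names and example.test hostnames are constructed.

```javascript
// Added illustration: origins are plain objects, hostnames are constructed.
function makeOrigin(url, explicitDomain = null) {
  const u = new URL(url);
  const defaultPort = { "http:": "80", "https:": "443" }[u.protocol] || "";
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname,
    port: u.port || defaultPort,
    // null unless the page assigned document.domain explicitly
    domain: explicitDomain,
  };
}

// Ordinary same-origin test: scheme, host and port must all match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Comparison used when script in one document touches another document.
function sameOriginDomain(a, b) {
  // The scheme must match even when document.domain matches, so an HTTP
  // page cannot reach an HTTPS page that set the same document.domain.
  if (a.scheme !== b.scheme) return false;
  // Both pages opted in: compare the declared domains only.
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  // Only one page opted in: no access in either direction.
  if (a.domain !== null || b.domain !== null) return false;
  // Neither opted in: fall back to the scheme/host/port tuple.
  return sameOrigin(a, b);
}

// Constructed cases covering each branch.
function runCases() {
  const o = makeOrigin;
  return {
    bothOptedIn: sameOriginDomain(o("https://mail.example.test/", "example.test"),
                                  o("https://docs.example.test/", "example.test")),
    httpVsHttps: sameOriginDomain(o("http://mail.example.test/", "example.test"),
                                  o("https://docs.example.test/", "example.test")),
    oneSidedOptIn: sameOriginDomain(o("https://example.test/"),
                                    o("https://docs.example.test/", "example.test")),
    plainSameOrigin: sameOriginDomain(o("https://example.test/a"),
                                      o("https://example.test:443/b")),
    plainCrossPort: sameOriginDomain(o("https://example.test/"),
                                     o("https://example.test:8443/")),
  };
}

console.log(runCases());
```

Only the first and fourth cases are allowed; the HTTP/HTTPS pair and the one-sided opt-in are refused even though the declared domain matches the other page's host.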