Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.0541 -- [Win][Mac][OSX]
Safari: Multiple Vulnerabilities
11 June 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Safari
Publisher: Apple
Operating System: Mac OS X
Windows XP
Windows Vista
Impact: Execute Arbitrary Code/Commands
Increased Privileges
Cross-site Scripting
Read-only Data Access
Provide Misleading Information
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2009-1718 CVE-2009-1716 CVE-2009-1715
CVE-2009-1714 CVE-2009-1713 CVE-2009-1712
CVE-2009-1711 CVE-2009-1710 CVE-2009-1709
CVE-2009-1708 CVE-2009-1707 CVE-2009-1706
CVE-2009-1705 CVE-2009-1704 CVE-2009-1703
CVE-2009-1702 CVE-2009-1701 CVE-2009-1700
CVE-2009-1699 CVE-2009-1698 CVE-2009-1697
CVE-2009-1696 CVE-2009-1695 CVE-2009-1694
CVE-2009-1693 CVE-2009-1691 CVE-2009-1690
CVE-2009-1689 CVE-2009-1688 CVE-2009-1687
CVE-2009-1686 CVE-2009-1685 CVE-2009-1684
CVE-2009-1682 CVE-2009-1681 CVE-2009-1179
CVE-2009-0946 CVE-2009-0153 CVE-2009-0145
ESB-2009.0144 CVE-2009-0040 CVE-2008-4409
CVE-2008-4231 CVE-2008-4226 CVE-2008-4225
CVE-2008-3632 CVE-2008-3529 CVE-2008-3281
CVE-2008-2321 CVE-2008-2320 CVE-2008-1588
CVE-2006-2783
Ref: ESB-2009.0514
ESB-2009.0513
ESB-2009.0504
ESB-2009.0469
ESB-2009.0459
ESB-2009.0444
ESB-2009.0438
ESB-2009.0425
ESB-2009.0421
ESB-2009.0398
ESB-2009.0381
ESB-2009.0379
ESB-2009.0373
ESB-2009.0260
ESB-2009.0220
ESB-2009.0204
ESB-2008.1065
ESB-2008.1014
ESB-2008.0874
ESB-2008.0861
ESB-2008.0761
ESB-2008.0691
Revision History: June 11 2009: Document number changed from
ESB-2009.0698 to ESB-2009.0541
June 9 2009: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2009-06-08-1 Safari 4.0
Safari 4.0 is now available and addresses the following:
CFNetwork
CVE-ID: CVE-2009-1704
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Downloaded image files may be misidentified as HTML, leading
to JavaScript execution without warning the user
Description: Image files are 'safe' types that, once downloaded, are
displayed by Safari without warning the user. An issue in Safari may
cause it to be unable to identify the file type of certain local
image files. In this case, Safari will examine the content of those
files and may treat them as HTML. If a file contains JavaScript, it
will be executed in the local context. For a downloaded file, this
should not occur without first prompting the user. This issue is
addressed by treating files of unknown type as generic binary data,
and by correctly identifying the image file types known to have this
issue. Credit to Sergio 'shadown' Alvarez of Recurity Labs GmbH for
reporting this issue.
CFNetwork
CVE-ID: CVE-2009-1716
Available for: Windows XP or Vista
Impact: A local user may be able to read the contents of files being
downloaded by other users
Description: CFNetwork creates temporary files insecurely when
downloading. A local user may be able to access another user's files
as they are downloaded, leading to the disclosure of sensitive
information. This update addresses the issue by downloading files to
the user's secure temporary directory location. For Mac OS X systems,
this issue is addressed in Mac OS X v10.5.6. Credit to Billy Rios and
Microsoft Vulnerability Research for reporting this issue.
CoreGraphics
CVE-ID: CVE-2008-2321
Available for: Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: CoreGraphics contains memory corruption issues in the
processing of arguments. Passing untrusted input to CoreGraphics via
an application, such as a web browser, may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue through improved bounds checking. For Mac OS X
systems, this issue is addressed in Security Update 2008-005. Credit
to Michal Zalewski of Google Inc. for reporting this issue.
CoreGraphics
CVE-ID: CVE-2009-1705
Available for: Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of
TrueType fonts. An arithmetic issue in the automatic hinting of fonts
may cause memory corruption. Visiting a maliciously crafted website
with embedded fonts may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue through
improved input validation of TrueType font data. This issue does not
affect Mac OS X systems. Credit to Clint Ruoho of Laconic Security
and Tavis Ormandy of Google Security Team for reporting this issue.
CoreGraphics
CVE-ID: CVE-2009-0946
Available for: Windows XP or Vista
Impact: Multiple vulnerabilities in FreeType v2.3.8
Description: Multiple integer overflows exist in FreeType v2.3.8,
that may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issues through improved
bounds checking. These issues do not affect CoreGraphics on Mac OS X
systems. Credit to Tavis Ormandy of the Google Security Team for
reporting these issues.
CoreGraphics
CVE-ID: CVE-2009-0145
Available for: Windows XP or Vista
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues exist in
CoreGraphics' handling of PDF files. Opening a maliciously crafted
PDF file may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issues through
improved bounds and error checking. For Mac OS X v10.5 systems, this
issue is addressed in Mac OS X v10.5.7. For Mac OS X v10.4.11
systems, this issue is addressed in Security Update 2009-002.
CoreGraphics
CVE-ID: CVE-2009-1179
Available for: Windows XP or Vista
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow exists in CoreGraphics' handling of
PDF files containing JBIG2 streams. Opening a PDF file containing a
maliciously crafted JBIG2 stream may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue through improved bounds checking. Credit to Will
Dormann of CERT/CC for reporting this issue.
ImageIO
CVE-ID: CVE-2009-0040
Available for: Windows XP or Vista
Impact: Processing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized pointer issue exists in the handling
of PNG images. Processing a maliciously crafted PNG image may lead to
an unexpected application termination or arbitrary code execution.
This update addresses the issue by performing additional validation
of PNG images. Credit to Tavis Ormandy of the Google Security Team
for reporting this issue.
International Components for Unicode
CVE-ID: CVE-2009-0153
Available for: Windows XP or Vista
Impact: Maliciously crafted content may bypass website filters and
result in cross-site scripting
Description: An implementation issue exists in ICU's handling of
certain character encodings. Using ICU to convert invalid byte
sequences to Unicode may result in over-consumption, where trailing
bytes are considered part of the original character. This may be
leveraged by an attacker to bypass filters on websites that attempt
to mitigate cross-site scripting. This update addresses the issue
through improved handling of invalid byte sequences. For Mac OS X
v10.5 systems, this issue is addressed in Mac OS X v10.5.7. Credit to
Chris Weber of Casaba Security for reporting this issue.
libxml
CVE-ID: CVE-2008-3281, CVE-2008-3529, CVE-2008-4409, CVE-2008-4225,
CVE-2008-4226
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Multiple vulnerabilities in libxml2 version 2.6.16
Description: Multiple vulnerabilities exist in libxml2 version
2.6.16, the most serious of which may lead to an unexpected
application termination or arbitrary code execution. On Windows, the
issues are addressed by updating libxml2 to version 2.7.3. On Mac OS
X v10.4.11 and Mac OS X v10.5.7, the issues are addressed by applying
the relevant patches.
Safari
CVE-ID: CVE-2009-1682
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a website with a revoked EV certificate may not
display a certificate warning
Description: An issue in Safari's handling of Extended Validation
(EV) certificates may cause the revocation checking to be bypassed.
This would allow a page to be loaded without issuing a warning for a
revoked EV certificate. This update addresses the issue through
improved revocation checking for EV certificates. Credit to Bruce
Morton for reporting this issue.
Safari
CVE-ID: CVE-2009-1706
Available for: Windows XP or Vista
Impact: Cookies set during a private browsing session may remain
after private browsing ends
Description: Safari's Private Browsing feature is designed to allow
users to browse without leaving evidence of the browser session on
disk. An implementation issue in Private Browsing may cause cookies
to remain on disk after Private Browsing ends. This may result in an
unexpected disclosure of sensitive information. This update addresses
the issue by removing cookies from the alternate cookie store when
private browsing is disabled, or Safari quits. This issue does not
affect Mac OS X systems. Credit to Michael Hay of Beatnik Monkey
Software for reporting this issue.
Safari
CVE-ID: CVE-2009-1707
Available for: Windows XP or Vista
Impact: "Reset Safari" may not immediately remove website passwords
from memory
Description: After clicking the "Reset" button for "Reset saved
names and passwords" in the "Reset Safari..." menu option, Safari may
take up to 30 seconds to clear the passwords. A user with access to
the system in that time window may be able to access the stored
credentials. This issue is addressed by resolving the race condition
that leads to the delay. This issue does not affect Mac OS X systems.
Credit to Philippe Couturier of izypage.com, and Andrew Wellington of
The Australian National University for reporting this issue.
Safari
CVE-ID: CVE-2009-1708
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to the
disclosure of local file content or arbitrary code execution
Description: An issue in Safari's open-help-anchor URL handler may
allow a maliciously crafted website to open local help files. This
may lead to the disclosure of sensitive information or arbitrary code
execution. This update addresses the issue by preventing remote sites
from calling the open-help-anchor URL handler. Credit to Billy Rios
and Microsoft Vulnerability Research for reporting this issue.
Safari Windows Installer
Available for: Windows XP or Vista
Impact: Safari may run with elevated privileges
Description: The Safari installer includes a checkbox to launch
Safari immediately after installation. If this checkbox is checked,
the compression method in the installer will cause Safari to run with
elevated privileges for its initial launch. The issue is addressed by
using a different compression method in the installer. This issue
does not affect Mac OS X systems. Credit to Dave English of Lutnos
for reporting this issue.
WebKit
CVE-ID: CVE-2006-2783
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: WebKit ignores Unicode byte order mark sequences when
parsing web pages. Certain websites and web content filters attempt
to sanitize input by blocking specific HTML tags. This approach to
filtering may be bypassed and lead to cross-site scripting when
encountering maliciously-crafted HTML tags containing byte order mark
sequences. This update addresses the issue through improved handling
of byte order mark sequences. Credit to Chris Weber of Casaba
Security, LLC for reporting this issue.
WebKit
CVE-ID: CVE-2008-1588
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Unicode ideographic spaces may be used to spoof a website
Description: When Safari displays the current URL in the address
bar, Unicode ideographic spaces are rendered. This allows a
maliciously crafted website to direct the user to a spoofed site that
visually appears to be a legitimate domain. This update addresses the
issue by not rendering Unicode ideographic spaces in the address bar.
WebKit
CVE-ID: CVE-2008-2320
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling
of invalid color strings in CSS. Visiting a maliciously crafted
website may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through
improved handling of color strings. Credit to Thomas Raffetseder of
the International Secure Systems Lab for reporting this issue.
WebKit
CVE-ID: CVE-2008-3632
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of
'@import' statements within Cascading Style Sheets. Visiting a
maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue through improved handling of style sheets. Credit to Dean
McNamee of Google Inc. for reporting this issue.
WebKit
CVE-ID: CVE-2008-4231
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in WebKit's
handling of HTML tables. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through proper
initialization of the internal representation of HTML tables. Credit
to Haifei Li of Fortinet's FortiGuard Global Security Research Team
for reporting this issue.
WebKit
CVE-ID: CVE-2009-1681
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Interacting with a maliciously crafted website may result in
unexpected actions on other sites
Description: A design issue exists in the same-origin policy
mechanism used to limit interactions between websites. This policy
allows websites to load pages from third-party websites into a
subframe. This frame may be positioned to entice the user to click a
particular element within the frame, an attack referred to as
"clickjacking". A maliciously crafted website may be able to
manipulate a user into taking an unexpected action, such as
initiating a purchase. This update addresses the issue through
adoption of the industry-standard 'X-Frame-Options' extension header,
that allows individual web pages to opt out of being displayed within
a subframe.
WebKit
CVE-ID: CVE-2009-1684
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-
site scripting
Description: A cross-site scripting issue exists in the separation
of JavaScript contexts. A maliciously crafted web page may use an
event handler to execute a script in the security context of the next
web page that is loaded in its window or frame. This update addresses
the issue by ensuring that event handlers are not able to directly
affect an in-progress page transition. Credit to Michal Zalewski of
Google Inc. for reporting this issue.
WebKit
CVE-ID: CVE-2009-1685
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-
site scripting
Description: A cross-site scripting issue exists in the separation
of JavaScript contexts. By enticing a user to visit a maliciously
crafted web page, the attacker may overwrite the
'document.implementation' of an embedded or parent document served
from a different security zone. This update addresses the issue by
ensuring that changes to 'document.implementation' do not affect
other documents. Credit to Dean McNamee of Google Inc. for reporting
this issue.
WebKit
CVE-ID: CVE-2009-1686
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A type conversion issue exists in WebKit's JavaScript
exception handling. When an attempt is made to assign the exception
to a variable that is declared as a constant, an object is cast to an
invalid type, causing memory corruption. Visiting a maliciously
crafted website may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue by ensuring
that assignment in a const declaration writes to the variable object.
Credit to Jesse Ruderman of Mozilla Corporation for reporting this
issue.
WebKit
CVE-ID: CVE-2009-1687
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's JavaScript
garbage collector. If an allocation fails, a memory write to an
offset of a NULL pointer may result, leading to an unexpected
application termination or arbitrary code execution. This update
addresses the issue by checking for allocation failure. Credit to
SkyLined of Google Inc. for reporting this issue.
WebKit
CVE-ID: CVE-2009-1688
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-
site scripting
Description: WebKit does not use the HTML 5 standard method to
determine the security context associated with a given script. An
implementation issue in WebKit's method may result in a cross-site
scripting attack under certain conditions. This update addresses the
issue by using the standards-compliant method to determine the
security context associated with a script. Credit to Adam Barth of UC
Berkeley, and Collin Jackson of Stanford University for reporting
this issue.
WebKit
CVE-ID: CVE-2009-1689
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in a
cross-site scripting attack
Description: A cross-site scripting issue exists in WebKit. A
maliciously crafted website containing a form submitted to
'about:blank' may synchronously replace the document's security
context, allowing currently-executing scripts to run in the new
security context. This update addresses the issue through improved
handling of cross-site interaction with form submission. Credit to
Adam Barth of UC Berkeley, and Collin Jackson of Stanford University
for reporting this issue.
Webkit
CVE-ID: CVE-2009-1690
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling
of recursion in certain DOM event handlers. Visiting a maliciously
crafted website may lead to an unexpected application termination or
arbitrary code execution. This update addresses the issue through
improved memory management. Credit to SkyLined of Google Inc, and
wushi & ling of team509 working with Verisign iDefense VCP for
reporting this issue.
WebKit
CVE-ID: CVE-2009-1691
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to cross-
site scripting
Description: A cross-site scripting issue in Safari allows a
maliciously crafted website to alter standard JavaScript prototypes
of websites served from a different domain. By enticing a user to
visit a maliciously crafted web page, an attacker may be able to
alter the execution of JavaScript served from other websites. This
update addresses the issue through improved access controls on these
prototypes.
WebKit
CVE-ID: CVE-2009-1693
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may disclose images
from other sites
Description: A cross-site image capture issue exists in WebKit. By
using a canvas with an SVG image, a maliciously crafted website may
load and capture an image from another website. This update addresses
the issue by restricting the reading of canvases that have images
loaded from other websites. Credit to Chris Evans of Google Inc. for
reporting this issue.
WebKit
CVE-ID: CVE-2009-1694
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may disclose images
from other sites
Description: A cross-site image capture issue exists in WebKit. By
using a canvas and a redirect, a maliciously crafted website may load
and capture an image from another website. This update addresses the
issue through improved handling of redirects. Credit to Chris Evans
of for reporting this issue.
WebKit
CVE-ID: CVE-2009-1695
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in a
cross-site scripting attack
Description: An issue in WebKit allows the contents of a frame to be
accessed by an HTML document after a page transition has taken place.
This may allow a maliciously crafted website to perform a cross-site
scripting attack. This update addresses the issue through an improved
domain check. Credit to Feng Qian of Google Inc. for reporting this
issue.
WebKit
CVE-ID: CVE-2009-1696
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Websites may surreptitiously track users
Description: Safari generates random numbers for JavaScript
applications using a predictable algorithm. This could allow a
website to track a particular Safari session without using cookies,
hidden form elements, IP addresses, or other techniques. This update
addresses the issue by using a better random number generator. Credit
to Amit Klein of Trusteer for reporting this issue.
WebKit
CVE-ID: CVE-2009-1697
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in a
cross-site scripting attack
Description: A CRLF injection issue exists in the handling of
XMLHttpRequest headers in WebKit. This may allow a maliciously
crafted website to bypass the same-origin policy by issuing an
XMLHttpRequest that does not contain a Host header. XMLHttpRequests
without a Host header may reach other websites on the same server,
and allow attacker-supplied JavaScript to interact with those sites.
This update addresses the issue through improved handling of
XMLHttpRequest headers. Credit to Per von Zweigbergk for reporting
this issue.
WebKit
CVE-ID: CVE-2009-1698
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized pointer issue exists in the handling
of the CSS 'attr' function. Viewing a maliciously crafted web page
may lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through additional
validation of CSS elements. Credit to Thierry Zoller working with
TippingPoint's Zero Day Initiative, and Robert Swiecki of the Google
Security Team for reporting this as a security issue.
WebKit
CVE-ID: CVE-2009-1699
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in an
information disclosure
Description: An XML External Entity issue exists in WebKit's
handling of XML. A maliciously crafted website may be able to read
files from the user's system. This update addresses the issue by not
loading external entities across origins. Credit to Chris Evans of
Google Inc. for reporting this issue.
WebKit
CVE-ID: CVE-2009-1700
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in the
disclosure of sensitive information
Description: WebKit does not properly handle redirects when
processing Extensible Stylesheet Language Transformations (XSLT).
This allows a maliciously crafted website to retrieve XML content
from pages on other websites, which could result in the disclosure of
sensitive information. This update addresses the issue by ensuring
that documents referenced in transformations are downloaded from the
same domain as the transformation itself. Credit to Chris Evans of
Google for reporting this issue.
WebKit
CVE-ID: CVE-2009-1701
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of
the JavaScript DOM. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution.
This update addresses the issue through improved handling of document
elements. Credit to wushi & ling of team509 working with
TippingPoint's Zero Day Initiative for reporting this issue.
WebKit
CVE-ID: CVE-2009-1702
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: An issue in WebKit's handling of Location and History
objects may result in a cross-site scripting attack when visiting a
maliciously crafted website. This update addresses the issue through
improved handling of Location and History objects. Credit to Adam
Barth and Joel Weinberger of UC Berkeley for reporting this issue.
WebKit
CVE-ID: CVE-2009-1703
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to
information disclosure
Description: WebKit's handling of audio and video HTML elements
allows a remote website to reference local "file:" URLs. A
maliciously crafted website could perform file existence checking,
which may lead to information disclosure. This update addresses the
issue through improved handling of audio and video elements. Credit
to Dino Dai Zovi for reporting this issue.
WebKit
CVE-ID: CVE-2009-1709
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of
SVG animation elements. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved handling
of caches. Credit to an anonymous researcher working with
TippingPoint's Zero Day Initiative for reporting this issue.
WebKit
CVE-ID: CVE-2009-1710
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: A maliciously crafted website may spoof browser UI elements
Description: By specifying a large and mostly transparent custom
cursor, and adjusting the CSS3 hotspot property, a maliciously
crafted website may spoof browser UI elements, such as the host name
and security indicators. This update addresses the issue through
additional restriction on custom cursors. Credit to Dean McNamee of
Google for reporting this issue
WebKit
CVE-ID: CVE-2009-1711
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in WebKit's
handling of Attr DOM objects. Visiting a maliciously crafted website
may lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved
validation of DOM objects. Credit to Feng Qian of Google Inc. for
reporting this issue.
Webkit
CVE-ID: CVE-2009-1712
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to
information disclosure or arbitrary code execution
Description: WebKit allows remote websites to load Java applets from
the local system. Local applets may not expect to be loaded remotely
and may allow the remote site to execute arbitrary code or otherwise
grant unexpected privileges to the remote site. This update addresses
the issue by preventing remote websites from loading local applets.
WebKit
CVE-ID: CVE-2009-1713
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in an
information disclosure
Description: An information disclosure issue exists in WebKit's
implementation of the document() function used in XSLT documents. A
maliciously crafted website may be able to read files from other
security zones, including the user's system. This update addresses
the issue by preventing the loading of resources across origins.
Credit to Chris Evans of Google for reporting this issue.
WebKit
CVE-ID: CVE-2009-1714
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Using Web Inspector on a maliciously crafted website may
result in cross-site scripting
Description: An issue in Web Inspector allows a page being inspected
to run injected script with elevated privileges, including the
ability to read the user's file system. This update addresses the
issue by proper escaping of HTML attributes. Credit to Pengsu Cheng
of Wuhan University for reporting this issue.
WebKit
CVE-ID: CVE-2009-1715
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Using Web Inspector on a maliciously crafted website may
result in cross-site scripting
Description: An issue in Web Inspector allows a page being inspected
to run injected script with elevated privileges, including the
ability to read the user's file system. This update addresses the
issue by executing scripts with the privileges of the web page being
inspected. Credit to Collin Jackson of Stanford University, and Adam
Barth of UC Berkeley for reporting this issue.
WebKit
CVE-ID: CVE-2009-1718
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Dragging content over a maliciously crafted web page may
lead to information disclosure
Description: An issue exists in WebKit's handling of drag events.
This may lead to the disclosure of sensitive information when content
is dragged over a maliciously crafted web page. This update addresses
the issue through improved handling of drag events. Credit to Eric
Seidel of Google, Inc. for reporting this issue.
Safari 4.0 is available via the Apple Software Update application,
or Apple's Safari download site at:
http://www.apple.com/safari/download/
Safari for Mac OS X v10.5.7
The download file is named: Safari4.0Leo.dmg
Its SHA-1 digest is: 9b18e8dad3b3acd91b7d4208f295422bf8e735ed
Safari for Mac OS X v10.4.11
The download file is named: Safari4.0Ti.dmg
Its SHA-1 digest is: c5298f24aa9c824a930ba3656487687630d2420a
Safari for Windows XP or Vista
The download file is named: SafariSetup.exe
Its SHA-1 digest is: 46951d6c13bf847a54d033cec2cdf3383e31d1e1
Safari+QuickTime for Windows XP or Vista
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 6c421eb66d521dd03744f76c7e44a40d132379fc
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
iQEbBAEBAgAGBQJKLTKpAAoJEHkodeiKZIkBUkgH9igCqzTyuMFv3zfMotvYHBvD
Zcd1VlGjaNI8vp/+igUONuXS1xoIrr5uQDl52w0DXHzH1qQJFWTt+SRqen69hjWe
y+d+T8oNC7JvAsWOGDK7SMF7JNt7nl0/wI/VLxKUWBdEGWeovmbe4sUd3uEw+qh9
uVzOqLPVR1K+B2/DyCw4M+o7Fo8KXa/fcesutW8VYzR4avDKfm2iDmCaGhsA4xBe
A5Lx9MRxLpgxebbU9H4Ka8NELRH81BhPLrn+QlMBMvKVkv+MdpZ7oKDrBkwkB4KH
L71i7QMSxIlglXI78PIG6u67asRSY1SGsTZrDZbFhSBRfmgxkpd5eEAu8YjlHw==
=szJh
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFKMGPaNVH5XJJInbgRApi7AJsHva7yJe39zsfXQlvppsw+2w1GQACfRQsr
AvzCJ1Hmn1gFjFmgMKh0rnY=
=9UsW
-----END PGP SIGNATURE-----