-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1502
                                Safari 6.1
                              23 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Safari
Publisher:         Apple
Operating System:  OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-5131 CVE-2013-5130 CVE-2013-5129
                   CVE-2013-5128 CVE-2013-5127 CVE-2013-5126
                   CVE-2013-5125 CVE-2013-2848 CVE-2013-2842
                   CVE-2013-1047 CVE-2013-1046 CVE-2013-1045
                   CVE-2013-1044 CVE-2013-1043 CVE-2013-1042
                   CVE-2013-1041 CVE-2013-1040 CVE-2013-1039
                   CVE-2013-1038 CVE-2013-1037 CVE-2013-1036

Reference:         ASB-2013.0066
                   ESB-2013.1327
                   ESB-2013.1307
                   ESB-2013.0750

Original Bulletin: 
   http://support.apple.com/kb/HT1222

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2013-10-22-2 Safari 6.1

Safari 6.1 is now available and addresses the following:

Safari
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in the handling of
XML files. This issue was addressed through additional bounds
checking.
CVE-ID
CVE-2013-1036 : Kai Lu of Fortinet's FortiGuard Labs

WebKit
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-1037 : Google Chrome Security Team
CVE-2013-1038 : Google Chrome Security Team
CVE-2013-1039 : own-hero Research working with iDefense VCP
CVE-2013-1040 : Google Chrome Security Team
CVE-2013-1041 : Google Chrome Security Team
CVE-2013-1042 : Google Chrome Security Team
CVE-2013-1043 : Google Chrome Security Team
CVE-2013-1044 : Apple
CVE-2013-1045 : Google Chrome Security Team
CVE-2013-1046 : Google Chrome Security Team
CVE-2013-1047 : miaubiz
CVE-2013-2842 : Cyril Cattiaux
CVE-2013-5125 : Google Chrome Security Team
CVE-2013-5126 : Apple
CVE-2013-5127 : Google Chrome Security Team
CVE-2013-5128 : Apple

WebKit
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5
Impact:  Visiting a maliciously crafted website may lead to an
information disclosure
Description:  An information disclosure issue existed in XSSAuditor.
This issue was addressed through improved handling of URLs.
CVE-ID
CVE-2013-2848 : Egor Homakov

WebKit
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5
Impact:  Dragging or pasting a selection may lead to a cross-site
scripting attack
Description:  Dragging or pasting a selection from one site to
another may allow scripts contained in the selection to be executed
in the context of the new site. This issue was addressed through
additional validation of content before a paste or a drag and drop
operation.
CVE-ID
CVE-2013-5129 : Mario Heiderich
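A page-level mitigation for the class of issue above, added here as an illustration and not code from Apple or WebKit: an editor that accepts rich-text paste or drop rebuilds the clipboard HTML from an allowlist of tags and attributes before inserting it, so scripts, event handlers and javascript: URLs carried in the selection are discarded. The allowlist, the names sanitizeHtml and installPasteGuard, the editor element and the SAMPLE input are assumptions constructed for the example. It complements rather than replaces the browser fix: an unpatched Safari still runs the script during its own paste handling, and a production site should prefer a maintained sanitizer such as DOMPurify over a hand-written one.

```javascript
'use strict';

// Tags a pasted selection may keep, and the attributes permitted on each.
// A Map rather than a plain object, so tag names like "constructor" or
// "__proto__" cannot resolve to prototype properties. Assumed allowlist.
const ALLOWED_TAGS = new Map([
  ['b', []], ['i', []], ['em', []], ['strong', []], ['u', []], ['p', []],
  ['br', []], ['span', []], ['ul', []], ['ol', []], ['li', []],
  ['code', []], ['pre', []], ['a', ['href']],
]);
// Elements whose entire content is discarded, not just the tag itself.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);
// Only these URL schemes survive on href; "javascript:", "data:" etc. are dropped.
const SAFE_HREF = /^(https?:|mailto:)/i;

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Parse name="value", name='value', name=value and bare name pairs.
function parseAttrs(body) {
  const attrs = [];
  const re = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    attrs.push({ name: m[1].toLowerCase(), value });
  }
  return attrs;
}

// Rebuild HTML from the allowlist: every byte of output is either escaped text
// or a tag this function emitted itself, so malformed input is at worst mangled,
// never executable.
function sanitizeHtml(html) {
  let out = '';
  let i = 0;
  let dropping = null; // name of the element whose content is being discarded
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { if (!dropping) out += escapeText(html.slice(i)); break; }
    if (lt > i && !dropping) out += escapeText(html.slice(i, lt));
    const gt = html.indexOf('>', lt);
    if (gt === -1) { if (!dropping) out += escapeText(html.slice(lt)); break; }
    const raw = html.slice(lt + 1, gt);
    i = gt + 1;
    if (raw[0] === '!' || raw[0] === '?') continue; // comments, doctype, PIs: drop
    const m = /^\/?\s*([a-zA-Z][a-zA-Z0-9]*)/.exec(raw);
    if (!m) continue; // not a well-formed tag: drop rather than guess
    const closing = raw[0] === '/';
    const name = m[1].toLowerCase();
    const body = raw.slice(m[0].length);
    if (dropping) { if (closing && name === dropping) dropping = null; continue; }
    if (DROP_WITH_CONTENT.has(name)) {
      if (!closing && !body.trim().endsWith('/')) dropping = name; // "<script/>" has no content
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;
    if (closing) { out += `</${name}>`; continue; }
    const kept = [];
    for (const a of parseAttrs(body)) {
      if (!ALLOWED_TAGS.get(name).includes(a.name)) continue; // drops on*, style, src, ...
      if (a.name === 'href' && !SAFE_HREF.test(a.value.trim())) continue;
      kept.push(` ${a.name}="${escapeText(a.value)}"`);
    }
    out += `<${name}${kept.join('')}>`;
  }
  return out;
}

// Browser wiring (definition only; there is no DOM under Node). The editor
// element is assumed; a real editor would insert at the caret, not at the end.
function installPasteGuard(editor) {
  const guard = (ev, html) => {
    if (!html) return; // plain-text transfer: nothing to sanitize
    ev.preventDefault();
    editor.insertAdjacentHTML('beforeend', sanitizeHtml(html));
  };
  editor.addEventListener('paste', (ev) => guard(ev, ev.clipboardData.getData('text/html')));
  editor.addEventListener('drop', (ev) => guard(ev, ev.dataTransfer.getData('text/html')));
}

// Constructed sample of the kind of selection the advisory describes.
const SAMPLE = '<b>quote</b><script>alert(document.cookie)</script>' +
  '<a href="javascript:alert(1)" onmouseover="steal()">link</a>' +
  '<img src=x onerror=alert(2)>';
```

The design choice that matters is rebuilding rather than filtering: a blocklist that deletes `<script>` tags from the original string can be defeated by nesting and encoding tricks, whereas output that is only ever escaped text plus allowlisted tags the sanitizer wrote itself cannot contain a handler or a script no matter how the input was shaped.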

WebKit
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5
Impact:  Using the Web Inspector disabled Private Browsing
Description:  Using the Web Inspector disabled Private Browsing
without warning. This issue was addressed by improved state
management.
CVE-ID
CVE-2013-5130 : Laszlo Varady of Eotvos Lorand University

WebKit
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5
Impact:  Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description:  A cross-site scripting issue existed in the handling of
URLs. This issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-5131 : Erling A Ellingsen

Note:  OS X Mavericks includes these fixes with Safari 7.0.


For OS X Lion systems Safari 6.1 is available via the Apple Software
Update application.

For OS X Mountain Lion systems Safari 6.1 may be obtained from
Mac App Store.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----