-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2013.1802
Safari 6.1.1 and Safari 7.0.1
17 December 2013

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Safari
Publisher:         Apple
Operating System:  OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-5228 CVE-2013-5227 CVE-2013-5225
                   CVE-2013-5199 CVE-2013-5198 CVE-2013-5197
                   CVE-2013-5196 CVE-2013-5195 CVE-2013-2909

Reference:         ASB-2013.0110
                   ESB-2013.1530

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2013-12-16-1 Safari 6.1.1 and Safari 7.0.1

Safari 6.1.1 and Safari 7.0.1 are now available and address the
following:

Safari
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks v10.9
Impact:  User credentials may be disclosed to an unexpected site via
autofill
Description:  Safari may have autofilled user names and passwords
into a subframe from a different domain than the main frame. This
issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-5227 : Niklas Malmgren of Klarna AB

WebKit
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks v10.9
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2909 : Atte Kettunen of OUSPG
CVE-2013-5195 : Apple
CVE-2013-5196 : Google Chrome Security Team
CVE-2013-5197 : Google Chrome Security Team
CVE-2013-5198 : Apple
CVE-2013-5199 : Apple
CVE-2013-5225 : Google Chrome Security Team
CVE-2013-5228 : Keen Team (@K33nTeam) working with HP's Zero Day
Initiative

For OS X Mavericks systems, Safari 7.0.1 will be included
in OS X Mavericks 10.9.1.

For OS X Mountain Lion systems Safari 6.1 may be obtained from
Mac App Store.

For OS X Lion systems Safari 6.1 is available via the Apple Software
Update application.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
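
Added example (not part of the Apple or AusCERT text, and not Safari or WebKit code): a sketch of the kind of check the CVE-2013-5227 entry implies, filling a saved credential only when the form's frame, every ancestor up to the main frame, and the saved credential share one origin. The function names and the example.test URLs are constructed for illustration, and comparing full origins (scheme, host, port) rather than domains is an assumption of this sketch.

```javascript
// Added illustration; all names are hypothetical, not Safari/WebKit APIs.

// Reduce a URL to its origin (scheme://host[:port]). Opaque origins
// (data:, about:blank, ...) serialise as "null" and are rejected.
function originOf(url) {
  const u = new URL(url);
  if (u.origin === "null") throw new Error("opaque origin: " + url);
  return u.origin;
}

// frameChain: URLs from the main frame down to the frame holding the form,
//             e.g. [mainFrameUrl, subframeUrl].
// savedFor:   URL the credential was originally saved for.
function autofillDecision(frameChain, savedFor) {
  if (frameChain.length === 0) return { fill: false, reason: "no frame" };
  let credOrigin, origins;
  try {
    credOrigin = originOf(savedFor);
    origins = frameChain.map(originOf);
  } catch (e) {
    return { fill: false, reason: "unparseable or opaque origin" };
  }
  const target = origins[origins.length - 1];
  if (target !== credOrigin) {
    return { fill: false, reason: "credential saved for another origin" };
  }
  // The case in the advisory: the form sits in a subframe whose origin
  // differs from the main frame (or from any frame in between).
  const foreign = origins.find((o) => o !== target);
  if (foreign !== undefined) {
    return { fill: false, reason: "cross-origin ancestor " + foreign };
  }
  return { fill: true, reason: "same origin as main frame" };
}

// Constructed sample: a login subframe embedded by a different site.
const sample = autofillDecision(
  ["https://shop.example.test/cart", "https://pay.example.test/login"],
  "https://pay.example.test/"
);
console.log(sample.fill, sample.reason);
```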