===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0792
                       Safari 6.1.4 and Safari 7.0.4
                                22 May 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Safari
Publisher:         Apple
Operating System:  OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-1731 CVE-2014-1346 CVE-2014-1344
                   CVE-2014-1343 CVE-2014-1342 CVE-2014-1341
                   CVE-2014-1339 CVE-2014-1338 CVE-2014-1337
                   CVE-2014-1336 CVE-2014-1335 CVE-2014-1334
                   CVE-2014-1333 CVE-2014-1331 CVE-2014-1330
                   CVE-2014-1329 CVE-2014-1327 CVE-2014-1326
                   CVE-2014-1324 CVE-2014-1323 CVE-2013-2927
                   CVE-2013-2875

Reference:         ASB-2014.0057
                   ASB-2013.0114
                   ASB-2013.0083
                   ESB-2014.0657
                   ESB-2013.1530
                   ESB-2013.0994

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2014-05-21-1 Safari 6.1.4 and Safari 7.0.4

Safari 6.1.4 and Safari 7.0.4 are now available and address the following:

WebKit
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2875 : miaubiz
CVE-2013-2927 : cloudfuzzer
CVE-2014-1323 : banty
CVE-2014-1324 : Google Chrome Security Team
CVE-2014-1326 : Apple
CVE-2014-1327 : Google Chrome Security Team, Apple
CVE-2014-1329 : Google Chrome Security Team
CVE-2014-1330 : Google Chrome Security Team
CVE-2014-1331 : cloudfuzzer
CVE-2014-1333 : Google Chrome Security Team
CVE-2014-1334 : Apple
CVE-2014-1335 : Google Chrome Security Team
CVE-2014-1336 : Apple
CVE-2014-1337 : Apple
CVE-2014-1338 : Google Chrome Security Team
CVE-2014-1339 : Atte Kettunen of OUSPG
CVE-2014-1341 : Google Chrome Security Team
CVE-2014-1342 : Apple
CVE-2014-1343 : Google Chrome Security Team
CVE-2014-1344 : Ian Beer of Google Project Zero
CVE-2014-1731 : an anonymous member of the Blink development community

WebKit
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3
Impact: A malicious site can send messages to a connected frame or window in a way that might circumvent the receiver's origin check
Description: An encoding issue existed in the handling of unicode characters in URLs. A maliciously crafted URL could have led to sending an incorrect postMessage origin. This issue was addressed through improved encoding/decoding.
CVE-ID
CVE-2014-1346 : Erling Ellingsen of Facebook

For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.4 and Safari 6.1.4 may be obtained from Mac App Store.

For OS X Lion systems Safari 6.1.4 is available via the Apple Software Update application.

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content.
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================