Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2014.1058.2 Safari 6.1.5 and Safari 7.0.5 1 July 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Safari Publisher: Apple Operating System: OS X Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Provide Misleading Information -- Remote with User Interaction Access Confidential Data -- Remote with User Interaction Denial of Service -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2014-1382 CVE-2014-1369 CVE-2014-1368 CVE-2014-1367 CVE-2014-1366 CVE-2014-1365 CVE-2014-1364 CVE-2014-1363 CVE-2014-1362 CVE-2014-1345 CVE-2014-1340 CVE-2014-1325 Revision History: July 1 2014: Corrected ESB number July 1 2014: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2014-06-30-1 Safari 6.1.5 and Safari 7.0.5 Safari 6.1.5 and Safari 7.0.5 are now available and address the following: WebKit Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3 Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling. CVE-ID CVE-2014-1325 : Apple CVE-2014-1340 : Apple CVE-2014-1362 : Apple, miaubiz CVE-2014-1363 : Apple CVE-2014-1364 : Apple CVE-2014-1365 : Apple, Google Chrome Security Team CVE-2014-1366 : Apple CVE-2014-1367 : Apple CVE-2014-1368 : Wushi of Keen Team (Research Team of Keen Cloud Tech) CVE-2014-1382 : Renata Hodovan of University of Szeged / Samsung Electronics WebKit Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3 Impact: Dragging a URL from a maliciously crafted website to another window could lead to the disclosure of local file content Description: Dragging a URL from a maliciously crafted website to another window could have allowed the malicious site to access a file:// URL. This issue was addressed through improved validation of dragged resources. CVE-ID CVE-2014-1369 : Aaron Sigel of vtty.com WebKit Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3 Impact: A maliciously crafted website may be able to spoof its domain name in the address bar Description: A spoofing issue existed in the handling of URLs. This issue was addressed through improved encoding of URLs. CVE-ID CVE-2014-1345 : Erling Ellingsen of Facebook For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.5 and Safari 6.1.5 may be obtained from Mac App Store. For OS X Lion systems Safari 6.1.5 is available via the Apple Software Update application. Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ - -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJTsaPHAAoJEBcWfLTuOo7taK8P/0tThtNLog6ssE+iBRlBRtlu pdjDkqF5N5b71I00+DWhpxasEmsrmc7j5XXzbqaH/I3eWx9rRSHYTxon3gXHv8xY K4N1eUb/taHUaSJDH9mfzTvmxZf8x1EGsBQDmDpotXVtwW5h3uYxYsjAoG6g/MZO i74ggPKp3XnjSa/DPEJIXXZTTZrYDCBnDOE1By/vOVBshUy6/M8pWNd56gjYrYm9 VqJjeR9ZRc7RTkmbpJGOphjJ9/N/5oLinDV9cpObPktFhrG/RO90gGLorvtqG4NJ i9iOw2XHnX59TvmELjWHDJKD4NbGDSSl9eOW1iHQfLb5rt6yr7eNPfQDJMqYQKYh oViKYvhyRlOM5W56Xs6d39IJuHy43UkjPHU6frh5hrR+08WaVYfwNEhGf7iUzkPG Ln6quTg8hvQivHsmBnQ1fgYwcCc09QkAI9BtiLJqW+9Nk4KxKDB6ZBUFvp1z/ELZ SHRyb52FAo0yukNDjYqdp9l7QjhCzYpHdwZZGpgVmnroQPdBa+sJqBGiNRQd6Qun 1K5Rn3CaPAIft21L5aCju0uIouo8g56SBo9+bXCdDPpMmV3CSCRtU/aWfHWOE9D7 /MN0FCa6EQXKz15zBRMCmHY6QWAexM//gdrnLBx8ndLS1y59+hL/fz7PJ1pGtJa9 9Q6eqCFTMNIRoGCOsp8M =Hhsf - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBU7IdmBLndAQH1ShLAQKOLhAAuN9iU9WJ827q+YfgG5Pm3zbEkkNkKhO7 /LIqJTNFGzgYlR9jSgZA52ZWxT1v0dzD/iuIsvLNvs2X64fdtwfVSfQpR6e8V3zg bis12J+Qmj9pCmPbnaWkMapOJe7DTq2xujfwc7WAwQ0hAJ/N0HIEq51A9BGKOxsD IeTH446XluPdhomRRJ+ViYzCwcNVMlmFFL7+BIjT5pCHDReJkvtHkCQVc2V+p0jb ZZ2nCSoTMDA8i0uOp2S55XlMDrJsPvhjIPb68Rr+EkowCAnt8OKObh8eWWa5IkK2 wSGNfIh9rVSYOkvw23AQ0EYCWi5CjSk4SfrAL/eU+J+U9pylX/enF3KQjuom5p3q ZdranWgIXcSYvuILP/G9wCE8w1iKR41lqh0XK5PZ3PLoUuozFWndXHsVuJ07SZnS f9GMvddPJCtWfAuNmdu4tk9Gv2OEUid0Wno5oDweGIvR8vYY5h+vmByIdKInfkLk gCMdy7r/kPGhBfYxALKZ4TBZBH15wMSVoF5p5RlL29RmVln3YsEReGy8YJ3fKvyE QZ/XdTUvjARImJTrO/RibOXroIceXWt3+WjBFTLhlfUys3xsDKhz15BidKwoif8o 53f+EB6AOMa3Y0Bh12QaY+U7+/nzXOMQpVaXx9/GG8VxjlC/F9M0cJX8DseaSG8s LB7mZ3lvDt8= =1IQ+ -----END PGP SIGNATURE-----