Home Corporate Website Jobs Mailing Lists RSS Blog New entry Advertise
	Software Inspectors   Scan Online   Personal (PSI)   Network (NSI 2.0)   - NEW - Solutions For   Security Professionals   Security Vendors Free Solutions For   Open Communities   Journalists & Media Secunia Advisories   Search   Historic Advisories   Listed By Product   Listed By Vendor   Statistics / Graphs   Secunia Research   Report Vulnerability   About Advisories Virus Information   Chronological List   Last 10 Virus Alerts   About Virus Information Secunia Customers   Customer Area Safari Address Bar Spoofing and Memory Corruption Vulnerabilities   Secunia Advisory: SA29483   Release Date: 2008-03-24 Last Update: 2008-04-21 Critical: Highly critical Impact: Spoofing System access Where: From remote Solution Status: Vendor Patch Software: Safari for Windows 3.x CVE reference: CVE-2007-2398 (Secunia mirror) CVE-2008-1024 (Secunia mirror) NOTE: Do you know if Apple Safari 3.x has been automatically installed on computers in your network? Scan with the Secunia NSI and find any unauthorised installations Description: Juan Pablo Lopez Yacubian has discovered two vulnerabilities in Safari, which can be exploited by malicious people to conduct spoofing attacks or potentially compromise a user's system. 1) An error when downloading e.g. a .ZIP file with an overly long filename can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code. 2) An error in the handling of windows can be exploited to display arbitrary content while showing the URL of a trusted web site in the address bar. The vulnerabilities are confirmed in version 3.1 for Windows. Other versions may also be affected. Do you have this product installed on your home computer? Scan using the free Personal Software Inspector. Check if a vulnerable version is installed on computers in your corporate network, using the Network Software Inspector. Solution: Update to version 3.1.1. http://www.apple.com/support/downloads/safari311.html Provided and/or discovered by: Juan Pablo Lopez Yacubian Changelog: 2008-04-17: Updated "Solution" section. Added CVE references. 2008-04-21: Added link to US-CERT. Original Advisory: Apple: http://support.apple.com/kb/HT1467 http://archives.neohapsis.com/archives/bugtraq/2008-03/0332.html http://archives.neohapsis.com/archives/bugtraq/2008-03/0324.html Other References: US-CERT VU#529441: http://www.kb.cert.org/vuls/id/529441 Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others. 2 Related Secunia Security Advisories 1. Safari Address Bar URL Spoofing Security Issue 2. Safari Multiple Vulnerabilities Send Feedback to Secunia If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com. Ideas, suggestions, and other feedback are most welcome. Secunia PSI Scan | Patch | Track Free Download Secunia Poll Do you think it's important to read Setup/User Guides for applications for use within your network? Yes, I do it all the time Yes, but I do it rarely No See Results    Most Popular Advisories 1. Yahoo! Assistant yNotifier.dll ActiveX Control Code Execution 2. OpenKM Document Export Security Issue 3. Cyberfolio "rep" File Inclusion Vulnerability 4. vShare YouTube Clone "tid" SQL Injection Vulnerability 5. Zarafa Script Insertion Vulnerabilities 6. Slackware update for thunderbird 7. TFTP Server SP Long Error Message Buffer Overflow 8. Ubuntu update for vorbis-tools 9. SAP Internet Transaction Server wgate.dll Cross-Site Scripting Vulnerability 10. Maian Search Cross-Site Scripting and SQL Injection Vulnerabilities
Vulnerability Management - Terms & Conditions - Copyright 2002-2008 Secunia - Compliance - Contact Secunia