Highly critical

Apple Safari Multiple Vulnerabilities


Release Date:  2009-06-09    Last Update:  2009-07-13    Views:  9,831

Secunia Advisory SA35379

Where:  From remote

Impact:  Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access

Solution Status:  Unpatched

CVE Reference(s):

Description


Some vulnerabilities have been reported in Apple Safari, which can be exploited by malicious people to disclose sensitive information, conduct cross-site scripting attacks, bypass certain security restrictions, or compromise a user's system.

1) An error in the handling of TrueType fonts can be exploited to corrupt memory when a user visits a web site embedding a specially crafted font.

Successful exploitation may allow execution of arbitrary code.

2) Some vulnerabilities in FreeType can potentially be exploited to compromise a user's system.

For more information:
SA34723

3) Some vulnerabilities in libpng can potentially be exploited to compromise a user's system.

For more information:
SA33970

4) An error in the processing of external entities in XML files can be exploited to read files from the user's system when a user visits a specially crafted web page.

5) An error in the handling of redirects when processing Extensible Stylesheet Language Transformations (XSLT) can be exploited to disclose XML content from other web sites.

6) An error in the XSL "document()" function can be exploited to read files from other security zones, including the user's system.

7) An error in WebKit in the handling of JavaScript contexts can be exploited to conduct cross-site scripting attacks, e.g. to spoof the content of a web site that is navigated to.

8) An error exists in WebKit when executing JavaScript code which sets a certain property of an HTML tag. This can be exploited to free child elements of the HTML tag and subsequently reference the freed memory when an HTML error is encountered.

Successful exploitation of this vulnerability may allow execution of arbitrary code.

9) An error when handling calls to the CSS "attr" function can be exploited to access an uninitialised pointer and potentially execute arbitrary code.

10) An error in the handling of "file:" URLs can be exploited to read local files and disclose potentially sensitive information.

Other vulnerabilities have also been reported, some of which may also affect Safari version 3.x.


Solution:
Upgrade to Safari version 4, which fixes the vulnerabilities.

Provided and/or discovered by:
1-3) Tavis Ormandy
4-6) Chris Evans of Google Inc.
7) Michal Zalewski of Google Inc.
8) wushi and ling of team509, reported via iDefense
9) Thierry Zoller, reported via ZDI. The vendor also credits Robert Swiecki of the Google Security Team.
10) Alexios Fakos, n.runs AG. The vendor also credits Dino Dai Zovi.

Original Advisory:
Apple:
http://support.apple.com/kb/HT3613

Chris Evans:
http://scary.beasts.org/security/CESA-2009-006.html
http://scary.beasts.org/security/CESA-2009-008.html

Michal Zalewski:
http://lcamtuf.coredump.cx/sftrap2/

iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=803

Thierry Zoller:
http://archives.neohapsis.com/archives/fulldisclosure/2009-06/0156.html

n.runs:
http://archives.neohapsis.com/archives/fulldisclosure/2009-06/0243.html

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144