Secunia Security Advisory - Multiple vulnerabilities and weaknesses have been reported in Apple Safari, which can be exploited by malicious people to bypass certain security restrictions, conduct spoofing attacks, or compromise a user's system.
b8844e461e5295ba25a223b7dd3cf558dc4225a3a12ae5908268714f55a5240d
----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
Join the beta:
https://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA42264
VERIFY ADVISORY:
Secunia.com
https://secunia.com/advisories/42264/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42264
RELEASE DATE:
2010-11-19
DISCUSS ADVISORY:
https://secunia.com/advisories/42264/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
https://secunia.com/advisories/42264/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42264
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
https://secunia.com/vulnerability_scanning/personal/
https://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities and weaknesses have been reported in Apple
Safari, which can be exploited by malicious people to bypass certain
security restrictions, conduct spoofing attacks, or compromise a
user's system.
1) An integer overflow error in the handling of strings can be
exploited to corrupt memory and potentially execute arbitrary code.
2) A weakness in the random number generator for JavaScript
applications can be exploited to e.g. track users.
3) Multiple vulnerabilities in WebKit can be exploited by malicious
people to compromise a user's system.
For more information:
SA41328
4) An integer underflow error in the handling of WebSockets can be
exploited to corrupt memory and potentially execute arbitrary code.
5) An unspecified error in the handling of images created from
"canvas" elements can be exploited to conduct cross-origin image
thefts.
This is related to vulnerability #12 in:
SA41242
6) An invalid cast in the handling of editing commands can
potentially be exploited to execute arbitrary code.
7) An invalid cast in the handling of inline styling can potentially
be exploited to execute arbitrary code.
8) An error within the handling of the History object can be
exploited to spoof the address in the location bar or add arbitrary
locations to the history.
9) A use-after-free error in the handling of element attributes can
be exploited to corrupt memory and potentially execute arbitrary
code.
10) An integer overflow error in the handling of Text objects can be
exploited to corrupt memory and potentially execute arbitrary code.
11) A weakness is caused due to WebKit performing DNS prefetching for
HTML Link elements even when it is disabled.
12) Multiple use-after-free errors in the handling of plugins can be
exploited to corrupt memory and potentially execute arbitrary code.
This is related to vulnerability #5 in:
SA41014
13) A use-after-free error in the handling of element focus can be
exploited to corrupt memory and potentially execute arbitrary code.
This is related to vulnerability #10 in:
SA41242
14) A use-after-free error in the handling of scrollbars can be
exploited to corrupt memory and potentially execute arbitrary code.
15) An invalid cast in the handling of CSS 3D transforms can
potentially be exploited to execute arbitrary code.
16) A use-after-free error in the handling of inline text boxes can
be exploited to corrupt memory and potentially execute arbitrary
code.
17) An invalid cast in the handling of CSS boxes can potentially be
exploited to execute arbitrary code.
18) An unspecified error in the handling of editable elements can be
exploited to trigger an access of uninitialised memory and
potentially execute arbitrary code.
19) An unspecified error in the handling of the ':first-letter'
pseudo-element in cascading stylesheets can be exploited to corrupt
memory and potentially execute arbitrary code.
20) An uninitialised pointer error in the handling of CSS counter
styles can potentially be exploited to execute arbitrary code.
21) A use-after-free error in the handling of Geolocation objects can
be exploited to corrupt memory and potentially execute arbitrary
code.
22) A use-after-free error in the handling of "use" elements in SVG
documents can be exploited to corrupt memory and potentially execute
arbitrary code.
23) An invalid cast in the handling of SVG elements in non-SVG
documents can potentially be exploited to execute arbitrary code.
This is related to vulnerability #2 in:
SA41443
24) An invalid cast in the handling of colors in SVG documents can
potentially be exploited to execute arbitrary code.
SOLUTION:
Update to Safari 5.0.3 (Mac OS X 10.5.8, Mac OS X 10.6.4 or later,
Windows 7, Vista, XP) or Safari 4.1.3 (Mac OS X 10.4.11).
PROVIDED AND/OR DISCOVERED BY:
2) Amit Klein, Trusteer
The vendor credits:
1, 10) J23
3) Jose A. Vazquez of spa-s3c.blogspot.com, Csaba Osztrogonac of
University of Szeged, and also thabermann and chipplyman
4) Keith Campbell, and Cris Neckar, Google Chrome Security Team
5) Isaac Dawson, and James Qiu, Microsoft and Microsoft Vulnerability
Research (MSVR)
6, 22, 23) wushi, team509
7, 15 - 17, 19, 24) Abhishek Arya (Inferno), Google Chrome Security
Team
8) Mike Taylor, Opera Software
9) Michal Zalewski
11) Jeff Johnson, Rogue Amoeba Software
13) Vupen
14) Rohit Makasana, Google Inc.
20, 21) kuzzcc
ORIGINAL ADVISORY:
Apple:
https://support.apple.com/kb/HT4455
Trusteer:
https://www.trusteer.com/sites/default/files/Temporary_User_Tracking_in_Major_Browsers.pdf
OTHER REFERENCES:
Further details available in Customer Area:
https://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
https://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
https://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
https://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
https://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
https://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
https://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------