
Secunia Security Advisory 45325

Posted on 22 July 2011
Source: packetstormsecurity.org

----------------------------------------------------------------------

The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way.

Read more and request a free trial:
http://secunia.com/products/corporate/vim/

----------------------------------------------------------------------

TITLE:
Apple Safari Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA45325

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45325/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45325

RELEASE DATE:
2011-07-22

DISCUSS ADVISORY:
http://secunia.com/advisories/45325/#comments

AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)

http://secunia.com/advisories/45325/

ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS

https://ca.secunia.com/?page=viewadvisory&vuln_id=45325

ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING

http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

DESCRIPTION:
A weakness and multiple vulnerabilities have been reported in Apple
Safari, which can be exploited by malicious people to disclose
sensitive information, manipulate certain data, conduct cross-site
scripting and spoofing attacks, bypass certain security restrictions,
and compromise a user's system.

1) An error within CFNetwork when handling the "text/plain" content
type can be exploited to execute arbitrary HTML and script code in a
user's browser session in the context of an affected site.

2) An error within CFNetwork when using the NTLM authentication
protocol can be exploited to execute arbitrary code by tricking a
user into visiting a specially crafted web page.

3) An error exists within CFNetwork when handling SSL certificates,
which does not properly verify disabled root certificates. This can
lead to certificates signed by the disabled root certificates being
validated.

4) An integer overflow error exists within the ColorSync component.

For more information see vulnerability #5 in:
SA45054

5) An off-by-one error exists within the CoreFoundation framework.

For more information see vulnerability #6 in:
SA45054

6) An integer overflow error exists in CoreGraphics.

For more information see vulnerability #7 in:
SA45054

7) An error exists within ICU (International Components for
Unicode).

For more information see vulnerability #11 in:
SA45054

8) An error exists in ImageIO's handling of certain uppercase strings
within TIFF files.

For more information see vulnerability #9 in:
SA45054

9) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.

10) A use-after-free error within WebKit when handling TIFF images
can result in an invalid pointer being dereferenced when a user views
a specially crafted web page.

11) An error within libxslt can be exploited to disclose certain
addresses from the heap.

For more information see vulnerability #2 in:
SA43832

12) An off-by-one error within libxml when handling certain XML data
can be exploited to cause a heap-based buffer overflow.

13) An error in the "AutoFill web forms" feature can be exploited to
disclose certain information from the user's Address Book by tricking
a user into visiting a specially crafted web page.

14) A cross-origin error when handling certain fonts in Java Applets
can lead to certain text being displayed on other sites.

15) Multiple unspecified errors in the WebKit component can be
exploited to corrupt memory.

16) An error within WebKit when handling libxslt configurations can
be exploited to create arbitrary files.

17) A cross-origin error when handling Web Workers can lead to
certain information being disclosed.

18) A cross-origin error when handling certain URLs containing a
username can be exploited to execute arbitrary HTML and script code
in a user's browser session in the context of an affected site.

19) A cross-origin error when handling DOM nodes can be exploited to
execute arbitrary HTML and script code in a user's browser session in
the context of an affected site.

20) An error within the handling of DOM history objects can be
exploited to display arbitrary content while showing the URL of a
trusted web site in the address bar.

21) An error within the handling of RSS feeds may lead to arbitrary
files from a user's system being sent to a remote server.

22) A weakness in WebKit can lead to remote DNS prefetching.

For more information see vulnerability #6 in:
SA42312

23) A use-after-free error within WebKit when processing MathML
markup tags can result in an invalid pointer being dereferenced when
a user views a specially crafted web page.

24) An error within WebKit when parsing a frameset element can be
exploited to cause a heap-based buffer overflow.

25) A use-after-free error within WebKit when handling XHTML tags can
result in an invalid tag pointer being dereferenced when a user views
a specially crafted web page.

26) A use-after-free error within WebKit when handling SVG tags can
result in an invalid pointer being dereferenced when a user views a
specially crafted web page.

The weakness and the vulnerabilities are reported in versions prior
to 5.1 and 5.0.6.

SOLUTION:
Update to version 5.1 or 5.0.6.

PROVIDED AND/OR DISCOVERED BY:
4) binaryproof via ZDI
8) Dominic Chell, NGS Secure
10) Juan Pablo Lopez Yacubian via iDefense
23, 25, 26) wushi, team509 via iDefense
24) Jose A. Vazquez via iDefense

The vendor credits:
1) Hidetake Jo via Microsoft Vulnerability Research (MSVR) and Neal
Poole, Matasano Security
2) Takehiro Takahashi, IBM X-Force Research
3) An anonymous reporter
5) Harry Sintonen
6) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
7) David Bienvenu, Mozilla
9) Cyril CATTIAUX, Tessi Technologies
11) Chris Evans, Google Chrome Security Team
12) Billy Rios, Google Security Team
13) Florian Rienhardt of BSI, Alex Lambert, and Jeremiah Grossman
14) Joshua Smith, Kaon Interactive
16) Nicolas Gregoire, Agarri
17) Daniel Divricean, divricean.ro
18) Jobert Abma, Online24
19) Sergey Glazunov
20) Jordi Chancel
21) Jason Hullinger
22) Mike Cardwell, Cardwell IT

The vendor provides a bundled list of credits for the vulnerabilities
covered by #15:
* David Weston, Microsoft and Microsoft Vulnerability Research
(MSVR)
* Yong Li, Research In Motion
* SkyLined, Google Chrome Security Team
* Abhishek Arya (Inferno), Google Chrome Security Team
* Nikita Tarakanov and Alex Bazhanyuk, CISS Research Team
* J23 via ZDI
* Rob King via ZDI
* wushi, team509 via ZDI
* wushi of team509
* Adam Barth, Google Chrome Security Team
* Richard Keen
* An anonymous researcher via ZDI
* Rik Cabanier, Adobe Systems
* Martin Barbella
* Sergey Glazunov
* miaubiz
* Andreas Kling, Nokia
* Marek Majkowski via iDefense
* John Knottenbelt, Google

ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4808

iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=930
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=931
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=932
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=933
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=934

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-228/

NGS Secure:
http://archives.neohapsis.com/archives/bugtraq/2011-07/0034.html

OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
private users keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches; only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

----------------------------------------------------------------------