Safari SubFrame Navigation and RSS Feed URL Bugs Let Remote Users Conduct Cross-Site Scripting Attacks and Execute Arbitrary Code
SecurityTracker Alert ID: 1019108
SecurityTracker URL: http://securitytracker.com/id?1019108
CVE Reference: CVE-2007-5858, CVE-2007-5859
Updated: Dec 22 2007
Original Entry Date: Dec 18 2007
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Advisory: Apple Security Advisory
Version(s): 3.0.4
Description: Two vulnerabilities were reported in Safari. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can conduct cross-site scripting attacks.
A remote user can create a specially crafted HTML page that, when loaded by the target user, will cause WebKit to navigate the subframes of arbitrary pages and execute arbitrary scripting code in the context of those pages [CVE-2007-5858]. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A remote user can create a specially crafted RSS feed that, when loaded by the target user, will execute arbitrary code on the target user's system [CVE-2007-5859]. Mac OS X versions 10.5 and later are not affected.
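To make the frame navigation issue concrete, the following is an added JavaScript model (not Apple's or WebKit's code) of the permissive policy the description refers to, placed beside two stricter policies; the "window" and "descendant" policies are assumed here as representative of the kind of stricter frame navigation policy the update introduced, and all frame names and origins are constructed for the example.

```javascript
// Added illustration (not WebKit's code) of frame navigation policies.
// Permissive: any frame may navigate any other, as described for CVE-2007-5858.
// Window and descendant policies are assumed stricter models; names/origins are constructed.
function makeFrame(name, origin, parent = null) {
  return { name, origin, parent };
}
// True if `candidate` is `target` itself or one of its ancestors.
function isAncestorOrSelf(candidate, target) {
  for (let f = target; f; f = f.parent) {
    if (f === candidate) return true;
  }
  return false;
}
function topFrame(frame) {
  let f = frame;
  while (f.parent) f = f.parent;
  return f;
}
// Permissive policy: any frame may navigate any frame, even in another window.
function permissivePolicyAllows(source, target) {
  return Boolean(source && target);
}
// Window policy: navigation allowed only within the same top-level window.
function windowPolicyAllows(source, target) {
  return topFrame(source) === topFrame(target);
}
// Descendant policy: target must be source itself or lie below it in the tree.
function descendantPolicyAllows(source, target) {
  return isAncestorOrSelf(source, target);
}
// Constructed scenario: a bank page with a login subframe and a third-party ad
// subframe in one window, and an unrelated attacker page in another window.
function evaluateScenario() {
  const bankTop = makeFrame("bank", "https://bank.example");
  const bankLogin = makeFrame("bank-login", "https://bank.example", bankTop);
  const bankAd = makeFrame("bank-ad", "https://ads.example", bankTop);
  const attackerTop = makeFrame("attacker", "https://attacker.example");
  return {
    crossWindowPermissive: permissivePolicyAllows(attackerTop, bankLogin), // true
    crossWindowWindow: windowPolicyAllows(attackerTop, bankLogin),         // false
    crossWindowDescendant: descendantPolicyAllows(attackerTop, bankLogin), // false
    siblingWindow: windowPolicyAllows(bankAd, bankLogin),                  // true
    siblingDescendant: descendantPolicyAllows(bankAd, bankLogin),          // false
    parentToChild: descendantPolicyAllows(bankTop, bankLogin),             // true
  };
}
```

The descendant policy is the only one of the three that stops both the cross-window case the advisory describes and a third-party subframe redirecting a sibling frame inside the same page.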
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the affected site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A remote user can cause arbitrary code to be executed on the target user's system.
Solution: The vendor has issued a fix (APPLE-SA-2007-12-17 Security Update 2007-009 v1.1), available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:
http://www.apple.com/support/downloads/
For Mac OS X v10.5.1, the download file is named "SecUpd2007-009.dmg". Its SHA-1 digest is: 0ba35ef30a525792f1d4015395997b42f524dd38
For Mac OS X v10.4.11 (Universal), the download file is named "SecUpd2007-009Univ.dmg". Its SHA-1 digest is: 49f52d4f647ea4a1fabef34cccac263bfd03791a
For Mac OS X v10.4.11 (PPC), the download file is named "SecUpd2007-009Ti.dmg". Its SHA-1 digest is: d1c5c4bc23267dd846bb96e7be69b084579c1bba
The vendor has also issued Safari 3 Beta 3.0.4 Security Update v1.1 (for Windows) to correct CVE-2007-5858, available via the Apple Software Update application, or Apple's Safari download site at:
http://www.apple.com/safari/download/
For Safari for Windows XP or Vista, the download file is named "Safari304BetaSecUpdateSetup.exe". Its SHA-1 digest is: 44d788791fb060a97cdc9d09d9973919b181cc35
For Safari+QuickTime for Windows XP or Vista, the download file is named "Safari304BetaSecUpdateQuickTimeSetup.exe". Its SHA-1 digest is: 17ad827789d11bb3c4407a68beb6df942bfa7382
The Apple advisories are available at:
http://docs.info.apple.com/article.html?artnum=307178
http://docs.info.apple.com/article.html?artnum=307179
http://docs.info.apple.com/article.html?artnum=307224
http://docs.info.apple.com/article.html?artnum=307225
[Editor's note: The original Security Update 2007-009 and Safari 3 Beta 3.0.4 Security Update issued on December 17, 2007 contained a performance issue that may cause Safari to crash. On December 21, 2007, Apple issued the revised Security Update 2007-009 v1.1 and Safari 3 Beta 3.0.4 Security Update v1.1. Customers should apply the new update.]
Vendor URL: docs.info.apple.com/article.html?artnum=307179
Cause: Access control error, Input validation error
Underlying OS: UNIX (OS X), Windows (Vista), Windows (XP)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Tue, 18 Dec 2007 00:32:48 -0500
Subject: Safari
APPLE-SA-2007-12-17 Security Update 2007-009
Safari
CVE-ID: CVE-2007-5858
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Visiting a malicious website may result in the disclosure of
sensitive information
Description: WebKit allows a page to navigate the subframes of any
other page. Visiting a maliciously crafted web page could trigger a
cross-site scripting attack, which may lead to the disclosure of
sensitive information. This update addresses the issue by
implementing a stricter frame navigation policy.
Safari RSS
CVE-ID: CVE-2007-5859
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Accessing a maliciously crafted feed: URL may lead to an
application termination or arbitrary code execution
Description: A memory corruption issue exists in Safari's handling
of feed: URLs. By enticing a user to access a maliciously crafted
URL, an attacker may cause an unexpected application termination or
arbitrary code execution. This update addresses the issue by
performing additional validation of feed: URLs and providing an error
message in case of an invalid URL. This issue does not affect systems
running Mac OS X 10.5 or later.