SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  OS (UNIX)  >  Mac OS X Vendors:  Apple Computer
Mac OS X WebKit and WebCore Bugs Permit Cross-Domain Scripting Attacks and Remote Code Execution
SecurityTracker Alert ID:  1018281
SecurityTracker URL:  http://securitytracker.com/id?1018281
CVE Reference:  CVE-2007-2399 ,  CVE-2007-2401   (Links to External Site)
Date:  Jun 22 2007
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Advisory:  Apple Security Advisory
Description:  Two vulnerabilities were reported in Mac OS X. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can conduct cross-domain scripting attacks.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger an invalid conversion in the WebKit code when rendering frame sets and execute arbitrary code on the target system [CVE-2007-2399]. The code will run with the privileges of the target user.

Apple credits Rhys Kidd of Westnet with reporting this vulnerability.

A remote user can create specially crafted HTML that, when loaded by the target user, will inject HTTP code via XMLHttpRequest and cause arbitrary scripting code to be executed by the target user's browser [CVE-2007-2401]. The code will run in the security context of an arbitrary site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Apple credits Richard Moore of Westpoint Ltd. with reporting this vulnerability.
Impact:  A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:  Apple has issued a fix as part of Security Update 2007-006, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

For Mac OS X v10.4.9 (PowerPC) or later
and Mac OS X Server v10.4.9 (PowerPC) or later
The download file is named: "SecUpd2007-006Ti.dmg"
Its SHA-1 digest is: 14ba95e8d6e795b9d0f99b614fe426d643edf15e

For Mac OS X v10.4.9 (Universal) or later
and Mac OS X Server v10.4.9 (Universal) or later
The download file is named: "SecUpd2007-006Univ.dmg"
Its SHA-1 digest is: 68fe035d8653de6e4d27da92d4dbf77c53c1f214

For Mac OS X v10.3.9 and Mac OS X Server v10.3.9
The download file is named: "SecUpd2007-006Pan.dmg"
Its SHA-1 digest is: 8c085ef167f1bfa92ec9e34834181bb034686e8a

The Apple advisory is available at:

http://docs.info.apple.com/article.html?artnum=305759
Vendor URL:  docs.info.apple.com/article.html?artnum=305759 (Links to External Site)
Cause:  Access control error, Input validation error
Underlying OS:  UNIX (Mac OS X)
Reported By:  Apple Product Security <product-security-noreply@lists.apple.com>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 1 2007 (Apple Issues Fix for iPhone) Mac OS X WebKit and WebCore Bugs Permit Cross-Domain Scripting Attacks and Remote Code Execution   (Apple Product Security <product-security-noreply@lists.apple.com>)
Apple has released a fix for iPhone.


 Source Message Contents
Date:  Fri, 22 Jun 2007 14:04:51 -0700
From:  Apple Product Security <product-security-noreply@lists.apple.com>
Subject:  APPLE-SA-2007-06-22 Security Update 2007-006

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2007-06-22 Security Update 2007-006

Security Update 2007-006 is now available and addresses the following
issues:

WebCore
CVE-ID:  CVE-2007-2401
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later
Impact:  Visiting a malicious website may allow cross-site requests
Description:  An HTTP injection issue exists in XMLHttpRequest when
serializing headers into an HTTP request.  By enticing a user to
visit a maliciously crafted web page, an attacker could conduct
cross-site scripting attacks.  This update addresses the issue by
performing additional validation of header parameters.  Credit to
Richard Moore of Westpoint Ltd. for reporting this issue.

WebKit
CVE-ID:  CVE-2007-2399
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9,
Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  An invalid type conversion when rendering frame sets
could lead to memory corruption.  Visiting a maliciously crafted web
page may lead to an unexpected application termination or arbitrary
code execution.  Credit to Rhys Kidd of Westnet for reporting this
issue.

Security Update 2007-006 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.9 (PowerPC) or later
and Mac OS X Server v10.4.9 (PowerPC) or later
The download file is named:  "SecUpd2007-006Ti.dmg"
Its SHA-1 digest is:  14ba95e8d6e795b9d0f99b614fe426d643edf15e

For Mac OS X v10.4.9 (Universal) or later
and Mac OS X Server v10.4.9 (Universal) or later
The download file is named:  "SecUpd2007-006Univ.dmg"
Its SHA-1 digest is:  68fe035d8653de6e4d27da92d4dbf77c53c1f214

For Mac OS X v10.3.9 and Mac OS X Server v10.3.9
The download file is named:  "SecUpd2007-006Pan.dmg"
Its SHA-1 digest is:  8c085ef167f1bfa92ec9e34834181bb034686e8a

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)

iQEVAwUBRnwMjsgAoqu4Rp5tAQjnVgf+PyJLQ1pYYv6QrdoLiRaR3IhuhDF2wgkd
m3UB661sexst2aI417mbqRqdH1W1XUl5EpJlKNzXg9k2BiWxVwD21CxqhLUXJlku
zxXdmAqEIqy2GXtmAquuAX8c0oQF3k+uip8ovzddc9q+B0WV0/vbQODN+O3EkVs9
TNRVjowN0Pmp1Tb8O0hLsBqh57FtH9lzT0d9sGh6/C7zke7lxVOWYd9Y0Vov72rd
9oYv/q+Knj9qh4Zylp3Kg7Um0wotCX2JQ+U+XTNgr00sifaw6WUjpcpq9hQdAgv8
4CrFJGId7g+SYvbqy4pzfLQSFboeYD3HOZsVPSCze57tQSmBfJ6CJw==
=mli5
-----END PGP SIGNATURE-----

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (Security-announce@lists.apple.com)


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC