Category: Device (VoIP/Phone/FAX) > Apple iPhone
Vendors: Apple Computer
(Apple Issues Fix for iPhone) Mac OS X WebKit and WebCore Bugs Permit Cross-Domain Scripting Attacks and Remote Code Execution
SecurityTracker Alert ID: 1018487
SecurityTracker URL: http://securitytracker.com/id/1018487
CVE Reference: CVE-2007-2399, CVE-2007-2401
Date: Aug 1 2007
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.0
Description:   Two vulnerabilities were reported in Mac OS X. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can conduct cross-domain scripting attacks. Apple iPhone is affected.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger an invalid conversion in the WebKit code when rendering frame sets and execute arbitrary code on the target system [CVE-2007-2399]. The code will run with the privileges of the target user.

Apple credits Rhys Kidd of Westnet with reporting this vulnerability.

A remote user can create specially crafted HTML that, when loaded by the target user, will inject HTTP code via XMLHttpRequest and cause arbitrary scripting code to be executed by the target user's browser [CVE-2007-2401]. The code will run in the security context of an arbitrary site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Apple credits Richard Moore of Westpoint Ltd. with reporting this vulnerability.
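
An added example (not Apple's or SecurityTracker's code) of the defensive check relevant to CVE-2007-2401, which Apple's message describes as HTTP injection when XMLHttpRequest serializes headers, fixed by additional validation of header parameters. The serializer, function names, sample headers and exact character rules are assumptions for illustration.

```javascript
// Added illustration; not WebCore code. All names and sample values are constructed.

// Header field names must be HTTP "token" characters (no spaces, colons, CR or LF).
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Assumed value rule: tab, printable ASCII and Latin-1 only; CR, LF and NUL never match.
const FIELD_VALUE = /^[\t\x20-\x7e\x80-\xff]*$/;

// Unchecked serializer: caller-supplied strings are concatenated into the request as-is.
function serializeUnchecked(method, path, headers) {
  let out = `${method} ${path} HTTP/1.1\r\n`;
  for (const [name, value] of headers) out += `${name}: ${value}\r\n`;
  return out + '\r\n';
}

// Validation applied to each header before anything is written to the wire.
function validateHeader(name, value) {
  if (typeof name !== 'string' || !TOKEN.test(name)) {
    throw new SyntaxError(`invalid header name: ${JSON.stringify(name)}`);
  }
  const trimmed = String(value).replace(/^[\t ]+|[\t ]+$/g, '');
  if (!FIELD_VALUE.test(trimmed)) {
    throw new SyntaxError(`invalid value for header ${name}`);
  }
  return [name, trimmed];
}

// Checked serializer: rejects the whole request if any header fails validation.
function serializeChecked(method, path, headers) {
  return serializeUnchecked(method, path, headers.map(([n, v]) => validateHeader(n, v)));
}

// Header lines a receiving parser would see in the serialized request head.
function headerLines(raw) {
  return raw.slice(0, raw.indexOf('\r\n\r\n')).split('\r\n').slice(1);
}

// Constructed input: two headers supplied by page script, one value carrying CR LF.
const SAMPLE = [['Accept', 'text/html'], ['X-Note', 'a\r\nX-Extra: b']];

function demo() {
  const unchecked = headerLines(serializeUnchecked('GET', '/', SAMPLE)).length;
  let rejected = false;
  try { serializeChecked('GET', '/', SAMPLE); } catch (e) { rejected = e instanceof SyntaxError; }
  return { supplied: SAMPLE.length, unchecked, rejected };
}

console.log(demo());
```

Two supplied headers become three header lines in the unchecked output, which is the mismatch the validation step removes by refusing the request.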

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   Apple has issued a fix for iPhone as part of iPhone v1.0.1 Update, available only through iTunes.

The Apple advisory is available at:

http://docs.info.apple.com/article.html?artnum=306173

Vendor URL: docs.info.apple.com/article.html?artnum=305759
Cause:   Access control error, Input validation error
Underlying OS:  

Message History:   This archive entry is a follow-up to the message listed below.
Jun 22 2007 Mac OS X WebKit and WebCore Bugs Permit Cross-Domain Scripting Attacks and Remote Code Execution



 Source Message Contents

Date:  Tue, 31 Jul 2007 17:24:20 -0700
Subject:  APPLE-SA-2007-07-31 iPhone v1.0.1 Update


APPLE-SA-2007-07-31 iPhone v1.0.1 Update

iPhone v1.0.1 Update is now available and addresses the following
issues:

Safari
CVE-ID: CVE-2007-2400
Available for: iPhone v1.0
Impact: Visiting a malicious website may allow cross-site scripting
Description: Safari's security model prevents JavaScript in remote
web pages from modifying pages outside of their domain. A race
condition in page updating combined with HTTP redirection may allow
JavaScript from one page to modify a redirected page. This could
allow cookies and pages to be read or arbitrarily modified. This
update addresses the issue by correcting access control to window
properties. Credit to Lawrence Lai, Stan Switzer, and Ed Rowe of
Adobe Systems, Inc. for reporting this issue.

Safari
CVE-ID: CVE-2007-3944
Available for: iPhone v1.0
Impact: Viewing a maliciously crafted web page may lead to arbitrary
code execution
Description: Heap buffer overflows exist in the Perl Compatible
Regular Expressions (PCRE) library used by the JavaScript engine in
Safari. By enticing a user to visit a maliciously crafted web page,
an attacker may trigger the issues, which may lead to arbitrary code
execution. This update addresses the issues by performing additional
validation of JavaScript regular expressions. Credit to Charlie
Miller and Jake Honoroff of Independent Security Evaluators for
reporting these issues.

WebCore
CVE-ID: CVE-2007-2401
Available for: iPhone v1.0
Impact: Visiting a malicious website may allow cross-site requests
Description: An HTTP injection issue exists in XMLHttpRequest when
serializing headers into an HTTP request. By enticing a user to visit
a maliciously crafted web page, an attacker could trigger a
cross-site scripting issue. This update addresses the issue by
performing additional validation of header parameters. Credit to
Richard Moore of Westpoint Ltd. for reporting this issue.

WebKit
CVE-ID: CVE-2007-3742
Available for: iPhone v1.0
Impact: Look-alike characters in a URL could be used to masquerade a
website
Description: The International Domain Name (IDN) support and Unicode
fonts embedded in Safari could be used to create a URL which contains
look-alike characters. These could be used in a malicious web site to
direct the user to a spoofed site that visually appears to be a
legitimate domain. This update addresses the issue through an
improved domain name validity check. Credit to Tomohito Yoshino
of Business Architects Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2007-2399
Available for: iPhone v1.0
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: An invalid type conversion when rendering frame sets
could lead to memory corruption. Visiting a maliciously crafted web
page may lead to an unexpected application termination or arbitrary
code execution. Credit to Rhys Kidd for reporting this issue.

Installation note:

This update is only available through iTunes, and will not appear in
your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/

iTunes will automatically check Apple's update server on its weekly
schedule.  When an update is detected, it will download it.  When the
iPhone is docked, iTunes will present the user with the option to
install the update. We recommend applying the update immediately if
possible.  Selecting "don't install" will present the option the next
time you connect your iPhone.

The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the "Check for Update" button within iTunes. After doing
this, the update can be applied when your iPhone is docked to your
computer.

To check that the iPhone has been updated:

* Navigate to Settings
* Select General
* Select About
* The Version after applying this update will be "1.0.1 (1C25)"

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/


Security-announce mailing list      (Security-announce@lists.apple.com)
 
 


Copyright 2013, SecurityGlobal.net LLC