SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Web Browser)  >   Apple Safari Vendors:   Apple Computer
(Apple Issues Fix for Safari on Windows) Apple iPhone Bugs Let Remote Users Dial Phone Numbers, Execute Arbitrary Code, and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1018952
SecurityTracker URL:  http://securitytracker.com/id/1018952
CVE Reference:   CVE-2007-3753, CVE-2007-3754, CVE-2007-3755, CVE-2007-3756, CVE-2007-3757, CVE-2007-3758, CVE-2007-3759, CVE-2007-3760, CVE-2007-4671   (Links to External Site)
Date:  Nov 15 2007
Impact:   Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 3.0.4
Description:   Several vulnerabilities were reported in Apple iPhone. A remote user can execute arbitrary code on the target system. A remote user can conduct cross-site scripting attacks. Safari on Windows is affected.

A remote user within Bluetooth networking range can send specially crafted Service Discovery Protocol packets to a Bluetooth-enabled device to trigger an input validation vulnerability and execute arbitrary code [CVE-2007-3753].

Kevin Mahaffey and John Hering of Flexilis Mobile Security reported this vulnerability.

The Mail application will not notify the user if the identity of the mail server has changed or is untrusted [CVE-2007-3754]. A remote user can conduct a man-in-the-middle attack without detection.

A remote user can send mail with a 'tel:' link that, when loaded by the target user, will dial a telephone call without user confirmation [CVE-2007-3755].

Andi Baritchi of McAfee reported this vulnerability.

A remote user can create a specially crafted HTML that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser [CVE-2007-3758, CVE-2007-3760, CVE-2007-3761]. The code will originate from an arbitrary site and run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Michal Zalewski of Google Inc. reported two of these vulnerabilities and Secunia separately reported one vulnerability.

A remote user can create HTML with a specially crafted 'tel:' link that, when loaded by the target user, will dial a different telephone number than displayed when confirmation is requested [CVE-2007-3757].

Billy Hoffman and Bryan Sullivan of HP Security Labs (Formerly SPI Labs) and Eduardo Tang separately reported this vulnerability.

When the user disabled JavaScript, the change does not take effect until Safari is restarted [CVE-2007-3759].

A remote user can create specially crafted HTML that, when loaded by the target user, can access or manipulate the contents of documents served over HTTPS connections in the same domain [CVE-2007-4671].

Keigo Yamazaki of Little eArth Corporation Co., Ltd. reported this vulnerability.

Impact:   A remote user can execute arbitrary code on the target system.

A remote user can conduct man-in-the-middle attacks.

A remote user can cause different telephone numbers to be dialed.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can obtain the URL of a parent window.

Solution:   Apple has released a fix for CVE-2007-3756, CVE-2007-3758, CVE-2007-3760, and CVE-2007-4671 for Safari on Windows (Safari 3 Beta Update 3.0.4), available via the Apple Software Update application, or Apple's Safari download site at:

http://www.apple.com/safari/download/

Safari for Windows XP or Vista
The download file is named: "SafariSetup.exe"
Its SHA-1 digest is: 54f68120298fd628255474d13e10562fcdbf2a14

Safari+QuickTime for Windows XP or Vista
The download file is named: "SafariQuickTimeSetup.exe"
Its SHA-1 digest is: a8afe488e2afcc8ccc9425792d5fc74ac9e25d10

The Apple advisory is available at:

http://docs.info.apple.com/article.html?artnum=307038

Vendor URL:  docs.info.apple.com/article.html?artnum=306586 (Links to External Site)
Cause:   Access control error, Exception handling error, Input validation error
Underlying OS:   Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Sep 28 2007 Apple iPhone Bugs Let Remote Users Dial Phone Numbers, Execute Arbitrary Code, and Conduct Cross-Site Scripting Attacks



 Source Message Contents

Date:  Wed, 14 Nov 2007 13:29:29 -0800
Subject:  APPLE-SA-2007-11-14 Safari 3 Beta Update 3.0.4 (Windows)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2007-11-14 Safari 3 Beta Update 3.0.4 (Windows)

Safari 3 Beta Update 3.0.4 (Windows) is now available and addresses
the following issues:

Safari
CVE-ID:  CVE-2007-4692
Available for:  Windows XP or Vista
Impact:  An issue in Safari Tabbed browsing may lead to the
disclosure of user credentials
Description:  An implementation issue exists in the Tabbed browsing
feature of Safari. If HTTP authentication is used by a site being
loaded in a tab other than the active tab, an authentication sheet
may be displayed although the tab and its corresponding page are not
visible. The user may consider the sheet to come from the currently
active page, which may lead to the disclosure of user credentials.
This update addresses the issue through improved handling of
authentication sheets. Credit to Michael Roitzsch of Technical
University Dresden for reporting this issue.

Safari
CVE-ID:  CVE-2007-1351, CVE-2007-1352, CVE-2007-2754
Available for:  Windows XP or Vista
Impact:  Multiple vulnerabilities in FreeType v2.2.1
Description:  Multiple vulnerabilities exist in FreeType v2.2.1, the
most serious of which may lead to arbitrary code execution. This
update addresses the issue by updating FreeType to version 2.3.5.
Further information is available via the FreeType site at
http://www.freetype.org/

WebCore
CVE-ID:  CVE-2007-3758
Available for:  Windows XP or Vista
Impact:  Visiting a malicious website may lead to cross-site
scripting
Description:  A cross-site scripting issue in Safari allows malicious
websites to set JavaScript window properties of websites served from
a different domain. By enticing a user to visit a maliciously crafted
web page, an attacker may be able to get or set the window status and
location of pages served from other websites. This update addresses
the issue by providing improved access controls on these properties.
Credit to Michal Zalewski of Google Inc. for reporting this issue.

WebCore
CVE-ID:  CVE-2007-3760
Available for:  Windows XP or Vista
Impact:  Visiting a malicious website may lead to cross-site
scripting
Description:  A cross-site scripting issue in Safari allows a
malicious website to bypass the same origin policy by hosting
embedded objects with javascript URLs. By enticing a user to visit a
maliciously crafted web page, an attacker may cause the execution of
JavaScript in the context of another site. This update addresses the
issue by restricting the use of the javascript URL scheme and adding
additional origin validation for these URLs. Credit to Michal
Zalewski of Google Inc. and Secunia Research for reporting this
issue.

WebCore
CVE-ID:  CVE-2007-3756
Available for:  Windows XP or Vista
Impact:  Visiting a malicious website may lead to the disclosure of
URL contents
Description:  Safari may allow a web page to read the URL that is
currently being viewed in its parent window. By enticing a user to
visit a maliciously crafted web page, an attacker may be able to
obtain the URL of an unrelated page. This update addresses the issue
through an improved cross-domain security check. Credit to Michal
Zalewski of Google Inc. and Secunia Research for reporting this
issue.

WebKit
CVE-ID:  CVE-2007-4671
Available for:  Windows XP or Vista
Impact:  JavaScript on websites may access or manipulate the contents
of documents served over HTTPS
Description:  An issue in Safari allows content served over HTTP to
alter or access content served over HTTPS in the same domain. By
enticing a user to visit a maliciously crafted web page, an attacker
may cause the execution of JavaScript in the context of HTTPS web
pages in that domain. This update addresses the issue by preventing
JavaScript access from HTTP to HTTPS frames. Credit to Keigo Yamazaki
of LAC Co., Ltd. (Little eArth Corporation Co., Ltd.) for reporting
this issue.

WebKit
CVE-ID:  CVE-2007-4698
Available for:  Windows XP or Vista
Impact:  Visiting a malicious website may lead to cross-site
scripting
Description:  Safari allows JavaScript events to be associated with
the wrong frame. By enticing a user to visit a maliciously crafted
web page, an attacker may cause the execution of JavaScript in the
context of another site. This update addresses the issue by
associating JavaScript events with the correct source frame.

WebKit
CVE-ID:  CVE-2007-4812
Available for:  Windows XP or Vista
Impact:  Visiting a malicious website may lead to arbitrary code
execution
Description:  A buffer overflow exists in Safari's handling of the
status bar. By enticing a user to visit a maliciously crafted web
page, an attacker may cause arbitrary code execution. This update
addresses the issue by re-implementing the status bar handling.

Safari 3 Beta Update 3.0.4 (Windows) is available via the Apple
Software Update application, or Apple's Safari download site at:
http://www.apple.com/safari/download/

Safari for Windows XP or Vista
The download file is named:  "SafariSetup.exe"
Its SHA-1 digest is:  54f68120298fd628255474d13e10562fcdbf2a14

Safari+QuickTime for Windows XP or Vista
The download file is named:  "SafariQuickTimeSetup.exe"
Its SHA-1 digest is:  a8afe488e2afcc8ccc9425792d5fc74ac9e25d10

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: 9.7.0.867

wsBVAwUBRztc8MgAoqu4Rp5tAQi2PQgAsBkFgf2vdsiiPOvdOLJ9kWiZaw9Q4lfd
V5ntJlzUR09257XFZWYckraUZXaeZkuBbcSZsrCijiZuk9vj7a5F5uw4nSAvT/hp
cNkPHd6GK5jYvyQVyrTOfFTRWwXQlNMN5UEZuS9puLZqUwDCVcoQGA/ex/qFsjH1
baR5Cl05StMdTN0KBhocY8HZNr+iWDEx57t1VdEyQVZqfImbxh94DmzKJ/EJhWZ8
tgi1EisLjMBnA/OlTDyScdCQTdJmXF4BRf+4/pCvJAJPWkLcRFV7GcE5Cby9RJK7
GYtjFV9GKuYiBNmX/Ku/C5y2KqfSXJqiSSHs7YkEGeURKuK4sbJLqw==
=iPVV
-----END PGP SIGNATURE-----

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (Security-announce@lists.apple.com)
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC