SecurityTracker.com
Category:   Application (Web Browser)  >   Apple Safari
Vendors:   Apple Computer
Safari Multiple Input Validation and Processing Bugs Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1019653
SecurityTracker URL:  http://securitytracker.com/id/1019653
CVE Reference:   CVE-2008-1001, CVE-2008-1002, CVE-2008-1003, CVE-2008-1004, CVE-2008-1006, CVE-2008-1007, CVE-2008-1008, CVE-2008-1009, CVE-2008-1011
Date:  Mar 19 2008
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 3.1
Description:   Multiple vulnerabilities were reported in Safari. A remote user can conduct cross-site scripting attacks.

The software does not properly filter HTML code from user-supplied input before displaying or processing the input. A remote user can create a specially crafted URL or HTML content that, when loaded by a target user, will cause arbitrary scripting code to be executed. The code may run in the security context of an arbitrary site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, take actions on the site acting as the target user, or obtain elevated privileges.

The browser's error page is affected [CVE-2008-1001] on Windows XP and Vista. Robert Swiecki of Google Information Security Team reported this vulnerability.

The processing of 'javascript:' URLs is affected [CVE-2008-1002]. Robert Swiecki of Google Information Security Team reported this vulnerability.

The processing of pages that have the 'document.domain' property set is affected [CVE-2008-1003]. Adam Barth and Collin Jackson of Stanford University reported this vulnerability.

Web Inspector is affected [CVE-2008-1004]. Adam Barth and Collin Jackson of Stanford University reported this vulnerability.

The window.open() function is affected [CVE-2008-1006]. Adam Barth and Collin Jackson of Stanford University reported this vulnerability.

The frame navigation policy for Java applets is affected [CVE-2008-1007]. Adam Barth and Collin Jackson of Stanford University reported this vulnerability.

The processing of the 'document.domain' property is affected [CVE-2008-1008].

The processing of history objects is affected [CVE-2008-1009].

The processing of method instances in WebKit is affected [CVE-2008-1011]. David Bloom reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with arbitrary sites, access data recently submitted by the target user via web form to the site, take actions on the site acting as the target user, or obtain elevated privileges.
Solution:   The vendor has issued a fixed version (3.1), available via the Apple Software Update application or Apple's Safari download site at:

http://www.apple.com/safari/download/

Safari for Mac OS X v10.5.2
The download file is named: "Safari31UpdLeo.dmg"
Its SHA-1 digest is: db76743014600581d59c1be3b60f2d8edd3defcd

Safari for Mac OS X v10.4.11
The download file is named: "Safari31UpdTiger.dmg"
Its SHA-1 digest is: 567ef2be9bdba51c2cf86613958599123e5f45f1

Safari for Windows XP or Vista
The download file is named: "SafariSetup.exe"
Its SHA-1 digest is: 48f9bfd5145be9f8a9307ab3e83674df4799c763

Safari+QuickTime for Windows XP or Vista
The file is named: "SafariQuickTimeSetup.exe"
Its SHA-1 digest is: 2c35c091ba306ee59a3101f86899a310f55c385f

http://docs.info.apple.com/article.html?artnum=307563

Vendor URL:  docs.info.apple.com/article.html?artnum=307563
Cause:   Input validation error
Underlying OS:   UNIX (OS X), Windows (Vista), Windows (XP)

Message History:   None.
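
The file names and SHA-1 digests listed under Solution can be checked mechanically before an installer is run. The following is an added example, not part of the advisory or of Apple's tooling: it parses the digest list as it appears on this page and verifies a local file against it; the function names are hypothetical.

```python
import hashlib
import hmac
import re

# Digest list copied from this advisory's Solution section.
ADVISORY = '''
Safari for Mac OS X v10.5.2
The download file is named: "Safari31UpdLeo.dmg"
Its SHA-1 digest is: db76743014600581d59c1be3b60f2d8edd3defcd

Safari for Mac OS X v10.4.11
The download file is named: "Safari31UpdTiger.dmg"
Its SHA-1 digest is: 567ef2be9bdba51c2cf86613958599123e5f45f1

Safari for Windows XP or Vista
The download file is named: "SafariSetup.exe"
Its SHA-1 digest is: 48f9bfd5145be9f8a9307ab3e83674df4799c763

Safari+QuickTime for Windows XP or Vista
The file is named: "SafariQuickTimeSetup.exe"
Its SHA-1 digest is: 2c35c091ba306ee59a3101f86899a310f55c385f
'''

# A quoted file name followed by its 40-hex-digit digest on the next line.
PAIR = re.compile(
    r'file is named:\s*"([^"]+)"\s+Its SHA-1 digest is:\s*([0-9a-fA-F]{40})\b')

def published_digests(text):
    """Map each file name in the advisory text to its lower-case SHA-1 digest."""
    return {name: digest.lower() for name, digest in PAIR.findall(text)}

def sha1_of(path, chunk=1 << 20):
    """Hash the file in chunks so a large installer is never held in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, name, digests):
    """True only if `name` is listed in the advisory and the file's digest matches."""
    expected = digests.get(name)
    if expected is None:
        return False  # file name not in the advisory: never report it as verified
    return hmac.compare_digest(sha1_of(path), expected)
```

The digests are only as trustworthy as the channel that delivered them, which is why the source announcement below is PGP-signed. SHA-1 is no longer collision-resistant, so a match here confirms an intact download of this 2008 release rather than providing a modern integrity guarantee.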


 Source Message Contents

Date:  Tue, 18 Mar 2008 10:46:41 -0700
Subject:  APPLE-SA-2008-03-18 Safari 3.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2008-03-18 Safari 3.1

Safari 3.1 is now available and addresses the following issues:

Safari
CVE-ID:  CVE-2007-4680
Available for:  Windows XP or Vista
Impact:  A remote attacker may be able to cause an untrusted
certificate to appear trusted
Description:  An issue exists in the validation of certificates. A
man-in-the-middle attacker may be able to direct the user to a
legitimate site with a valid SSL certificate, then re-direct the user
to a spoofed web site that incorrectly appears to be trusted. This
could allow user credentials or other information to be collected.
This update addresses the issue through improved validation of
certificates. This issue is addressed for Mac OS X in Security Update
2007-008, and is incorporated into Mac OS X v10.4.11 and Mac OS X
v10.5 or later. Credit to Marko Karppinen, Petteri Kamppuri, and
Nikita Zhuk of MK&C for reporting this issue.

Safari
CVE-ID:  CVE-2008-0050
Available for:  Windows XP or Vista
Impact:  A malicious proxy server may spoof secure websites
Description:  A malicious HTTPS proxy server may return arbitrary
data to CFNetwork in a 502 Bad Gateway error, which could allow a
secure website to be spoofed. This update addresses the issue by
returning an error on any proxy error, instead of returning the
proxy-supplied data. This issue has already been addressed in Mac OS
X 10.5.2, and in Security Update 2008-002 for Mac OS X 10.4.11
systems.

Safari
CVE-ID:  CVE-2008-1001
Available for:  Windows XP or Vista
Impact:  Visiting a maliciously crafted website may result in cross-
site scripting
Description:  A cross-site scripting issue exists in Safari's error
page. By enticing a user to open a maliciously crafted URL, an
attacker may cause the disclosure of sensitive information. This
update addresses the issue by performing additional validation of
URLs. This issue does not affect Mac OS X systems. Credit to Robert
Swiecki of Google Information Security Team for reporting this issue.

Safari
CVE-ID:  CVE-2008-1002
Available for:  Mac OS X v10.4.11, Mac OS X v10.5.2,
Windows XP or Vista
Impact:  Visiting a maliciously crafted website may result in cross-
site scripting
Description:  A cross-site scripting issue exists in the processing
of javascript: URLs. Enticing a user to visit a maliciously crafted
web page could allow the execution of JavaScript in the context of
another site. This update addresses the issue by performing
additional validation of javascript: URLs. Credit to Robert Swiecki
of Google Information Security Team for reporting this issue.

WebCore
CVE-ID:  CVE-2008-1003
Available for:  Mac OS X v10.4.11, Mac OS X v10.5.2,
Windows XP or Vista
Impact:  Visiting a maliciously crafted website may result in cross-
site scripting
Description:  An issue exists with the handling of web pages that
have explicitly set the document.domain property. This could lead to
a cross-site scripting attack in sites that set the document.domain
property, or between HTTP and HTTPS sites with the same
document.domain. This update addresses the issue by improving same-
origin checks. Credit to Adam Barth and Collin Jackson of Stanford
University for reporting this issue.

WebCore
CVE-ID:  CVE-2008-1004
Available for:  Mac OS X v10.4.11, Mac OS X v10.5.2,
Windows XP or Vista
Impact:  Using Web Inspector on a maliciously crafted website may
result in cross-site scripting
Description:  An issue in Web Inspector allows a page being inspected
to escalate its privileges by injecting script that will run in other
domains and read the user's file system. This update addresses the
issue by preventing Javascript code on remote pages from being run.
Credit to Collin Jackson and Adam Barth of Stanford University for
reporting this issue.

WebCore
CVE-ID:  CVE-2008-1005
Available for:  Mac OS X v10.4.11, Mac OS X v10.5.2,
Windows XP or Vista
Impact:  Using Kotoeri reverse conversion on a password field
displays the password
Description:  The content of password fields on web pages is normally
hidden to guard against disclosing it to others with the ability to
see the display. An issue exists with the use of the Kotoeri input
method, which could result in exposing the password field content on
the display when reverse conversion is requested. This update
addresses the issue by no longer exposing the content of password
fields when using Kotoeri reverse conversion.

WebCore
CVE-ID:  CVE-2008-1006
Available for:  Mac OS X v10.4.11, Mac OS X v10.5.2,
Windows XP or Vista
Impact:  Visiting a maliciously crafted website may result in cross-
site scripting
Description:  The window.open() function may be used to change the
security context of a webpage to the caller's context. Enticing a
user to open a maliciously crafted page could allow an arbitrary
script to be executed in the user's security context. This update
addresses the issue by not allowing the security context to be
changed. Credit to Adam Barth and Collin Jackson of Stanford
University for reporting this issue.

WebCore
CVE-ID:  CVE-2008-1007
Available for:  Mac OS X v10.4.11, Mac OS X v10.5.2,
Windows XP or Vista
Impact:  Visiting a maliciously crafted website may result in cross-
site scripting using Java
Description:  The frame navigation policy is not enforced for Java
applets. By enticing a user to open a maliciously crafted web page,
an attacker may obtain elevated privileges through a cross-site
scripting attack using Java. This update addresses the issue by
enforcing the frame navigation policy for Java applets. Credit to
Adam Barth and Collin Jackson of Stanford University for reporting
this issue.

WebCore
CVE-ID:  CVE-2008-1008
Available for:  Mac OS X v10.4.11, Mac OS X v10.5.2,
Windows XP or Vista
Impact:  Visiting a maliciously crafted website may result in cross-
site scripting
Description:  A cross-site scripting issue exists in Safari's
handling of the document.domain property. Enticing a user to visit a
maliciously crafted web page may lead to the disclosure of sensitive
information. This update addresses the issue through additional
validation of the document.domain property.

WebCore
CVE-ID:  CVE-2008-1009
Available for:  Mac OS X v10.4.11, Mac OS X v10.5.2,
Windows XP or Vista
Impact:  Visiting a maliciously crafted website may result in cross-
site scripting
Description:  A JavaScript injection issue exists in the handling of
the history object. This may allow frames to set history object
properties in all other frames loaded from the same web page. An
attacker may leverage this issue to inject JavaScript that will run
in the context of other frames, resulting in cross-site scripting.
This update addresses the issue by no longer allowing webpages to
alter the history object.

WebKit
CVE-ID:  CVE-2008-1010
Available for:  Mac OS X v10.4.11, Mac OS X v10.5.2,
Windows XP or Vista
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow issue exists in WebKit's handling of
JavaScript regular expressions. Enticing a user to visit a
maliciously crafted webpage may lead to an unexpected application
termination or arbitrary code execution. This update addresses the
issue through improved bounds checking. Credit to Eric Seidel of the
WebKit Open Source Project, and Tavis Ormandy and Will Drewry of
Google Security Team for reporting this issue.

WebKit
CVE-ID:  CVE-2008-1011
Available for:  Mac OS X v10.4.11, Mac OS X v10.5.2,
Windows XP or Vista
Impact:  Visiting a maliciously crafted website may result in cross-
site scripting
Description:  A cross-site scripting issue in WebKit allows method
instances from one frame to be called in the context of another
frame. Enticing a user to visit a maliciously crafted web page may
lead to the disclosure of sensitive information. This update
addresses the issue through improved handling of cross-domain method
calls. Credit to David Bloom for reporting this issue.

Safari 3.1 is available via the Apple Software Update application,
or Apple's Safari download site at:
http://www.apple.com/safari/download/

Safari for Mac OS X v10.5.2
The download file is named:  "Safari31UpdLeo.dmg"
Its SHA-1 digest is:  db76743014600581d59c1be3b60f2d8edd3defcd

Safari for Mac OS X v10.4.11
The download file is named:  "Safari31UpdTiger.dmg"
Its SHA-1 digest is:  567ef2be9bdba51c2cf86613958599123e5f45f1

Safari for Windows XP or Vista
The download file is named:  "SafariSetup.exe"
Its SHA-1 digest is:  48f9bfd5145be9f8a9307ab3e83674df4799c763

Safari+QuickTime for Windows XP or Vista
The file is named:  "SafariQuickTimeSetup.exe"
Its SHA-1 digest is:  2c35c091ba306ee59a3101f86899a310f55c385f

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Security-announce mailing list      (Security-announce@lists.apple.com)
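
The CVE-2008-1003 entry in the message above says pages with the same document.domain could reach each other across HTTP and HTTPS, and that the fix improved same-origin checks. The following is an added example, not WebKit's code: `weak_same_origin` is a constructed stand-in for the flaw as the advisory describes it, `same_origin_domain` follows the HTML Standard's "same origin-domain" rule, and the example.com hosts are constructed.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: int
    domain: Optional[str] = None  # value the page assigned to document.domain, if any

def origin_of(url, domain=None):
    """Build the origin tuple for a URL; `domain` models a document.domain assignment."""
    u = urlsplit(url)
    return Origin(u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme], domain)

def weak_same_origin(a, b):
    """Flawed model: a matching document.domain alone grants access, scheme ignored."""
    if a.domain is not None and a.domain == b.domain:
        return True
    return (a.scheme, a.host, a.port) == (b.scheme, b.host, b.port)

def same_origin_domain(a, b):
    """HTML Standard rule: schemes must match, and both pages opt in or neither does."""
    if a.domain is not None or b.domain is not None:
        # Once either side has set document.domain, both must have set the same
        # value over the same scheme; the port is no longer compared.
        return a.scheme == b.scheme and a.domain == b.domain
    return (a.scheme, a.host, a.port) == (b.scheme, b.host, b.port)

# Constructed pages: both set document.domain = "example.com", one over plain HTTP.
HTTP_PAGE = origin_of("http://www.example.com/", "example.com")
HTTPS_PAGE = origin_of("https://secure.example.com/", "example.com")

def compare(a, b):
    """Return (weak result, standard result) for one pair of pages."""
    return weak_same_origin(a, b), same_origin_domain(a, b)
```

For the constructed pair, `compare(HTTP_PAGE, HTTPS_PAGE)` shows the weak check granting access while the standard rule refuses it, because content delivered over plain HTTP can be altered by a network attacker and must not be able to script the HTTPS page.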
 
 


Copyright 2014, SecurityGlobal.net LLC