Apple Safari Lets Local Users Access Files During Downloading
|
|
SecurityTracker Alert ID: 1022342 |
|
SecurityTracker URL: http://securitytracker.com/id/1022342
|
|
CVE Reference:
CVE-2009-1716
(Links to External Site)
|
Date: Jun 8 2009
|
Impact:
Disclosure of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): prior to 4.0
|
Description:
A vulnerability was reported in Apple Safari. A local user can access files being downloaded by other users.
The CFNetwork component creates insecure temporary files when downloading files. A local user can view files being downloaded by other users on the target system.
Billy Rios and Microsoft Vulnerability Research reported this vulnerability.
[Editor's note: This vulnerability was corrected on Mac OS X in version 10.5.6.]
|
Impact:
A local user can access files being downloaded by other users.
|
Solution:
The vendor has issued a fix (4.0), available via the Apple Software Update application, or Apple's Safari download site at:
http://www.apple.com/safari/download/
Safari for Mac OS X v10.5.7
The download file is named: Safari4.0Leo.dmg
Its SHA-1 digest is: 9b18e8dad3b3acd91b7d4208f295422bf8e735ed
Safari for Mac OS X v10.4.11
The download file is named: Safari4.0Ti.dmg
Its SHA-1 digest is: c5298f24aa9c824a930ba3656487687630d2420a
Safari for Windows XP or Vista
The download file is named: SafariSetup.exe
Its SHA-1 digest is: 46951d6c13bf847a54d033cec2cdf3383e31d1e1
Safari+QuickTime for Windows XP or Vista
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 6c421eb66d521dd03744f76c7e44a40d132379fc
|
Vendor URL: www.apple.com/safari (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
UNIX (OS X), Windows (Vista), Windows (XP)
|
|
Message History:
None.
|
Source Message Contents
|
|
|
[Original Message Not Available for Viewing]
|
|
