SecurityTracker.com
Category:  Application (Web Browser) > Apple Safari
Vendors:  Apple Computer
Apple Safari Buffer Overflows Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1022717
SecurityTracker URL:  http://securitytracker.com/id/1022717
CVE Reference:  CVE-2009-2195, CVE-2009-2468
Date:  Aug 11 2009
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s):  prior to 4.0.3
Description:   Two vulnerabilities were reported in Apple Safari. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target user.

On Windows-based systems, specially crafted long text strings can trigger a heap overflow in CoreGraphics [CVE-2009-2468]. Will Drewry of Google Inc reported this vulnerability.

Specially crafted floating point numbers can trigger a buffer overflow in WebKit [CVE-2009-2195]. The vendor discovered this vulnerability.

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   The vendor has issued a fix (4.0.3), available via the Apple Software Update application, or Apple's Safari download site at:

http://www.apple.com/safari/download/

Safari for Mac OS X v10.5.7 and Mac OS X v10.5.8
The download file is named: Safari4.0.3Leo.dmg
Its SHA-1 digest is: 9b04a33efe6b44083b064dda990b0174402ce107

Safari for Mac OS X v10.4.11
The download file is named: Safari4.0.3Ti.dmg
Its SHA-1 digest is: 9a5532516d3a74a2bd65cc007db683b85e3475d7

Safari for Windows XP or Vista
The download file is named: SafariSetup.exe
Its SHA-1 digest is: 24486c2a3089cf0b61b50e4a75ec5f53d9c08f4f

Safari+QuickTime for Windows XP or Vista
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 61c0e163fef26c8580297d30e6c04af7a2548038

The vendor's advisory will be available at:

http://support.apple.com/kb/HT1222
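
One way to check a downloaded installer against the SHA-1 digests listed above, as an added example that is not part of the advisory or of Apple's tooling; the function names are hypothetical. A matching digest only shows that the file is the one the advisory describes, so the digest list itself should be taken from the PGP-signed vendor message.

```python
import hashlib
import hmac
import os
import tempfile

# File names and SHA-1 digests exactly as published in this advisory.
PUBLISHED_SHA1 = {
    "Safari4.0.3Leo.dmg": "9b04a33efe6b44083b064dda990b0174402ce107",
    "Safari4.0.3Ti.dmg": "9a5532516d3a74a2bd65cc007db683b85e3475d7",
    "SafariSetup.exe": "24486c2a3089cf0b61b50e4a75ec5f53d9c08f4f",
    "SafariQuickTimeSetup.exe": "61c0e163fef26c8580297d30e6c04af7a2548038",
}

def sha1_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer is never held in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def check_download(path):
    """Return 'ok', 'mismatch' or 'unknown-file' for a downloaded installer."""
    expected = PUBLISHED_SHA1.get(os.path.basename(path))
    if expected is None:
        # The name is not in the advisory, so there is nothing to compare against.
        return "unknown-file"
    actual = sha1_of_file(path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

if __name__ == "__main__":
    # Constructed stand-in: a file carrying an advisory name but different content.
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "SafariSetup.exe")
        with open(fake, "wb") as f:
            f.write(b"not the real installer")
        print(check_download(fake))  # mismatch
```
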

Vendor URL:  support.apple.com/kb/HT1222
Cause:  Boundary error
Underlying OS:  UNIX (OS X), Windows (Vista), Windows (XP)

Message History:   None.


 Source Message Contents

Date:  Tue, 11 Aug 2009 13:33:50 -0700
Subject:  APPLE-SA-2009-08-11-1 Safari 4.0.3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2009-08-11-1 Safari 4.0.3

Safari 4.0.3 is now available and addresses the following:

CoreGraphics
CVE-ID:  CVE-2009-2468
Available for:  Windows XP and Vista
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow exists in the drawing of long
text strings. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue through improved bounds checking. Credit
to Will Drewry of Google Inc for reporting this issue.

ImageIO
CVE-ID:  CVE-2009-2188
Available for:  Windows XP and Vista
Impact:  Viewing a maliciously crafted image may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow exists in the handling of EXIF
metadata. Viewing a maliciously crafted image may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue through improved bounds checking.

Safari
CVE-ID:  CVE-2009-2196
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8,
Mac OS X Server v10.5.8, Windows XP and Vista
Impact:  A maliciously crafted website may be promoted into Safari's
Top Sites view
Description:  Safari 4 introduced the Top Sites feature to provide an
at-a-glance view of a user's favorite websites. It is possible for a
malicious website to promote arbitrary sites into the Top Sites view
through automated actions. This could be used to facilitate a
phishing attack.
This issue is addressed by preventing automated website visits
from affecting the Top Sites list. Only websites that the
user visits manually can be included in the Top Sites list. As a
note, Safari enables fraudulent site detection by default. Since the
introduction of the Top Sites feature, fraudulent sites are not
displayed in the Top Sites view. Credit to Inferno of
SecureThoughts.com for reporting this issue.

WebKit
CVE-ID:  CVE-2009-2195
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8,
Mac OS X Server v10.5.8, Windows XP and Vista
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow exists in WebKit's parsing of
floating point numbers. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking. Credit: Apple.

WebKit
CVE-ID:  CVE-2009-2200
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8,
Mac OS X Server v10.5.8, Windows XP and Vista
Impact:  Visiting a maliciously crafted website and clicking "Go"
when viewing a malicious plug-in dialog may lead to the disclosure of
sensitive information
Description:  WebKit allows the pluginspage attribute of the 'embed'
element to reference file URLs. Clicking "Go" in the dialog that
appears when an unknown plug-in type is referenced will redirect to
the URL listed in the pluginspage attribute. This may allow a remote
attacker to launch file URLs in Safari, and lead to the disclosure of
sensitive information. This update addresses the issue by restricting
the pluginspage URL scheme to http or https. Credit to Alexios Fakos
of n.runs AG for reporting this issue.

WebKit
CVE-ID:  CVE-2009-2199
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8,
Mac OS X Server v10.5.8, Windows XP and Vista
Impact:  Look-alike characters in a URL could be used to masquerade a
website
Description:  The International Domain Name (IDN) support and Unicode
fonts embedded in Safari could be used to create a URL which contains
look-alike characters. These could be used in a malicious website to
direct the user to a spoofed site that visually appears to be a
legitimate domain. This update addresses the issue by supplementing
WebKit's list of known look-alike characters. Look-alike characters
are rendered in Punycode in the address bar. Credit to Chris Weber of
Casaba Security, LLC for reporting this issue.


Safari 4.0.3 is available via the Apple Software Update application,
or Apple's Safari download site at:
http://www.apple.com/safari/download/

Safari for Mac OS X v10.5.7 and Mac OS X v10.5.8
The download file is named: Safari4.0.3Leo.dmg
Its SHA-1 digest is: 9b04a33efe6b44083b064dda990b0174402ce107

Safari for Mac OS X v10.4.11
The download file is named: Safari4.0.3Ti.dmg
Its SHA-1 digest is: 9a5532516d3a74a2bd65cc007db683b85e3475d7

Safari for Windows XP or Vista
The download file is named: SafariSetup.exe
Its SHA-1 digest is: 24486c2a3089cf0b61b50e4a75ec5f53d9c08f4f

Safari+QuickTime for Windows XP or Vista
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 61c0e163fef26c8580297d30e6c04af7a2548038

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)

-----END PGP SIGNATURE-----
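
The Punycode fallback that the message above describes for CVE-2009-2199, sketched as an added example that is not Apple's or WebKit's code. The `LOOKALIKES` set is a small constructed sample, not WebKit's actual list, and the function names are hypothetical.

```python
# Constructed sample of look-alike characters (NOT WebKit's actual list):
# Cyrillic a, e, o, r, s, dze, i and Greek omicron, which resemble Latin letters.
LOOKALIKES = frozenset("\u0430\u0435\u043e\u0440\u0441\u0455\u0456\u03bf")

def _to_unicode(label):
    """Decode an xn-- label to Unicode; leave other or invalid labels untouched."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label

def _to_punycode(label):
    """Encode one Unicode label to its ASCII (xn--) form."""
    return label.encode("idna").decode("ascii")

def address_bar_label(label):
    """Choose the form of a single host label to show to the user."""
    text = _to_unicode(label)
    if text.isascii():
        return text.lower()
    if any(ch in LOOKALIKES for ch in text):
        # A known look-alike is present: show the unambiguous ASCII form.
        return _to_punycode(text)
    return text

def address_bar_host(host):
    """Apply the per-label decision to a whole host name."""
    return ".".join(address_bar_label(part) for part in host.split("."))

if __name__ == "__main__":
    # Constructed inputs: Cyrillic 'a' in an otherwise Latin label, and a
    # label whose only non-ASCII letter is not in the look-alike sample.
    print(address_bar_host("\u0430pple.com"))         # xn--pple-43d.com
    print(address_bar_host("xn--mnchen-3ya.de"))      # münchen.de
```
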
Copyright 2014, SecurityGlobal.net LLC