Category:   Application (Web Browser)  >   Apple Safari
Vendors:   Apple Computer
Apple Safari Bugs Let Remote Users Cause Arbitrary Code to Be Executed
SecurityTracker Alert ID:  1023706
SecurityTracker URL:  http://securitytracker.com/id/1023706
CVE Reference:   CVE-2010-0040, CVE-2010-0041, CVE-2010-0042, CVE-2010-0043, CVE-2010-0045
Updated:  Mar 12 2010
Original Entry Date:  Mar 12 2010
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 4.0.5
Description:   Several vulnerabilities were reported in Apple Safari. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted file or HTML page that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.

A specially crafted image with an embedded color profile can trigger a heap overflow [CVE-2010-0040]. Sebastien Renaud of VUPEN Vulnerability Research Team reported this vulnerability.

A specially crafted BMP image can cause the target user's browser to send portions of memory on the target user's system to the remote site [CVE-2010-0041]. Matthew 'j00ru' Jurczyk of Hispasec reported this vulnerability.

A specially crafted TIFF image file can cause the target user's browser to send portions of memory on the target user's system to the remote site [CVE-2010-0042]. Matthew 'j00ru' Jurczyk of Hispasec reported this vulnerability.

A specially crafted TIFF image file can trigger a memory corruption error and execute arbitrary code [CVE-2010-0043]. Gus Mueller of Flying Meat reported this vulnerability.

A specially crafted external URL can cause a file on the target user's system to be opened [CVE-2010-0045]. Billy Rios and Microsoft Vulnerability Research (MSVR) reported this vulnerability.

Impact:   A remote user can create a file or web page that, when loaded by the target user, will execute arbitrary code on the target user's system or disclose memory contents.
Solution:   The vendor has issued a fix (4.0.5), available at:

http://www.apple.com/safari/download/

Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: 8715db0cee7db82a91bb408e500d255c5d0cfe7c

Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: a25377f0febdb702dff1aac5475b113670fd0444

Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 0109adc77d5814f39bb47348df1d3280f30fd397
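
The following Python script is an added example, not part of the original advisory or vendor tooling: it parses the file name / SHA-1 pairs in the format listed above and checks downloaded installers against them. The function names and the command-line usage are assumptions of this example; the file names and digests are the ones published above.

```python
import hashlib
import hmac
import re
import sys
from pathlib import Path

# File names and SHA-1 digests as published in the advisory text above.
ADVISORY_TEXT = """\
Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: 8715db0cee7db82a91bb408e500d255c5d0cfe7c
Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: a25377f0febdb702dff1aac5475b113670fd0444
Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 0109adc77d5814f39bb47348df1d3280f30fd397
"""

# The advisory uses both "The download file is named:" and "The file is named:".
ENTRY_RE = re.compile(
    r"^The (?:download )?file is named: (?P<name>\S+)[ \t]*\n"
    r"Its SHA-1 digest is: (?P<sha1>[0-9a-fA-F]{40})[ \t]*$",
    re.MULTILINE,
)

def parse_manifest(text):
    """Map each published file name to its lowercase SHA-1 digest."""
    return {m["name"]: m["sha1"].lower() for m in ENTRY_RE.finditer(text)}

def sha1_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so large installers are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, manifest):
    """Return 'ok', 'mismatch', or 'unlisted' for one downloaded file."""
    expected = manifest.get(Path(path).name)
    if expected is None:
        return "unlisted"  # name is not in the advisory, so nothing vouches for it
    return "ok" if hmac.compare_digest(sha1_of(path), expected) else "mismatch"

if __name__ == "__main__":
    manifest = parse_manifest(ADVISORY_TEXT)
    for p in sys.argv[1:]:
        print(f"{verify_download(p, manifest):9} {p}")
```

A matching digest only shows that the file is the one the advisory text describes, so the digests are only as trustworthy as the copy of the advisory they were read from. The source message below states that it is signed with Apple's Product Security PGP key.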

The vendor's advisory will be available at:

http://support.apple.com/kb/HT4070

Vendor URL:  support.apple.com/kb/HT4070
Cause:   Access control error, Boundary error
Underlying OS:   Windows (7), Windows (Vista), Windows (XP)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 31 2010 (Apple Issues Fix for iTunes) Apple Safari Bugs Let Remote Users Cause Arbitrary Code to Be Executed
Apple has issued a fix for iTunes for Windows.



 Source Message Contents

Date:  Thu, 11 Mar 2010 13:53:30 -0800
Subject:  APPLE-SA-2010-03-11-1 Safari 4.0.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2010-03-11-1 Safari 4.0.5

Safari 4.0.5 is now available and addresses the following:

ColorSync
CVE-ID:  CVE-2010-0040
Available for:  Windows 7, Vista, XP
Impact:  Viewing a maliciously crafted image with an embedded color
profile may lead to an unexpected application termination or
arbitrary code execution
Description:  An integer overflow, that could result in a heap buffer
overflow, exists in the handling of images with an embedded color
profile. Opening a maliciously crafted image with an embedded color
profile may lead to an unexpected application termination or
arbitrary code execution. The issue is addressed by performing
additional validation of color profiles. This issue does not affect
Mac OS X systems. Credit to Sebastien Renaud of VUPEN Vulnerability
Research Team for reporting this issue.

ImageIO
CVE-ID:  CVE-2009-2285
Available for:  Windows 7, Vista, XP
Impact:  Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer underflow exists in ImageIO's handling of TIFF
images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved bounds checking. For Mac OS X
v10.6 systems, this issue is addressed in Mac OS X v10.6.2. For Mac
OS X v10.5 systems, this issue is addressed in Security Update
2010-001.

ImageIO
CVE-ID:  CVE-2010-0041
Available for:  Windows 7, Vista, XP
Impact:  Visiting a maliciously crafted website may result in sending
data from Safari's memory to the website
Description:  An uninitialized memory access issue exists in
ImageIO's handling of BMP images. Visiting a maliciously crafted
website may result in sending data from Safari's memory to the
website. This issue is addressed through improved memory handling and
additional validation of BMP images. Credit to Matthew 'j00ru'
Jurczyk of Hispasec for reporting this issue.

ImageIO
CVE-ID:  CVE-2010-0042
Available for:  Windows 7, Vista, XP
Impact:  Visiting a maliciously crafted website may result in sending
data from Safari's memory to the website
Description:  An uninitialized memory access issue exists in
ImageIO's handling of TIFF images. Visiting a maliciously crafted
website may result in sending data from Safari's memory to the
website. This issue is addressed through improved memory handling and
additional validation of TIFF images. Credit to Matthew 'j00ru'
Jurczyk of Hispasec for reporting this issue.

ImageIO
CVE-ID:  CVE-2010-0043
Available for:  Windows 7, Vista, XP
Impact:  Processing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in the handling of
TIFF images. Processing a maliciously crafted TIFF image may lead to
an unexpected application termination or arbitrary code execution.
This issue is addressed through improved memory handling. Credit to
Gus Mueller of Flying Meat for reporting this issue.

PubSub
CVE-ID:  CVE-2010-0044
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later,
Windows 7, Vista, XP
Impact:  Visiting or updating a feed may result in a cookie being
set, even if Safari is configured to block cookies
Description:  An implementation issue exists in the handling of
cookies set by RSS and Atom feeds. Visiting or updating a feed may
result in a cookie being set, even if Safari is configured to block
cookies via the "Accept Cookies" preference. This update addresses
the issue by respecting the preference while updating or viewing
feeds.

Safari
CVE-ID:  CVE-2010-0045
Available for:  Windows 7, Vista, XP
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  An issue in Safari's handling of external URL schemes
may cause a local file to be opened in response to a URL encountered
on a web page. Visiting a maliciously crafted website may lead to
arbitrary code execution. This update addresses the issue through
improved validation of external URLs. This issue does not affect Mac
OS X systems. Credit to Billy Rios and Microsoft Vulnerability
Research (MSVR) for reporting this issue.

WebKit
CVE-ID:  CVE-2010-0046
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later,
Windows 7, Vista, XP
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue exists in WebKit's handling
of CSS format() arguments. Visiting a maliciously crafted website may
lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved handling of CSS
format() arguments. Credit to Robert Swiecki of Google Inc. for
reporting this issue.

WebKit
CVE-ID:  CVE-2010-0047
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later,
Windows 7, Vista, XP
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use-after-free issue exists in the handling of HTML
object element fallback content. Visiting a maliciously crafted
website may lead to an unexpected application termination or
arbitrary code execution. This issue is addressed through improved
memory reference tracking. Credit to wushi of team509, working with
TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID:  CVE-2010-0048
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later,
Windows 7, Vista, XP
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use-after-free issue exists in WebKit's parsing of
XML documents. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution. This
issue is addressed through improved memory reference tracking.

WebKit
CVE-ID:  CVE-2010-0049
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later,
Windows 7, Vista, XP
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use-after-free issue exists in the handling of HTML
elements containing right-to-left displayed text. Visiting a
maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed
through improved memory reference tracking. Credit to wushi&Z of
team509 for reporting this issue.

WebKit
CVE-ID:  CVE-2010-0050
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later,
Windows 7, Vista, XP
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use-after-free issue exists in WebKit's handling of
incorrectly nested HTML tags. Visiting a maliciously crafted website
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved memory reference
tracking. Credit to wushi&Z of team509 working with TippingPoint's
Zero Day Initiative for reporting this issue.

WebKit
CVE-ID:  CVE-2010-0051
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later,
Windows 7, Vista, XP
Impact:  Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description:  An implementation issue exists in WebKit's handling of
cross-origin stylesheet requests. Visiting a maliciously crafted
website may disclose the content of protected resources on another
website. This update addresses the issue by performing additional
validation on stylesheets that are loaded during a cross-origin
request.

WebKit
CVE-ID:  CVE-2010-0052
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later,
Windows 7, Vista, XP
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use-after-free issue exists in WebKit's handling of
callbacks for HTML elements. Visiting a maliciously crafted website
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved memory reference
tracking. Credit: Apple.

WebKit
CVE-ID:  CVE-2010-0053
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later,
Windows 7, Vista, XP
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use-after-free issue exists in the rendering of
content with a CSS display property set to 'run-in'. Visiting a
maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed
through improved memory reference tracking. Credit to wushi of
team509, working with TippingPoint's Zero Day Initiative for
reporting this issue.

WebKit
CVE-ID:  CVE-2010-0054
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later,
Windows 7, Vista, XP
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use-after-free issue exists in WebKit's handling of
HTML image elements. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution.
This issue is addressed through improved memory reference tracking.
Credit: Apple.


Safari 4.0.5 is available via the Apple Software Update application,
or Apple's Safari download site at:
http://www.apple.com/safari/download/

Safari for Mac OS X v10.6.1 to v10.6.3
The download file is named: Safari4.0.5SnowLeopard.dmg
Its SHA-1 digest is: b1b0c3510acf7144a6358b6e5667fb43aaa8a6b9

Safari for Mac OS X v10.5.7
The download file is named: Safari4.0.5Leopard.dmg
Its SHA-1 digest is: 1eccb97a78bac15277702642ed1330ad359205f7

Safari for Mac OS X v10.4.11
The download file is named: Safari4.0.5Tiger.dmg
Its SHA-1 digest is: 9f042b71a08d9c4be7f2dffa3de46622722893e4

Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: 8715db0cee7db82a91bb408e500d255c5d0cfe7c

Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: a25377f0febdb702dff1aac5475b113670fd0444

Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 0109adc77d5814f39bb47348df1d3280f30fd397

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (Security-announce@lists.apple.com)
 
 



Copyright 2014, SecurityGlobal.net LLC