SecurityTracker.com
Category:   Application (Web Browser)  >   Apple Safari
Vendors:   Apple Computer
Apple Safari Bug in PubSub May Let Remote Feeds Bypass the Cookie Blocking Mechanism
SecurityTracker Alert ID:  1023707
SecurityTracker URL:  http://securitytracker.com/id/1023707
CVE Reference:   CVE-2010-0044
Updated:  Mar 12 2010
Original Entry Date:  Mar 12 2010
Impact:   Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 4.0.5
Description:   A vulnerability was reported in Apple Safari. A remote user can bypass the cookie blocking mechanism.

A remote user can create a specially crafted RSS or Atom feed that, when loaded by the target user, will cause a cookie to be set even if the browser is configured to block cookies via the "Accept Cookies" preference.

Impact:   A remote user can create a specially crafted RSS or Atom feed that, when loaded by the target user, will bypass the cookie blocking mechanism and cause a cookie to be set.
Solution:   The vendor has issued a fix (4.0.5), available via the Apple Software Update application, or Apple's Safari download site at:

http://www.apple.com/safari/download/

Safari for Mac OS X v10.6.1 to v10.6.3
The download file is named: Safari4.0.5SnowLeopard.dmg
Its SHA-1 digest is: b1b0c3510acf7144a6358b6e5667fb43aaa8a6b9

Safari for Mac OS X v10.5.7
The download file is named: Safari4.0.5Leopard.dmg
Its SHA-1 digest is: 1eccb97a78bac15277702642ed1330ad359205f7

Safari for Mac OS X v10.4.11
The download file is named: Safari4.0.5Tiger.dmg
Its SHA-1 digest is: 9f042b71a08d9c4be7f2dffa3de46622722893e4

Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: 8715db0cee7db82a91bb408e500d255c5d0cfe7c

Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: a25377f0febdb702dff1aac5475b113670fd0444

Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 0109adc77d5814f39bb47348df1d3280f30fd397

The vendor's advisory will be available at:

http://support.apple.com/kb/HT4070
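Checking a downloaded installer against the digests listed above before running it, as an added example that is not part of the SecurityTracker alert or of Apple's advisory: the filenames and SHA-1 values are copied from the list above; the helper names (sha1_of, expected_digest, verify_sha1, verify_download) are this example's own, and it assumes one of sha1sum, shasum or openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the SecurityTracker alert or Apple's advisory.
# Verifies a downloaded Safari 4.0.5 installer against the SHA-1 digest the
# alert lists for that filename. Filenames and digests are copied from the
# alert; the helper names below are this example's own.

# Expected digests, one "filename digest" pair per line, as listed in the alert.
EXPECTED_DIGESTS='
Safari4.0.5SnowLeopard.dmg b1b0c3510acf7144a6358b6e5667fb43aaa8a6b9
Safari4.0.5Leopard.dmg 1eccb97a78bac15277702642ed1330ad359205f7
Safari4.0.5Tiger.dmg 9f042b71a08d9c4be7f2dffa3de46622722893e4
SafariSetup.exe 8715db0cee7db82a91bb408e500d255c5d0cfe7c
Safari_Setup.exe a25377f0febdb702dff1aac5475b113670fd0444
SafariQuickTimeSetup.exe 0109adc77d5814f39bb47348df1d3280f30fd397
'

# sha1_of FILE: print the hex SHA-1 of FILE using whichever tool is present
# (sha1sum on Linux, shasum on macOS, openssl as a fallback). Assumes at
# least one of them is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        # openssl prints "SHA1(FILE)= <hex>"; the digest is the last field.
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    fi
}

# expected_digest NAME: print the digest the alert lists for installer NAME.
# Returns 1 (and prints nothing) when NAME is not in the list.
expected_digest() {
    digest=$(printf '%s\n' "$EXPECTED_DIGESTS" | awk -v name="$1" '$1 == name {print $2}')
    [ -n "$digest" ] || return 1
    printf '%s\n' "$digest"
}

# verify_sha1 FILE DIGEST: succeed only if FILE's SHA-1 equals DIGEST.
# Both sides are lowercased so a hand-typed uppercase digest still matches.
verify_sha1() {
    actual=$(sha1_of "$1" | tr '[:upper:]' '[:lower:]')
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$actual" = "$expected" ]
}

# verify_download FILE [NAME]: look up the listed digest for NAME (default:
# FILE's basename) and compare. Exit status: 0 match, 1 mismatch,
# 2 no digest listed for NAME.
verify_download() {
    file=$1
    name=${2:-$(basename "$file")}
    want=$(expected_digest "$name") || { echo "no listed digest for $name" >&2; return 2; }
    if verify_sha1 "$file" "$want"; then
        echo "OK: $file matches listed SHA-1 $want"
    else
        echo "MISMATCH: $file does not match listed SHA-1 $want; do not install" >&2
        return 1
    fi
}

# Usage: verify_download ~/Downloads/Safari4.0.5SnowLeopard.dmg
```

A non-zero exit means the file is not the one the advisory describes and should not be installed. The check is only as good as the source of the digest: SHA-1 is a checksum, not a signature, so it catches a corrupted or substituted download when the digest was taken from the advisory itself, and proves nothing when a page supplies its own digest next to its own installer.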

Vendor URL:  support.apple.com/kb/HT4070
Cause:   Access control error
Underlying OS:   UNIX (OS X), Windows (7), Windows (Vista), Windows (XP)

Message History:   None.


 Source Message Contents

Date:  Fri, 12 Mar 2010 02:38:48 +0000
Subject:  Apple Safari


PubSub
CVE-ID:  CVE-2010-0044
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later,
Windows 7, Vista, XP
Impact:  Visiting or updating a feed may result in a cookie being
set, even if Safari is configured to block cookies
Description:  An implementation issue exists in the handling of
cookies set by RSS and Atom feeds. Visiting or updating a feed may
result in a cookie being set, even if Safari is configured to block
cookies via the "Accept Cookies" preference. This update addresses
the issue by respecting the preference while updating or viewing
feeds.


 
 



Copyright 2014, SecurityGlobal.net LLC