SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Apple Safari Vendors:   Apple
Apple Safari Bugs Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1024400
SecurityTracker URL:  http://securitytracker.com/id/1024400
CVE Reference:   CVE-2010-1805, CVE-2010-1806, CVE-2010-1807   (Links to External Site)
Date:  Sep 8 2010
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.x prior to 4.1.2, 5.0 prior to 5.0.2
Description:   Several vulnerabilities were reported in Apple Safari. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted file that, when opened by the target user via Safari in a directory that is writable by other users, may cause files in the directory to be executed by Safari [CVE-2010-1805]. Only Windows-based system are affected.

Simon Raner of ACROS Security reported this vulnerability.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a flaw in the processing of floating point data types and execute arbitrary code on the target system [CVE-2010-1807]. The code will run with the privileges of the target user.

Luke Wagner of Mozilla reported this vulnerability.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a use-after-free in WebKit in the processing of elements with run-in styling and execute arbitrary code on the target system [CVE-2010-1806].

wushi of team509 reported this vulnerability via TippingPoint's Zero Day Initiative reported this vulnerability.

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   The vendor has issued a fix (4.1.2, 5.0.2).

The vendor's advisory is available at:

http://support.apple.com/kb/HT4333

Vendor URL:  support.apple.com/kb/HT4333 (Links to External Site)
Cause:   Boundary error
Underlying OS:  UNIX (macOS/OS X), Windows (7), Windows (Vista), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  APPLE-SA-2010-09-07-1 Safari 5.0.2 and Safari 4.1.2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2010-09-07-1 Safari 5.0.2 and Safari 4.1.2

Safari 5.0.2 and Safari 4.1.2 is now available and addresses the
following:

Safari
CVE-ID:  CVE-2010-1805
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Opening a file in a directory that is writable by other
users may lead to arbitrary code execution
Description:  A search path issue exists in Safari. When displaying
the location of a downloaded file, Safari launches Windows Explorer
without specifying a full path to the executable. Launching Safari by
opening a file in a specific directory will include that directory in
the search path. Attempting to reveal the location of a downloaded
file may execute an application contained in that directory, which
may lead to arbitrary code execution. This issue is addressed by
using an explicit search path when launching Windows Explorer. This
issue does not affect Mac OS X systems. Credit to Simon Raner of
ACROS Security for reporting this issue.

WebKit
CVE-ID:  CVE-2010-1807
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later,
Windows 7, Vista, XP SP2 or later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  An input validation issue exists in WebKit's handling
of floating point data types. Visiting a maliciously crafted website
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved validation of
floating point values. Credit to Luke Wagner of Mozilla for reporting
this issue.

WebKit
CVE-ID:  CVE-2010-1806
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later,
Windows 7, Vista, XP SP2 or later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use after free issue exists in WebKit's handling of
elements with run-in styling. Visiting a maliciously crafted website
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved handling of
object pointers. Credit to wushi of team509, working with
TippingPoint's Zero Day Initiative for reporting this issue.


Safari 5.0.2 and Safari 4.1.2 address the same set of security
issues. Safari 5.0.2 is provided for Mac OS X v10.5, Mac OS X v10.6,
and Windows systems. Safari 4.1.2 is provided for
Mac OS X v10.4 systems.

Safari 5.0.2 is available via the Apple Software Update
application, or Apple's Safari download site at:
http://www.apple.com/safari/download/

Safari 4.1.2 is available via the Apple Software Update
application, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

Safari for Mac OS X v10.6.2 and later
The download file is named: Safari5.0.2SnowLeopard.dmg
Its SHA-1 digest is: 695730a04038240c340571abf62c08f1ad5a8a5c

Safari for Mac OS X v10.5.8
The download file is named: Safari5.0.2Leopard.dmg
Its SHA-1 digest is: 3b71a553b53b8c22e0f4f21842f500ef5d6ed0e7

Safari for Mac OS X v10.4.11
The download file is named: Safari4.1.2Tiger.dmg
Its SHA-1 digest is: 35aafd64b4a74115469bc83dc390857b896197a3

Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: f15e3570e80a50abc0e200895d0b0492abc38386

Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: a3418d1a4199bcc308c059b7c2caf14a20277ebb

Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 15f2482ace01924f89ded25f988458f58b5a4fa3

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)

iQEcBAEBAgAGBQJMhbnXAAoJEGnF2JsdZQeeugUH/ihdAan8r7j3tcrJv2JikiwP
NbrDVC6s4qLOiTYhp/VfTARZFZ45X/CIugZ00ddueEWUSY6GYNAoiNroECulxqww
bmWocP2xXOOqhYAq+DlJYSjrHzJEaoi4PZv5yPNbOVeWEFi07eniFAtH1K5uGSB4
FbWBamlU8RILVpGlktvfzYfx/nr9ztK/2Fe5wHgY9WTVVV3O++c2ov0dZsijlNXa
nu58p+/fS7dTDoFNK2JRNZaqTxnVgzKZ7aVrRCyeNaSFXuyDOj8QwF4shEc8iEiF
VDpwHyNI6o5qoeq98fqdGDv9dBv/+v+8aACWwfs5VUwnGAlA037xyKThByh8l2E=
=lBp9
-----END PGP SIGNATURE-----
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (Security-announce@lists.apple.com)
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC