SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Apple Safari Vendors:   Apple
Apple Safari Bugs Let Remote Users Spoof Content and Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1041661
SecurityTracker URL:  http://securitytracker.com/id/1041661
CVE Reference:   CVE-2018-4195, CVE-2018-4307, CVE-2018-4329   (Links to External Site)
Date:  Sep 17 2018
Impact:   Disclosure of system information, Disclosure of user information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 12.0
Description:   Several vulnerabilities were reported in Apple Safari. A remote user can obtain potentially sensitive information on the target system. A remote user can spoof content.

A remote user can create specially crafted web content that, when loaded by the target user, will access potentially sensitive auto-filled information from the target user's system [CVE-2018-4307]

A user may be unable to delete certain browser redirect chains from browser history [CVE-2018-4329].

A remote user can create a specially crafted link that, when loaded by the target user, will spoof user interface content [CVE-2018-4195].

xisigr of Tencent's Xuanwu Lab (www.tencent.com), Rafay Baloch of Pakistan Telecommunications Authority, and Hugo S. Diaz (coldpointblue) reported these vulnerabilities.

Impact:   A remote user can obtain potentially sensitive information on the target system.

A remote user can spoof content.

Solution:   The vendor has issued a fix (12.0).

The vendor advisory is available at:

https://support.apple.com/en-us/HT209109

Vendor URL:  support.apple.com/en-us/HT209109 (Links to External Site)
Cause:   Access control error
Underlying OS:  UNIX (macOS/OS X)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 17 2018 (Apple Issues Fix for Apple iOS) Apple Safari Bugs Let Remote Users Spoof Content and Obtain Potentially Sensitive Information
Apple has issued a fix for Apple iOS.



 Source Message Contents

Subject:  [FD] APPLE-SA-2018-9-17-4 Safari 12

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2018-9-17-4 Safari 12

Safari 12 is now available and addresses the following:

Safari
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14
Impact: A malicious website may be able to exfiltrate autofilled data
in Safari
Description: A logic issue was addressed with improved state
management.
CVE-2018-4307: Rafay Baloch of Pakistan Telecommunications Authority

Safari
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14
Impact: A user may be unable to delete browsing history items
Description: Clearing a history item may not clear visits with
redirect chains. The issue was addressed with improved data deletion.
CVE-2018-4329: Hugo S. Diaz (coldpointblue)

Safari
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14
Impact: Visiting a malicious website by clicking a link may lead to
user interface spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2018-4195: xisigr of Tencent's Xuanwu Lab (www.tencent.com)

Installation note:

Safari 12 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlud5zQACgkQeC9tht7T
K3Hd8A//dQTRkRdIEf2iYyfO6Sid5H1WSndQE5NmI9PlnBz/asdyJtHL+XDGeCE9
1qjl/lzub/QRIne0oxxz3b1k8yFWhTz8NgiyGMdL/FLKqyGkO4oxLYCN0k1la9RE
1tTfV48Pj7naVJePC6latzc3Ll/9oBqmkHDqckpEJcBDI0ziLk20mY9MK9/aQkhc
eFdHtbODaIKq1CKCCkoZL/ZiL3sKmxdSXoO658+eBt0Wj1KmNe1mcWZ5IpYpxXFU
bzC1QDWYV8b3763z/chb6YUljZzZ2w0IZvZr+GPRrC6nR0ozGlGzZsjvQZIXUcOb
tqrGkz34NLHi/M0ygvQ4ztKmycieQb6UqdhsrJtd5OKZlYqQc9aMq250Ft/Lkl+7
+u5nJfsAv8YWG8SJxcKmc8Kx1AgvRmkvgLmiMIh8pKox5NdzkuIYM7Lst3Eg9s5b
NG++c7VT7SKnFiYj524PuwJw1W2n6CknZgBqq2XylrUo8ceeC3oV8T4ltCXK2thS
eeV74ltadfPLnPfemxy5az4BC2hSqkpp7QhNOKik25O0fzd2bgt1Xt2SH8YjcZqv
08Mjtf6WXj6yrLu2Ym0J4DLg2cTKPjsxF6lNIUOrkPNYbclfQDYkSiT4oEnt16+H
J/XEr6lVa4BdvwSxZF76HSgvB6BaZefc31Sz3gdk96TkRfgIkRc=
=0eDn
-----END PGP SIGNATURE-----


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC