Date: 21 July 2011
References: ESB-2011.0799 ESB-2011.1026 ESB-2011.1033 ESB-2011.1032 ESB-2012.0053 ESB-2012.0114 ESB-2012.0415.4 ESB-2012.0677.3
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.0749
Safari 5.1 and Safari 5.0.6
21 July 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Safari
Publisher: Apple
Operating System: Mac OS X
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2011-1797 CVE-2011-1774 CVE-2011-1462
CVE-2011-1457 CVE-2011-1453 CVE-2011-1451
CVE-2011-1449 CVE-2011-1296 CVE-2011-1295
CVE-2011-1293 CVE-2011-1288 CVE-2011-1204
CVE-2011-1203 CVE-2011-1190 CVE-2011-1188
CVE-2011-1121 CVE-2011-1117 CVE-2011-1115
CVE-2011-1114 CVE-2011-1109 CVE-2011-1107
CVE-2011-0983 CVE-2011-0981 CVE-2011-0255
CVE-2011-0254 CVE-2011-0253 CVE-2011-0244
CVE-2011-0242 CVE-2011-0241 CVE-2011-0240
CVE-2011-0238 CVE-2011-0237 CVE-2011-0235
CVE-2011-0234 CVE-2011-0233 CVE-2011-0232
CVE-2011-0225 CVE-2011-0223 CVE-2011-0222
CVE-2011-0221 CVE-2011-0219 CVE-2011-0218
CVE-2011-0217 CVE-2011-0216 CVE-2011-0215
CVE-2011-0214 CVE-2011-0206 CVE-2011-0204
CVE-2011-0202 CVE-2011-0201 CVE-2011-0200
CVE-2011-0195 CVE-2011-0164 CVE-2010-3829
CVE-2010-1823 CVE-2010-1420 CVE-2010-1383
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-07-20-1 Safari 5.1 and Safari 5.0.6
Safari 5.1 and Safari 5.0.6 are now available and address the
following:
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: In certain situations, Safari may treat a file as HTML,
even if it is served with the 'text/plain' content type. This may
lead to a cross-site scripting attack on sites that allow untrusted
users to post text files. This issue is addressed through improved
handling of 'text/plain' content.
CVE-ID
CVE-2010-1420 : Hidetake Jo working with Microsoft Vulnerability
Research (MSVR), Neal Poole of Matasano Security
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: Authenticating to a maliciously crafted website may lead to
arbitrary code execution
Description: The NTLM authentication protocol is susceptible to a
replay attack referred to as credential reflection. Authenticating to
a maliciously crafted website may lead to arbitrary code execution.
To mitigate this issue, Safari has been updated to utilize protection
mechanisms recently added to Windows. This issue does not affect Mac
OS X systems.
CVE-ID
CVE-2010-1383 : Takehiro Takahashi of IBM X-Force Research
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: A root certificate that is disabled may still be trusted
Description: CFNetwork did not properly validate that a certificate
was trusted for use by a SSL server. As a result, if the user had
marked a system root certificate as not trusted, Safari would still
accept certificates signed by that root. This issue is addressed
through improved certificate validation. This issue does not affect
Mac OS X systems.
CVE-ID
CVE-2011-0214 : An anonymous reporter
ColorSync
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution
Description: An integer overflow existed in the handling of images
with an embedded ColorSync profile, which may lead to a heap buffer
overflow. Opening a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution. For Mac OS X v10.5 systems, this issue
is addressed in Security Update 2011-004.
CVE-ID
CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day
Initiative
CoreFoundation
Available for: Windows 7, Vista, XP SP2 or later
Impact: Applications that use the CoreFoundation framework may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: An off-by-one buffer overflow issue existed in the
handling of CFStrings. Applications that use the CoreFoundation
framework may be vulnerable to an unexpected application termination
or arbitrary code execution. For Mac OS X v10.6 systems, this issue
is addressed in Mac OS X v10.6.8.
CVE-ID
CVE-2011-0201 : Harry Sintonen
CoreGraphics
Available for: Windows 7, Vista, XP SP2 or later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in the handling of
Type 1 fonts. Viewing or downloading a document containing a
maliciously crafted embedded font may lead to arbitrary code
execution. For Mac OS X v10.6 systems, this issue is addressed in Mac
OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in
Security Update 2011-004.
CVE-ID
CVE-2011-0202 : Cristian Draghici of Modulo Consulting, Felix Grobert
of the Google Security Team
International Components for Unicode
Available for: Windows 7, Vista, XP SP2 or later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A buffer overflow issue existed in ICU's handling of
uppercase strings. Applications that use ICU may be vulnerable to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
CVE-ID
CVE-2011-0206 : David Bienvenu of Mozilla
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
For Mac OS X v10.5 systems, this issue is addressed in Security
Update 2011-004.
CVE-ID
CVE-2011-0204 : Dominic Chell of NGS Secure
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF
image may lead to an unexpected application termination or arbitrary
code execution.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A reentrancy issue existed in ImageIO's handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution. This
issue does not affect Mac OS X systems.
CVE-ID
CVE-2011-0215 : Juan Pablo Lopez Yacubian working with iDefense VCP
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
For Mac OS X v10.5 systems, this issue is addressed in Security
Update 2011-004.
CVE-ID
CVE-2011-0204 : Dominic Chell of NGS Secure
libxslt
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of addresses on the heap
Description: libxslt's implementation of the generate-id() XPath
function disclosed the address of a heap buffer. Visiting a
maliciously crafted website may lead to the disclosure of addresses
on the heap. This issue is addressed by generating an ID based on the
difference between the addresses of two heap buffers. For Mac OS X
v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac
OS X v10.5 systems, this issue is addressed in Security Update
2011-004.
CVE-ID
CVE-2011-0195 : Chris Evans of the Google Chrome Security Team
libxml
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A one-byte heap buffer overflow existed in libxml's
handling of XML data. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0216 : Billy Rios of the Google Security Team
Safari
Available for: Mac OS X v10.6.8 or later,
Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later
Impact: If the "AutoFill web forms" feature is enabled, visiting a
maliciously crafted website and typing may lead to the disclosure of
information from the user's Address Book
Description: Safari's "AutoFill web forms" feature filled in non-
visible form fields, and the information was accessible by scripts on
the site before the user submitted the form. This issue is addressed
by displaying all fields that will be filled, and requiring the
user's consent before AutoFill information is available to the form.
CVE-ID
CVE-2011-0217 : Florian Rienhardt of BSI, Alex Lambert, [Jeremiah
Grossman]
Safari
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: With a certain Java configuration, visiting a malicious
website may lead to unexpected text being displayed on other sites
Description: A cross origin issue existed in the handling of Java
Applets. This applies when Java is enabled in Safari, and Java is
configured to run within the browser process. Fonts loaded by a Java
applet could affect the display of text content from other sites.
This issue is addressed by running Java applets in a separate
process.
CVE-ID
CVE-2011-0219 : Joshua Smith of Kaon Interactive
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution.
CVE-ID
CVE-2010-1823 : David Weston of Microsoft and Microsoft Vulnerability
Research (MSVR), wushi of team509, and Yong Li of Research In Motion
Ltd
CVE-2011-0164 : Apple
CVE-2011-0218 : SkyLined of Google Chrome Security Team
CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS
Research Team, and Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0223 : Jose A. Vazquez of spa-s3c.blogspot.com working with
iDefense VCP
CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative
CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0234 : Rob King working with TippingPoint's Zero Day
Initiative, wushi of team509 working with TippingPoint's Zero Day
Initiative, wushi of team509 working with iDefense VCP
CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0237 : wushi of team509 working with iDefense VCP
CVE-2011-0238 : Adam Barth of Google Chrome Security Team
CVE-2011-0240 : wushi of team509 working with iDefense VCP
CVE-2011-0253 : Richard Keen
CVE-2011-0254 : An anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0255 : An anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc
CVE-2011-0983 : Martin Barbella
CVE-2011-1109 : Sergey Glazunov
CVE-2011-1114 : Martin Barbella
CVE-2011-1115 : Martin Barbella
CVE-2011-1117 : wushi of team509
CVE-2011-1121 : miaubiz
CVE-2011-1188 : Martin Barbella
CVE-2011-1203 : Sergey Glazunov
CVE-2011-1204 : Sergey Glazunov
CVE-2011-1288 : Andreas Kling of Nokia
CVE-2011-1293 : Sergey Glazunov
CVE-2011-1296 : Sergey Glazunov
CVE-2011-1449 : Marek Majkowski, wushi of team 509 working with
iDefense VCP
CVE-2011-1451 : Sergey Glazunov
CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-1457 : John Knottenbelt of Google
CVE-2011-1462 : wushi of team509
CVE-2011-1797 : wushi of team509
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A configuration issue existed in WebKit's use of
libxslt. Visiting a maliciously crafted website may lead to arbitrary
files being created with the privileges of the user, which may lead
to arbitrary code execution. This issue is addressed through improved
libxslt security settings.
CVE-ID
CVE-2011-1774 : Nicolas Gregoire of Agarri
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
information disclosure
Description: A cross-origin issue existed in the handling of Web
Workers. Visiting a maliciously crafted website may lead to an
information disclosure.
CVE-ID
CVE-2011-1190 : Daniel Divricean of divricean.ro
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of URLs
with an embedded username. Visiting a maliciously crafted website may
lead to a cross-site scripting attack. This issue is addressed
through improved handling of URLs with an embedded username.
CVE-ID
CVE-2011-0242 : Jobert Abma of Online24
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of DOM
nodes. Visiting a maliciously crafted website may lead to a cross-
site scripting attack.
CVE-ID
CVE-2011-1295 : Sergey Glazunov
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: A maliciously crafted website may be able to cause a
different URL to be shown in the address bar
Description: A URL spoofing issue existed in the handling of the DOM
history object. A maliciously crafted website may have been able to
cause a different URL to be shown in the address bar.
CVE-ID
CVE-2011-1107 : Jordi Chancel
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Subscribing to a maliciously crafted RSS feed and clicking
on a link within it may lead to an information disclosure
Description: A canonicalization issue existed in the handling of
URLs. Subscribing to a maliciously crafted RSS feed and clicking on a
link within it may lead to arbitrary files being sent from the user's
system to a remote server. This update addresses the issue through
improved handling of URLs.
CVE-ID
CVE-2011-0244 : Jason Hullinger
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Applications that use WebKit, such as mail clients, may
connect to an arbitrary DNS server upon processing HTML content
Description: DNS prefetching was enabled by default in WebKit.
Applications that use WebKit, such a s mail clients, may connect to
an arbitrary DNS server upon processing HTML content. This update
addresses the issue by requiring applications to opt in to DNS
prefetching.
CVE-ID
CVE-2010-3829 : Mike Cardwell of Cardwell IT Ltd.
Note: Safari 5.1 is included with OS X Lion.
Safari 5.1 and Safari 5.0.6 address the same set of security
issues. Safari 5.1 is provided for Mac OS X v10.6,
and Windows systems. Safari 5.0.6 is provided for
Mac OS X v10.5 systems.
Safari 5.1 is available via the Apple Software Update
application, or Apple's Safari download site at:
http://www.apple.com/safari/download/
Safari 5.0.6 is available via the Apple Software Update
application, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Safari for Mac OS X v10.6.8 and later
The download file is named: Safari5.1SnowLeopard.dmg
Its SHA-1 digest is: 2c3cef8e06c5aa586379b1a5fd5cf7b54e8acc24
Safari for Mac OS X v10.5.8
The download file is named: Safari5.0.6Leopard.dmg
Its SHA-1 digest is: ea970375d2116a7b74094a2a7669bebc306b6e6f
Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: d00b791c694b1ecfc22d6a1ec9aa21cc14fd8e36
Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: ccb3bb6b06468a430171d9f62708a1a6d917f45b
Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 1273e0ee742a294d65e4f25a9b3e36f79fb517c9
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
iQEcBAEBAgAGBQJOJI45AAoJEGnF2JsdZQeezHQIALKZms5tzYgYxUSdxmo+DmYw
up9gAmEVcltZvCeVS1lUxfjqnRiGRSWyuou8Ynt9PfGQCz9GfLvzlrCHc5rsnKaD
MeYY1IH7lQc6aqmV0hwb4nUL5qJntP6G5Ai0E/0UiRQNC/ummS+qnmdsiFo78ODY
nKaB5cAWhqGHgOAPnUG0JwmxpYgR2HEtGYJSqlYykMwt1vnlAr5hHVNaUJcJ3Hlb
vesN6fB7zQMiJVo8+iJBixCvIYlbII5HnVAmD1ToyKgENg4Iguo46YBMVr8DPgF/
KD2s0+VF/O4utYVX0GiRGReVyq1PMvz/HI23ym8U3LjbezXD/AALQET0Q2hUEYQ=
=fOfF
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBTie8pe4yVqjM2NGpAQIWeRAAmud0uyxW6KLrpZxzJ0q4KsiKIB/OQzF7
IpB6kqSWSFuNWNVZIzUnvYXFiXx8fwnVCVW4cbNHRWNRarFa0GgFALgZwY8cUrOq
FiyAVlvBGK5/W54Kl6/Iinlz7LaxX9kCID/G+y78I+bRmtA19PXZnPMQYbh4QfvJ
AMRgYEWhISOBckJ1YlZpugZchUm9Rx11+qLc43bNY2Jl9Rk38JuIJEfev0bS7UOk
0w7hxt5KiwZ05ZJS1SHoYGphzcPmh3BptJuay2SC95PzAmI8K1N9Xiq3uCiVE9S9
9C5dQL+l+PqA/RFIv0AGH77nGuowMnjekTbGsSs+OD4D2kZtgeB7qv6ue6t64evo
lof73AOoaRMpzHcOMyd2e0mp2KXqwE0c/MS8VMPrqzbHN0rFN1bGFm4Dt57A458Y
qptkwNPVHbR9gYccaHQvEeAiGApFwtwcYuaZ/xuIz4i+Md6PzT3+LfS5t5mMzVJy
9rDeE3VXfFmEhL8f7bBL8q81pSP+bQqsIhc67fqMIy9S2dnQP302vdUCMKlttN/M
QryGQvVTJs/Q39MdpQ5KJuCDlN39tePS4fKiTEHonrVnPHXRH/7grL/4JyAFjnrj
x/7U/hI1+7xVyoBf23P4KoqNGQgGd5niTGk1mmCwyz2LioAV0hURTDty4yD8rIFg
AzPJ2CelWG0=
=A8C/
-----END PGP SIGNATURE-----
|