AusCERT - ESB-2012.0459 - [Win][Mac][OSX] Safari: Multiple vulnerabilities

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-2012.0459 - [Win][Mac][OSX] Safari: Multiple vulnerabilities
Date: 10 May 2012
References: ASB-2012.0034 ASB-2012.0040 ESB-2012.0436 ESB-2012.0529

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0459
                    APPLE-SA-2012-05-09-2 Safari 5.1.7
                                10 May 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Safari
Publisher:        Apple
Operating System: Mac OS X
                  Windows
Impact/Access:    Execute Arbitrary Code/Commands -- Remote with User Interaction
                  Cross-site Scripting            -- Remote with User Interaction
                  Denial of Service               -- Remote with User Interaction
                  Provide Misleading Information  -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2012-0676 CVE-2012-0672 CVE-2011-3056
                  CVE-2011-3046  

Reference:        ASB-2012.0040
                  ASB-2012.0034
                  ESB-2012.0436

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2012-05-09-2 Safari 5.1.7

Safari 5.1.7 is now available and addresses the following:

WebKit
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.4, OS X Lion Server v10.7.4, Windows 7, Vista,
XP SP2 or later
Impact:  Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description:  Multiple cross-site scripting issues existed in WebKit.
CVE-ID
CVE-2011-3046 : Sergey Glazunov working with Google's Pwnium contest
CVE-2011-3056 : Sergey Glazunov

WebKit
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.4, OS X Lion Server v10.7.4, Windows 7, Vista,
XP SP2 or later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in WebKit.
CVE-ID
CVE-2012-0672 : Adam Barth and Abhishek Arya of the Google Chrome
Security Team

WebKit
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.4, OS X Lion Server v10.7.4, Windows 7, Vista,
XP SP2 or later
Impact:  A maliciously crafted website may be able to populate form
inputs on another website with arbitrary values
Description:  A state tracking issue existed in WebKit's handling of
forms.
CVE-ID
CVE-2012-0676 : Andreas Akre Solberg of UNINETT AS, Aaron Roots of
Deakin University ITSD, Tyler Goen

Note: In addition, this update disables Adobe Flash Player if it
is older than 10.1.102.64 by moving its files to a new directory.
This update presents the option to install an updated version of
Flash Player from the Adobe website.


Safari 5.1.7 is available via the Apple Software Update
application, or Apple's Safari download site at:
http://www.apple.com/safari/download/

Safari for OS X Lion v10.7.4
The download file is named: Safari5.1.7LionManual.dmg
Its SHA-1 digest is: 5024eb2e358feb6b87d6eff15438bf7ae99619b4

Safari for Mac OS X v10.6.8
The download file is named: Safari5.1.7SnowLeopardManual.dmg
Its SHA-1 digest is: 32d1dca993b455bc5c230caef95ab70c702e6fee

Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: f601df0106987bfffc3f22b046ba835e4f8d29c6

Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: 193eaddae1d25dd1b0f8786a810de083fc9280b0

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)

iQEcBAEBAgAGBQJPqtgCAAoJEGnF2JsdZQeeIvQIAIIbdrlsjYRAiMAEK/o4QwkF
M4EIDhqpDPnjDFBcT39vqapEPt4btYp0x+464bNRyU9ex4bY7NGPzaKTS/bdcnXJ
BbpmR8rFluCRZ3AIyFSYPvKImsoyp5IZ91lTIxes1E4j+ed1diXEpLlt8Pp4K3Fc
w2hao+KBKYCUKcjy49whKC0+6jnQWPoP7lPl9gjVyM/fky4K2J/F2c2saXHTDS9l
L3CU4+0jA6INzY2NN2j3jdSZgglLgRcDvF3dAriNhW0Wlyd6ucuTxULbC1cS0mRs
w4stMTnMzdgKsy13kE2tBQAf3rguM1PzlJAlOZMw9Ad/O6lU+8uaJ8AmBygVpq4=
=x2Jz
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBT6shr+4yVqjM2NGpAQJKHxAAkWnifGTPh5rtr/Fm3bGKzU9XfZMyJtlj
pUVU8MY8vlMaZBoEBKLOVpUcW7j8roeGRkHjthKNpCTNH5sWdOnRhml31mBkWHqC
aNYrwEzeVqKahzcbN/+vUQDGtdmihW761ZMSg+n5LGtgnWfjv10CuE1PFk6G2z/I
IeB94vgZraiLKW+6quqpZN/o8l7H0hxCPQdT3j1lAHet1WDhAqzG0h+ii8jZBhOk
P/0xvhIVHRqVDNJZAXen+48+QRKkl8JI0NHQzbRFtQTzqqb3DbN7ejhEjUi3A6uM
003Dd1euPuJHMGkAHEgHDvOCTZsUmE08b/mz8wCIDTI/ns9R08m1ZfB9OJGba794
JMU9Nkt7ncF/ny8NCJ8tb50CyY4GMqWZe16aBZOsRwTFEekaMuFcaxvVt6wMh33V
BsjY0hsfyioADny4xYXHmeameU9aZhR5Bo6VgCptpC917A0aRCTSds87tJ54p9jW
PQ2wSfJNJLnxnWBz4mFH80gad2pGNnlZhVD4sc+d3hCDg+PhefTfWujb96stfzrT
uFwFBzmQPTl55MX7L88E0NdAxZthdqCbTq69cJ25g2kGwY0ycqm+dViIJWsovYMN
s/YJCa/XeWXOj/e/wrWp7LlpuugcLUlM9v9K6Zgq5XU8lCDrlJfXjhR4e88xYoxF
jvc+7xKzQnQ=
=WoSY
-----END PGP SIGNATURE-----