-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1618
                         Safari 6.2 and Safari 7.1
                              18 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Safari
Publisher:         Apple
Operating System:  OS X
Impact/Access:     Access Privileged Data          -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4415 CVE-2014-4414 CVE-2014-4413
                   CVE-2014-4412 CVE-2014-4411 CVE-2014-4410
                   CVE-2014-4409 CVE-2014-4363 CVE-2013-6663

Reference:         ASB-2014.0023
                   ESB-2014.1615
                   ESB-2014.0381

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2014-09-17-4 Safari 6.2 and Safari 7.1

Safari 6.2 and Safari 7.1 are now available and address the following:

Safari
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact:  An attacker with a privileged network position may intercept
user credentials
Description:  Saved passwords were autofilled on http sites, on https
sites with broken trust, and in iframes. This issue was addressed by
restricting password autofill to the main frame of https sites with
valid certificate chains.
CVE-ID
CVE-2014-4363 : David Silver, Suman Jana, and Dan Boneh of Stanford
University working with Eric Chen and Collin Jackson of Carnegie Mellon
University

WebKit
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact:  Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit. These
issues were addressed through improved memory handling.
CVE-ID
CVE-2013-6663 : Atte Kettunen of OUSPG
CVE-2014-4410 : Eric Seidel of Google
CVE-2014-4411 : Google Chrome Security Team
CVE-2014-4412 : Apple
CVE-2014-4413 : Apple
CVE-2014-4414 : Apple
CVE-2014-4415 : Apple

WebKit
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact:  A malicious website may be able to track users even when private
browsing is enabled
Description:  A web application could store HTML 5 application cache data
during normal browsing and then read the data during private browsing.
This was addressed by disabling access to the application cache when in
private browsing mode.
CVE-ID
CVE-2014-4409 : Yosuke Hasegawa (NetAgent Co., Ltd.)

Safari 7.1 and Safari 6.2 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJUGkSxAAoJEBcWfLTuOo7tNVcP/j3m7E6n31A4jJ+KpQK8QSaC
no9gPE/qLSAyHCPY1GvaLqNAiFrfbHvJu0C9GCRQe0K7CElCIovtxUZ91PREInPw
yQHsyFefeICOXwmU7fz1MWJcUufV6vdThcOzLQciSC2SomiptGdfhbi1/oyXWa7b
6W8m2adZBv4XDUfObEVO8S28/XsBRN5zHXGbGmwTqobBAGZp8G/IDiB5RjjY0vC3
TCs4TvhlWqUSyCaubqRGtvTol8+eVqFkFsJb/e4j8IlHi83BF5Gb20F+L3kW9lBH
rez4sz/chnjR5cFc6Be3ciXNdG10d5urMBFTXB8u6Wu7rl5oShD25OB/j4n+8Ik4
tvQZfGsRnTicFgywX28QuRVWwldK4VFvMcHAEPZ+8FuwjJCZSLbk0JPXJTC374N2
+G/fh6knx+yNEezedUAbR93OFIDn9lKniVlfVvALs8DnI4Qvfus1yQ9Pxb4rA6Y6
wguh4HaAeasMVZeL9nA8NHPH4aVhGryhaGq3N4ykag/TKtXAn2EsOsevQ5tWRYV2
LMJiFcDHcqjOftmbkNN/jbR35PX9InSBVeFqWG++01xKpcR/YrP1uEHY3fiQC/Z4
kX7nr26nrMXJkEb28ShAlyMYmGaQdos5S6jfe2liNg2C4y4E4aUbMwi8+L/wzXO+
mlqQ1qQbOepcgb+U0iLX
=muK9
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your
organisation's registration with AusCERT. The mailing list you are
subscribed to is maintained within your organisation, so if you do not
wish to continue receiving these bulletins you should contact your local
IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVBp7DBLndAQH1ShLAQLIRw//YuAwBMxiI/tPXnPbEpl19NOHQtJenvSh
ST6wYv6lvlcYdbSrM+FxZLWyJuzvG7NmIXH+A+K/yU8/tEEcOaY3zUNLJ+b/c18T
WTxtPoHhYTDrkEok4SWGF0OAzsC/gcKdruneXPmhHnK+4lZmgBwnHYc7szaZivVS
VUC6Fbj7c/1D37+7ZxMQk/wkwCDmcEmWJilRm+g1kZUhXNPaT5xJwl0/9yoxo9qs
m6/HVeg4XtMjT/5f5EiNqmYFqtmBisUT4F6DNEz8UIIp6hnqEDU3eR5YX8eJ7qQa
D2qELI5PLZmUUT6Z55LcjSmu8OnKRwd6FzeCm5hbI47xsX8jUrqlOd/kLUheG7l3
4MrgtW/lblOdpVB3CUPoH1l55sSklUGBJjOMzBDMhTaNTRR3eNioNWrXEyODLhj2
9K0IVY4ipNE1gDxYqum5SK1rE03+zKuVZiMyecY3YeyRd27HQlzeW2EUgeggjnua
MK+nVToNRLhzkAlMKVWxo5ASGgUsE0Le5eIt9xqK4X8qfFHSttA1Bs0xCuaktSZy
4bKmyahKuz0xmSEG28ZiY/IFhIoeif2WHfR5bHZP5QgkxlSTO+5jEVV4cKk8dHDk
bQbUUABma6fNFVK1izIw7XxB+9/zVC5R3IOoh4dTCBhSHFeTZnj0KZF0eDwj4tvX
gNdZV3+Wqa4=
=biVD
-----END PGP SIGNATURE-----
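The two non-memory-corruption fixes in the bulletin above (CVE-2014-4363, password autofill restricted to the main frame of https sites with valid certificate chains; CVE-2014-4409, application cache disabled in private browsing) are both policy decisions that can be stated as small predicates. The JavaScript below is an added illustration written for this page, not Apple's or WebKit's code: it models each decision before and after the fix, runs the autofill policy over constructed sample frames, and re-enacts the app-cache tracking scenario with a constructed visitor token. The frame and session objects, the `AppCacheStore` class, and every URL are assumptions made for the example.

```javascript
// Added example, not Apple's or WebKit's code: the two policy decisions
// from the advisory modelled as small, testable functions, with the
// pre-fix behaviour next to the fixed behaviour. The frame and session
// objects and all sample URLs are constructed here for illustration.

// A frame has a URL, a flag for whether its certificate chain validated,
// and a parent frame (null for the main/top-level frame).
function makeFrame(url, { certChainValid = true, parent = null } = {}) {
  return { url: new URL(url), certChainValid, parent };
}

function isMainFrame(frame) {
  return frame.parent === null;
}

// CVE-2014-4363, before the fix: saved passwords were autofilled on http
// pages, on https pages with a broken chain, and inside iframes, so the
// decision did not depend on the frame at all.
function autofillAllowedBefore(_frame) {
  return true;
}

// After the fix: autofill only in the main frame, only over https, and
// only when the certificate chain validated.
function autofillAllowedAfter(frame) {
  return (
    isMainFrame(frame) &&
    frame.url.protocol === "https:" &&
    frame.certChainValid === true
  );
}

// Run a policy over constructed sample frames and return its decisions.
function autofillDecisions(policy) {
  const httpsMain = makeFrame("https://bank.example/login");
  return {
    httpsMain: policy(httpsMain),
    httpMain: policy(makeFrame("http://bank.example/login")),
    httpsBrokenChain: policy(
      makeFrame("https://bank.example/login", { certChainValid: false })
    ),
    httpsIframe: policy(
      makeFrame("https://bank.example/widget", { parent: httpsMain })
    ),
  };
}

// CVE-2014-4409: application cache written during normal browsing could
// be read back in private browsing. Modelled as a store whose only
// before/after difference is whether private sessions may touch it.
class AppCacheStore {
  constructor({ disableInPrivateBrowsing }) {
    this.disableInPrivateBrowsing = disableInPrivateBrowsing;
    this.entries = new Map();
  }

  accessAllowed(session) {
    return !(session.privateBrowsing && this.disableInPrivateBrowsing);
  }

  write(session, origin, key, value) {
    if (!this.accessAllowed(session)) return false;
    this.entries.set(`${origin}|${key}`, value);
    return true;
  }

  read(session, origin, key) {
    if (!this.accessAllowed(session)) return null;
    return this.entries.get(`${origin}|${key}`) ?? null;
  }
}

// Re-enacts the tracking scenario: a normal session stores a visitor
// token, then a private session tries to read it. True means it leaked.
function trackingTokenLeaks(store) {
  const normalSession = { privateBrowsing: false };
  const privateSession = { privateBrowsing: true };
  const origin = "https://tracker.example"; // constructed sample origin
  store.write(normalSession, origin, "visitor-id", "token-42"); // constructed
  return store.read(privateSession, origin, "visitor-id") === "token-42";
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("autofill before fix:", autofillDecisions(autofillAllowedBefore));
  console.log("autofill after fix: ", autofillDecisions(autofillAllowedAfter));
  console.log("appcache leaks before fix:",
    trackingTokenLeaks(new AppCacheStore({ disableInPrivateBrowsing: false })));
  console.log("appcache leaks after fix: ",
    trackingTokenLeaks(new AppCacheStore({ disableInPrivateBrowsing: true })));
}
```

Run it with `node` to see the decision table: the pre-fix policy answers true for all four frames, the fixed policy only for the https main frame with a valid chain, and the app-cache token is readable from the private session only when access is not disabled. The same shape (frame ancestry, scheme, chain validity, browsing mode) is what a defender would check when auditing a browser-embedding product for these two behaviours.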