Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3184.2
APPLE-SA-2020-09-16-3 Safari 14.0
16 November 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Safari
Publisher: Apple
Operating System: Mac OS
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2020-9993 CVE-2020-9987 CVE-2020-9983
CVE-2020-9952 CVE-2020-9951 CVE-2020-9950
CVE-2020-9948 CVE-2020-9947
Reference: ESB-2020.3181
ESB-2020.3183
Original Bulletin:
https://support.apple.com/en-us/HT211845
Revision History: November 16 2020: Vendor added additional entries, CVEs and updated entries
September 17 2020: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2020-11-13-5 Additional information for
APPLE-SA-2020-09-16-3 Safari 14.0
Safari 14.0 addresses the following issues. Information about
the security content is also available at
https://support.apple.com/HT211845.
Safari
Available for: macOS Catalina and macOS Mojave, and included in macOS
Big Sur
Impact: Visiting a malicious website may lead to address bar spoofing
Description: The issue was addressed with improved UI handling.
CVE-2020-9993: Masato Sugiyama (@smasato) of University of Tsukuba,
Piotr Duszynski
Entry added November 12, 2020
Safari
Available for: macOS Catalina and macOS Mojave, and included in macOS
Big Sur
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2020-9987: Rafay Baloch (cybercitadel.com) of Cyber Citadel
Entry added November 12, 2020
WebKit
Available for: macOS Catalina and macOS Mojave
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2020-9948: Brendan Draper (@6r3nd4n) working with Trend Micro
Zero Day Initiative
WebKit
Available for: macOS Catalina and macOS Mojave, and included in macOS
Big Sur
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-9947: cc working with Trend Micro Zero Day Initiative
CVE-2020-9950: cc working with Trend Micro Zero Day Initiative
CVE-2020-9951: Marcin 'Icewall' Noga of Cisco Talos
Entry updated November 12, 2020
WebKit
Available for: macOS Catalina and macOS Mojave
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: An input validation issue was addressed with improved
input validation.
CVE-2020-9952: Ryan Pickren (ryanpickren.com)
WebKit
Available for: macOS Catalina and macOS Mojave
Impact: Processing maliciously crafted web content may lead to code
execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9983: zhunki
Additional recognition
Safari
We would like to acknowledge @PaulosYibelo of Limehats, Ryan Pickren
(ryanpickren.com) for their assistance.
Entry added November 12, 2020
Safari Reader
We would like to acknowledge Zhiyang Zeng(@Wester) of OPPO ZIWU
Security Lab for their assistance.
Entry added November 12, 2020
WebKit
We would like to acknowledge Pawel Wylecial of REDTEAM.PL, Ryan
Pickren (ryanpickren.com), Tsubasa FUJII (@reinforchu), Zhiyang
Zeng(@Wester) of OPPO ZIWU Security Lab for their assistance.
Entry added November 12, 2020
Installation note:
Safari 14.0 may be obtained from the Mac App Store.
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAl+uxmkACgkQZcsbuWJ6
jjC10xAApnFTMOYmt4Y5o7KF5E6OBizR9toCIxwAxr8nRX5/UfPC3aIKv7DFYTP/
JrAlUMM8soZAuytc1dQPXpMgsM71OctsSM92Z06oEVeiN9w1lZ/Bonh8F2R0Sm2Y
upMFk6aHHWt++JfhbYQULNZx9zrT885dmyynLTk5kHB8TRnIqUmtzcpeYWkGkT78
TdMn9w9atcbSbi0Yqybmy+CE3qvm96C8TIQTMj2Qlp04AU0ZAtogZfTwJvPV8LIx
sqHaGRO2hcTchxcWn50edjANOOBK+16QdcqoTKKVZY95RjIFvksD/lAZqMlNIlNR
X5pXr2NfkPRQwMcyAW4YKEJ165TohV/6eiYKJr70BbigWWwfNWhjJiT4drAnd9ii
uO6NI85hLLeF6me28L2RPxO7XuVnu5MXzLzgKR0dprsyoF0yxEcJ6rX56bduggli
lZ+eziUH5ReUw0E3RtIC5u0NSOPjsYuErH0qH0nCTUU6dRNI7u1ZKq44eyGjrdvg
vfNoci5yMnqsp+8D/yjZc2zQZCSEXgMpuNNac1Unv1JFPrypG/N5a2qmqDWi+P/x
Pcbv1TzDS0XwXuwXMgTflj6MY38gbAIpZlZNEyjvxx9r7MUBYEeEW1KMoTtghiaa
kL7XmKJEGZib++TAP4+jZ/6tWjhijdmkx5S+85vi7TV8NbHpn4o=
=EiFD
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX7HXfONLKJtyKPYoAQhFlQ/9EqJW3UBIzEr2ZXmFJL9t2Uoum7mMvaN4
nDKKAJFfZQNTk+6fF759shr0Uy3LJARQJ32QcEo4lt6UK24Fg5cDSbVeiK5HKxnH
UpCKI4KdEUYGrJGrLlsvroBS9N5mNKVheYCJyHO9KHTbSXGmfh+DehyZvwHkuOea
ogvZLK488sGbJeJn/qfqbv2XSpy6IaSMfaXO6zMm/pkqwooLES8ShBw88adtXiwx
TrN/+Wb7P5wTPV+6FGgugE+eggY03CuUIMFkTyIwoklfzcvejqD/sCJGnbLNxZ+O
0Sm9saWt3znQT8FjAsWJAvWuL1ngPLucc/9o1WzSX5/KYjvzkkfTNUMwESyevl7M
A8derOpTgYE4n+KbI2kINXOhOIkg8jUI+DSQvZcqYjdAPEnFECAlZLezSB+55+WI
2v+l77kQUibp725l+aAadY3eEe5Wimugr0rriQiPquu5lytpm46Hb2HSk6O5D4ON
88oSbVITK8uqzn08gSkN2oI5SAa8oYlsQoNzilMrvzzV81fKPrrEVK0y3n5Wcft8
bWFVl+AwkBDlKyC4wQATROlEX1tMBc/6aNg4wlzifOq53n9Nrb4bHLcDjkQGsEte
Q92EpT00fJDzOkW9d20IwNDCVtpnBrxtUYVPzrEqr9QuvsubM17U/OgSUIFdLgyC
nbz49Yzg2Ok=
=hEEr
-----END PGP SIGNATURE-----