-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3184
                     APPLE-SA-2020-09-16-3 Safari 14.0
                             17 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Safari
Publisher:         Apple
Operating System:  Mac OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9983 CVE-2020-9952 CVE-2020-9951
                   CVE-2020-9948  

Reference:         ESB-2020.3181
                   ESB-2020.3183

Original Bulletin: 
   https://support.apple.com/en-us/HT211845

- --------------------------BEGIN INCLUDED TEXT--------------------

Safari 14.0

Released September 16, 2020

WebKit

Available for: macOS Catalina and macOS Mojave

Impact: Processing maliciously crafted web content may lead to arbitrary code
execution

Description: A type confusion issue was addressed with improved memory
handling.

CVE-2020-9948: Brendan Draper (@6r3nd4n) working with Trend Micro Zero Day
Initiative


WebKit

Available for: macOS Catalina and macOS Mojave

Impact: Processing maliciously crafted web content may lead to arbitrary code
execution

Description: A use after free issue was addressed with improved memory
management.

CVE-2020-9951: Marcin 'Icewall' Noga of Cisco Talos


WebKit

Available for: macOS Catalina and macOS Mojave

Impact: Processing maliciously crafted web content may lead to a cross site
scripting attack

Description: An input validation issue was addressed with improved input
validation.

CVE-2020-9952: Ryan Pickren (ryanpickren.com)


WebKit

Available for: macOS Catalina and macOS Mojave

Impact: Processing maliciously crafted web content may lead to code execution

Description: An out-of-bounds write issue was addressed with improved bounds
checking.

CVE-2020-9983: zhunki

Information about products not manufactured by Apple, or independent websites
not controlled or tested by Apple, is provided without recommendation or
endorsement. Apple assumes no responsibility with regard to the selection,
performance, or use of third-party websites or products. Apple makes no
representations regarding third-party website accuracy or reliability. Contact
the vendor for additional information.

Published Date: September 16, 2020

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX2L3VONLKJtyKPYoAQi1LA//f1cauv/fdMSCSovRiar9D60VpaHLKXEq
CDVfDB745w2yi2zVA4f7L08MoLcOk0mZ7Wabu2v7iAsXqXEcge4OVW9E9eN4s26C
MXNuux+ToHdjz7AGW4x64P7phMEvgu3pHq7yJKSAwSQFJRF1zcEse9F41tNVK0bj
l5gYcLxxMhkJ3CWs1H91SI/hvvaB/Vc9k214Wjp5p022HswLe8D6RLMmFwg5p5eZ
tfPZNu+IAHeM+cTdhfROKJ3To8gs+BYbkuP5O9cfUF2B9Go1uJ+ZboaMqFXx/02+
TqGfIB3Nm6bYoZcF6jqhfRnnxPRwh0Zog64JKoRVvRtNPf7aSXRFZykvSMkwaHln
RfB7RWjZRLElAOyiaxfaASYhEkRB+5VyjlBRENh2mHPAPB9pg3VJHodRgWswRhW2
oooXiWd8WdzaEL0tPR6/NdtH0cj2g31IX4gfRhxhZOYuoB481h8qrIgbzVZbMXQZ
CtFol6uamIIA6bivRNxhsoOiiWHoCsi+IZgyKICN3a7LotHJ9pv9jdRM+zO7yta+
5LuIxOzf8k+dwq+FOybLfx/swxE8D8aO4pkjVqgr0QFmGOPPKDX6/bus/lxd5xvK
d54TRiM+tz4ElzN84YcBs1t/Dr8RAuFxEDSh0F1VIcPKopB7XBajaSCvOFMncY8Q
5S+B3XRGMkM=
=JLNv
-----END PGP SIGNATURE-----