ESB-2014.0792 - [OSX] Safari: Multiple vulnerabilities

Date: 22 May 2014
References: ASB-2013.0083  ESB-2013.0994  ASB-2013.0114  ESB-2013.1530  ASB-2014.0057  ESB-2014.0657  ESB-2014.1059  ESB-2014.1060  ESB-2014.1880  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0792
                       Safari 6.1.4 and Safari 7.0.4
                                22 May 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Safari
Publisher:        Apple
Operating System: OS X
Impact/Access:    Execute Arbitrary Code/Commands -- Remote with User Interaction
                  Denial of Service               -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2014-1731 CVE-2014-1346 CVE-2014-1344
                  CVE-2014-1343 CVE-2014-1342 CVE-2014-1341
                  CVE-2014-1339 CVE-2014-1338 CVE-2014-1337
                  CVE-2014-1336 CVE-2014-1335 CVE-2014-1334
                  CVE-2014-1333 CVE-2014-1331 CVE-2014-1330
                  CVE-2014-1329 CVE-2014-1327 CVE-2014-1326
                  CVE-2014-1324 CVE-2014-1323 CVE-2013-2927
                  CVE-2013-2875  

Reference:        ASB-2014.0057
                  ASB-2013.0114
                  ASB-2013.0083
                  ESB-2014.0657
                  ESB-2013.1530
                  ESB-2013.0994

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2014-05-21-1 Safari 6.1.4 and Safari 7.0.4

Safari 6.1.4 and Safari 7.0.4 are now available and address the
following:

WebKit
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2875 : miaubiz
CVE-2013-2927 : cloudfuzzer
CVE-2014-1323 : banty
CVE-2014-1324 : Google Chrome Security Team
CVE-2014-1326 : Apple
CVE-2014-1327 : Google Chrome Security Team, Apple
CVE-2014-1329 : Google Chrome Security Team
CVE-2014-1330 : Google Chrome Security Team
CVE-2014-1331 : cloudfuzzer
CVE-2014-1333 : Google Chrome Security Team
CVE-2014-1334 : Apple
CVE-2014-1335 : Google Chrome Security Team
CVE-2014-1336 : Apple
CVE-2014-1337 : Apple
CVE-2014-1338 : Google Chrome Security Team
CVE-2014-1339 : Atte Kettunen of OUSPG
CVE-2014-1341 : Google Chrome Security Team
CVE-2014-1342 : Apple
CVE-2014-1343 : Google Chrome Security Team
CVE-2014-1344 : Ian Beer of Google Project Zero
CVE-2014-1731 : an anonymous member of the Blink development
community

WebKit
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.3
Impact:  A malicious site can send messages to a connected frame or
window in a way that might circumvent the receiver's origin check
Description:  An encoding issue existed in the handling of Unicode
characters in URLs. A maliciously crafted URL could have led to
sending an incorrect postMessage origin. This issue was addressed
through improved encoding/decoding.
CVE-ID
CVE-2014-1346 : Erling Ellingsen of Facebook


For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.4
and Safari 6.1.4 may be obtained from Mac App Store.

For OS X Lion systems Safari 6.1.4 is available via the Apple
Software Update application.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
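The second WebKit issue above (CVE-2014-1346) concerned a receiver whose postMessage origin check could be circumvented by a crafted URL. The following is an added example, not code from Apple's or AusCERT's bulletin, showing the receiver-side check a page should perform regardless of browser fixes: the sender origin is canonicalised with the WHATWG URL class and compared exactly against an allowlist, never by substring or suffix. The allowlist entries and event shapes are constructed for the example.

```javascript
// Added example: strict postMessage origin validation on the receiving side.
// Assumes a browser or Node.js environment that provides the WHATWG URL class.

// Constructed allowlist of origins this frame will accept messages from.
const TRUSTED_ORIGINS = ["https://app.example.test", "https://api.example.test:8443"];

// Canonicalise an origin string. Returns null for anything that is not a
// well-formed http(s) origin, so a garbled, non-ASCII or decorated value is
// never accepted on the strength of a lax string comparison.
function canonicalOrigin(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return null; // "null", "", and unparsable strings all end here
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // A genuine origin carries no path, query, fragment or credentials.
  if (url.pathname !== "/" || url.search !== "" || url.hash !== "") return null;
  if (url.username !== "" || url.password !== "") return null;
  // scheme://host[:port] with default ports dropped and the host in ASCII (IDNA) form,
  // so a look-alike Unicode host can never compare equal to an ASCII allowlist entry.
  return url.origin;
}

// True only when the canonical form of `origin` exactly equals a canonical
// allowlist entry. Suffix checks such as endsWith("example.test") are avoided
// because they accept "example.test.attacker.test"-style hosts.
function isTrustedOrigin(origin, allowlist = TRUSTED_ORIGINS) {
  const canon = canonicalOrigin(origin);
  if (canon === null) return false;
  return allowlist.some((entry) => canonicalOrigin(entry) === canon);
}

// Handler shape for window.addEventListener("message", handleMessage).
// Returns the accepted payload, or null when the message is dropped.
function handleMessage(event, allowlist = TRUSTED_ORIGINS) {
  if (!event || !isTrustedOrigin(event.origin, allowlist)) return null;
  return event.data;
}
```

Because the comparison is done on the canonical origin, "https://app.example.test:443" and "https://app.example.test" match while a differently encoded or look-alike host does not.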

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----