ESB-2016.0141 - [OSX] Apple Safari: Multiple vulnerabilities

Date: 20 January 2016
References: ESB-2016.0139  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0141
                               Safari 9.0.3
                              20 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple Safari
Publisher:         Apple
Operating System:  OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1728 CVE-2016-1727 CVE-2016-1726
                   CVE-2016-1725 CVE-2016-1724 CVE-2016-1723

Reference:         ESB-2016.0139

Original Bulletin: 
   https://support.apple.com/en-us/HT205730

- --------------------------BEGIN INCLUDED TEXT--------------------


APPLE-SA-2016-01-19-3 Safari 9.0.3

Safari 9.0.3 is now available and addresses the following:

WebKit
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
OS X El Capitan v10.11 to v10.11.2
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2016-1723 : Apple
CVE-2016-1724 : Apple
CVE-2016-1725 : Apple
CVE-2016-1726 : Apple
CVE-2016-1727 : Apple

WebKit CSS
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
OS X El Capitan v10.11 to v10.11.2
Impact:  Websites may know if the user has visited a given link
Description:  A privacy issue existed in the handling of the
"a:visited button" CSS selector when evaluating the containing
element's height. This was addressed through improved validation.
CVE-ID
CVE-2016-1728 : an anonymous researcher coordinated via Joe Vennix


- --------------------------END INCLUDED TEXT--------------------
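As an added example that is not part of the AusCERT or Apple bulletin: a small parser for the APPLE-SA entry format quoted above (component, "Available for", "Impact", "Description", CVE-ID lines with credits), plus a cross-check of the "CVE Names" list from the AusCERT summary header against the CVE-IDs actually present in the body. The embedded sample is an excerpt of the bulletin text with three of the five WebKit CVE lines left out, so the cross-check has something to report.

```python
import re
# Excerpt of the APPLE-SA-2016-01-19-3 body quoted above; CVE-2016-1724..1726 omitted for brevity.
ADVISORY = """WebKit
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
OS X El Capitan v10.11 to v10.11.2
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2016-1723 : Apple
CVE-2016-1727 : Apple

WebKit CSS
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
OS X El Capitan v10.11 to v10.11.2
Impact:  Websites may know if the user has visited a given link
Description:  A privacy issue existed in the handling of the
"a:visited button" CSS selector when evaluating the containing
element's height. This was addressed through improved validation.
CVE-ID
CVE-2016-1728 : an anonymous researcher coordinated via Joe Vennix
"""
CVE_LINE = re.compile(r"^(CVE-\d{4}-\d{4,}) : (.+)$")
FIELDS = {"Available for:": "available_for", "Impact:": "impact", "Description:": "description"}

def parse_apple_sa(text):
    """Yield one dict per entry: component, the three prose fields, cves (CVE -> credit)."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not any(l.startswith("Available for:") for l in lines):
            continue  # title line or preamble, not a vulnerability entry
        entry, key = {"component": lines[0], "cves": {}}, None
        for line in lines[1:]:
            m = CVE_LINE.match(line)
            if m:
                entry["cves"][m.group(1)] = m.group(2)
            elif line == "CVE-ID":
                key = None
            else:
                for prefix, name in FIELDS.items():
                    if line.startswith(prefix):
                        key, line = name, line[len(prefix):]
                if key:  # wrapped lines are joined onto the current field
                    entry[key] = (entry.get(key, "") + " " + line.strip()).strip()
        yield entry

def cve_mismatch(entries, header_cves):
    # Cross-check a summary's CVE list (e.g. the AusCERT "CVE Names" line) against the body.
    body, hdr = {c for e in entries for c in e["cves"]}, set(header_cves.split())
    return sorted(hdr - body), sorted(body - hdr)  # (header only, body only)
```

Run against the full bulletin text the cross-check should return two empty lists; anything in the first list is a CVE the summary promises that the quoted advisory does not describe.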

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================