T-673: Apple Safari Multiple Flaws Let Remote Users Execute Arbitrary Code, Conduct Cross-Site Scripting Attacks

July 21, 2011 - 1:27am

PROBLEM:

Multiple vulnerabilities were reported in Apple Safari. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can conduct cross-site scripting attacks. A remote user can obtain potentially sensitive information. A remote user can bypass a certificate validation control.

PLATFORM:

Safari 5.1 and Safari 5.0.6
Products Affected:
Safari 5 (Mac OS X 10.6), Safari 5 (Mac OS X 10.5), Product Security, Safari 5.1 (OS X Lion)

ABSTRACT:

Apple Safari Multiple Flaws Let Remote Users Execute Arbitrary Code, Conduct Cross-Site Scripting Attacks

REFERENCE LINKS:

Apple Article: HT4808
SecurityTracker Alert ID: 1025816
Mac OS X Update
Apple Downloads

IMPACT ASSESSMENT:

High

Discussion:

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a memory corruption error and execute arbitrary code on the target system
[CVE-2010-1823, CVE-2011-0216, CVE-2011-1774, CVE-2011-1797, CVE-2011-1296,
CVE-2011-1453, CVE-2011-1457, CVE-2011-1462, CVE-2011-0218, CVE-2011-1109,
CVE-2011-1114, CVE-2011-1115, CVE-2011-1117, CVE-2011-1121, CVE-2011-1188,
CVE-2011-0221, CVE-2011-0222, CVE-2011-0223, CVE-2011-0225, CVE-2011-0232,
CVE-2011-0233, CVE-2011-0234, CVE-2011-0235, CVE-2011-0237, CVE-2011-0238,
CVE-2011-0240, CVE-2011-0253, CVE-2011-0254, CVE-2011-0255, CVE-2011-0981,
CVE-2011-0983, CVE-2011-1203, CVE-2011-1204, CVE-2011-1288, CVE-2011-1293].
The code will run with the privileges of the target user.

A remote user can replay NTLM authentication data to authenticate to a target system [CVE-2010-1383]. Only Windows-based systems are affected.

A remote user can create a specially crafted TIFF file that, when loaded by the target user, will trigger a memory corruption error and
execute arbitrary code on the target system [CVE-2011-0215, CVE-2011-0241]. The code will run with the privileges of the target user. Only Windows-based systems are affected.

A remote user can create a specially crafted web site that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser [CVE-2011-1295, CVE-2011-0242].
The code will originate from the site and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies),
if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can create a page with the 'text/plain' content type that, when loaded by the target user, will be treated as HTML. A remote user can exploit this to conduct cross-site scripting attacks [CVE-2010-1420].

CFNetwork does not properly validate remote certificates and may ignore that a system root certificate has been disabled and incorrectly accept certificates signed by that root server [CVE-2011-0214].

On systems with the 'AutoFill web forms' feature enabled, a remote user can create a specially crafted web site that, when loaded by the target user and when the target user types on the web site,
will obtain information from hidden, auto-filled forms on the target user's browser [CVE-2011-0217].

With a certain Java configuration, a remote user can create a specially crafted web site that, when loaded by the target user, will cause text to be displayed on other sites [CVE-2011-0219].

A remote user can create a specially crafted link within an RSS feed that, when subscribed to and clicked on by the target user, will obtain information from the target user's system [CVE-2011-0244].

A remote user can create a specially crafted web site that, when loaded by the target user, will spoof the address bar URL [CVE-2011-1107].

A remote user can create a specially crafted website that, when loaded by the target user, will obtain information from the target user's system [CVE-2011-1190].

Impact:

A remote user can create a file or HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A remote user can obtain potentially sensitive information. A remote user can bypass a certificate validation control.

Solution:

The vendor has issued a fix (5.0.6, 5.1), available via the Apple Software Update application, or Apple's Safari download site at:
Safari Download

Safari for Mac OS X v10.6.8 and later
The download file is named: Safari5.1SnowLeopard.dmg
Its SHA-1 digest is: 2c3cef8e06c5aa586379b1a5fd5cf7b54e8acc24

Safari for Mac OS X v10.5.8
The download file is named: Safari5.0.6Leopard.dmg
Its SHA-1 digest is: ea970375d2116a7b74094a2a7669bebc306b6e6f

Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: d00b791c694b1ecfc22d6a1ec9aa21cc14fd8e36

Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: ccb3bb6b06468a430171d9f62708a1a6d917f45b

Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 1273e0ee742a294d65e4f25a9b3e36f79fb517c9
