|
|
>> Apple Safari Multiple Remote Code Execution and URL Spoofing Vulnerabilities
|
Multiple vulnerabilities have been identified in Apple Safari, which could be exploited by malicious web sites to take complete control of an affected system or conduct spoofing attacks.
The first issue is caused by an error whithin the handling of the "Enable Java" preference, which could be exploited by attackers to load and run arbitrary applets even when Java is disabled.
The second vulnerability is caused by an error when processing domain names containing Unicode characters, which could be exploited to masquerade a website and conduct spoofing attacks.
The third issue is caused by a heap overflow error in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine, which could be exploited by remote attackers to execute arbitrary code by tricking a user into visiting a malicious web page.
Affected Products
Apple Safari 3 Beta versions prior to 3.0.3
Solution
Upgrade to Apple Safari 3 Beta Update 3.0.3 :
http://www.apple.com/safari/download/
References
http://www.vupen.com/english/advisories/2007/2730
http://docs.info.apple.com/article.html?artnum=306174
Credits
Vulnerabilities reported by Scott Wilde, Charlie Miller and Jake Honoroff (Independent Security Evaluators).
ChangeLog
2007-08-01 : Initial release
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
