Multiple vulnerabilities have been identified in Apple Safari, which could be exploited by attackers to disclose sensitive information, bypass security restrictions, cause a denial of service or compromise an affected system.
The first issue is caused by an error in CFNetwork when identifying the file type of certain local image files, which could be exploited to execute malicious JavaScript in the local security context by tricking a user into downloading and opening a malicious image.
The second vulnerability is caused by CFNetwork creating temporary files insecurely when downloading files, which could allow a malicious local user to read another user's files while they are being downloaded.
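The underlying mistake in this class of bug is a download file created under a predictable name with default permissions in a location other users can reach. The following Python is an added illustration written for this page, not Apple or CFNetwork code: the directory names, the file name and the sample payload are constructed, and the "shared" directory stands in for a world-writable location such as /tmp. It shows the vulnerable pattern beside the hardened one and checks what another local user could read.

```python
import os
import shutil
import stat
import tempfile

# Constructed payload standing in for the bytes of a file being downloaded.
SAMPLE_DOWNLOAD = b"%PDF-1.4 sample bytes (constructed for this example)"


def insecure_temp_download(shared_dir, filename, data):
    """Vulnerable pattern: predictable name in a shared directory, default mode.

    The umask is forced to 022 here so the example is deterministic; that is
    the usual default and yields a 0644 file. Every local user can therefore
    read the download while it is still being written, and because the name
    is guessable another user can pre-create or symlink it to capture or
    redirect the data.
    """
    path = os.path.join(shared_dir, filename + ".download")
    old_umask = os.umask(0o022)
    try:
        with open(path, "wb") as f:
            f.write(data)
    finally:
        os.umask(old_umask)
    return path


def secure_temp_download(private_dir, data):
    """Hardened pattern: mkstemp() inside a directory owned by the user.

    mkstemp() opens with O_CREAT|O_EXCL and mode 0600: the name is
    unpredictable, a pre-existing file or symlink at that name makes the
    open fail instead of being followed, and only the owner can read the
    result. private_dir should itself be mode 0700 (mkdtemp() does that).
    """
    fd, path = tempfile.mkstemp(prefix=".download-", dir=private_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def readable_by_others(path):
    """True if the group or world read bit is set on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def demo():
    """Create one file each way, record what another local user could see,
    then clean up. Returns a dict so the outcome can be checked."""
    shared = tempfile.mkdtemp(prefix="shared-")    # stand-in for /tmp
    private = tempfile.mkdtemp(prefix="private-")  # created with mode 0700
    try:
        bad = insecure_temp_download(shared, "report.pdf", SAMPLE_DOWNLOAD)
        good = secure_temp_download(private, SAMPLE_DOWNLOAD)
        return {
            "insecure_name": os.path.basename(bad),
            "insecure_readable_by_others": readable_by_others(bad),
            "secure_name": os.path.basename(good),
            "secure_readable_by_others": readable_by_others(good),
        }
    finally:
        shutil.rmtree(shared, ignore_errors=True)
        shutil.rmtree(private, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check to apply in a code review is the combination of all three properties: unpredictable name, exclusive create, and owner-only mode. Fixing only the mode still leaves a symlink race, and fixing only the name still leaves the file readable by everyone on the machine.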
The third issue is caused by memory corruption and integer overflow errors in CoreGraphics when processing malformed data, TrueType fonts, or PDF files, which could be exploited to crash an affected browser or execute arbitrary code.
The fourth vulnerability is caused by an uninitialized pointer in ImageIO when handling PNG images, which could be exploited to execute arbitrary code.
The fifth issue is caused by an implementation error in ICU when handling certain character encodings, which could be exploited to bypass cross-site scripting filters that decode the same bytes differently from the browser.
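The mechanism behind an encoding-based filter bypass is two decoders disagreeing about how many bytes an ill-formed sequence consumes. The following Python is an added illustration written for this page, not ICU's or Safari's code: the payload bytes, the "skipping" converter model, and the filters are all constructed to show the class of bug, and are not the specific byte sequences involved in the Safari issue. A strict decoder (current Unicode guidance, which Python's codec follows) turns a stray lead byte into U+FFFD and keeps the ASCII after it; the modelled legacy converter lets the lead byte claim the following bytes and drops the whole ill-formed sequence, so the ASCII disappears and a tag the filter never saw appears.

```python
# Constructed payload: 0xE0 announces a three-byte UTF-8 sequence, but the two
# bytes that follow ("XX") are plain ASCII, so the sequence is ill-formed.
PAYLOAD = b"<\xe0XXscript>alert(1)</\xe0XXscript>"


def decode_strict(data: bytes) -> str:
    """Decoder following current Unicode guidance: an ill-formed lead byte
    becomes U+FFFD on its own and decoding resumes at the next byte, so the
    ASCII that follows it is preserved."""
    return data.decode("utf-8", errors="replace")


def decode_legacy_skip(data: bytes) -> str:
    """Model of an older converter policy (constructed, not ICU's code): a
    lead byte claims the number of continuation bytes its form announces, and
    an ill-formed sequence is skipped together with the bytes it claimed, so
    ASCII after a stray lead byte silently disappears."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        if 0xC2 <= b <= 0xDF:
            need = 1
        elif 0xE0 <= b <= 0xEF:
            need = 2
        elif 0xF0 <= b <= 0xF4:
            need = 3
        else:
            i += 1            # stray continuation byte or illegal byte: dropped
            continue
        chunk = data[i:i + 1 + need]
        try:
            out.append(chunk.decode("utf-8"))   # well-formed: decode normally
        except UnicodeDecodeError:
            pass                                # ill-formed: whole chunk dropped
        i += 1 + need
    return "".join(out)


DANGEROUS = ("<script", "javascript:", "onerror=")


def naive_filter_allows(data: bytes) -> bool:
    """Filter that decodes strictly and looks for known-bad substrings.
    It passes PAYLOAD because the text it sees is '<\ufffdXXscript>...'."""
    text = decode_strict(data).lower()
    return not any(marker in text for marker in DANGEROUS)


def legacy_browser_sees_script(data: bytes) -> bool:
    """What a consumer using the skipping converter ends up parsing."""
    return "<script" in decode_legacy_skip(data).lower()


def hardened_filter_allows(data: bytes) -> bool:
    """Reject any input that is not well-formed in the declared encoding
    before filtering; then every decoder necessarily produces the same text."""
    try:
        text = data.decode("utf-8").lower()
    except UnicodeDecodeError:
        return False
    return not any(marker in text for marker in DANGEROUS)


if __name__ == "__main__":
    print("filter sees     :", repr(decode_strict(PAYLOAD)))
    print("legacy browser  :", repr(decode_legacy_skip(PAYLOAD)))
    print("naive allows    :", naive_filter_allows(PAYLOAD))
    print("hardened allows :", hardened_filter_allows(PAYLOAD))
```

The practical rule this demonstrates: a filter cannot be correct for bytes the browser will interpret under a different policy, so either reject ill-formed input outright or normalise it with exactly the converter the consumer uses before any substring or parser check runs.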
The sixth vulnerability is caused by errors in libxml. For additional information, see: VUPEN/ADV-2008-2419 - VUPEN/ADV-2008-3176
The seventh issue is caused by an error in the handling of Extended Validation (EV) certificates, which could be exploited to bypass the revocation-check warning.
The eighth vulnerability is caused by an implementation error in the Private Browsing feature, which may leave cookies on disk after Private Browsing ends, potentially disclosing sensitive information.
The ninth weakness is caused by the "Reset" button for "Reset saved names and passwords" in the "Reset Safari..." menu option taking up to 30 seconds to clear the passwords, which could allow a user with access to the system within that window to retrieve the stored credentials.
The tenth vulnerability is caused by an error in the open-help-anchor URL handler, which may allow a maliciously crafted website to open local help files, leading to the disclosure of sensitive information or arbitrary code execution.
The eleventh issue is caused by the Safari Windows installer causing Safari to run with elevated privileges on its initial launch.
The twelfth vulnerability is caused by input validation, design, type conversion, memory corruption, uninitialized pointer, use-after-free and uninitialized memory access errors in WebKit, which could be exploited to disclose sensitive information, read arbitrary files, bypass security restrictions and the same-origin policy, spoof browser UI elements, conduct cross-site scripting and forgery attacks, or compromise a vulnerable system. For additional information, see: VUPEN/ADV-2006-2106 - VUPEN/ADV-2008-2094 - VUPEN/ADV-2008-2268 - VUPEN/ADV-2008-2525 - VUPEN/ADV-2008-3232
Affected Products
Apple Safari versions prior to 4.0
Solution
Upgrade to Apple Safari version 4.0:
http://support.apple.com/kb/HT3613
References
http://www.vupen.com/english/advisories/2009/1522
http://support.apple.com/kb/HT3613
Credits
Vulnerabilities reported by Sergio shadown Alvarez (Recurity Labs), Billy Rios (Microsoft Vulnerability Research), Michal Zalewski (Google), Clint Ruoho (Laconic Security), Tavis Ormandy (Google Security Team), Will Dormann (CERT/CC), Chris Weber (Casaba Security), Bruce Morton, Michael Hay (Beatnik Monkey Software), Philippe Couturier (izypage.com), Andrew Wellington (Australian National University), Dave English (Lutnos), Thomas Raffetseder (International Secure Systems Lab), Dean McNamee (Google), Haifei Li (Fortinet FortiGuard Global Security Research Team), Jesse Ruderman (Mozilla Corporation), SkyLined (Google), Adam Barth (UC Berkeley), Collin Jackson (Stanford University), wushi & ling (team509) via iDefense Labs, Chris Evans (Google), Feng Qian (Google), Amit Klein (Trusteer), Per von Zweigbergk, Thierry Zoller via ZDI, Robert Swiecki (Google Security Team), Joel Weinberger (UC Berkeley), Dino Dai Zovi, ZDI, Pengsu Cheng (Wuhan University) and Eric Seidel (Google).
ChangeLog
2009-06-09 : Initial release