APPLE-SA-2010-06-07-1 Safari 5.0 and Safari 4.1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Safari 5.0 and Safari 4.1 are now available and address the following:

ColorSync
CVE-ID: CVE-2009-1726
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of images with an embedded ColorSync profile. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved validation of ColorSync profiles. Credit to Chris Evans of the Google Security Team, and Andrzej Dyjak for reporting this issue.

Safari
CVE-ID: CVE-2010-1384
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: A maliciously crafted URL may be obfuscated, making phishing attacks more effective
Description: Safari supports the inclusion of user information in URLs, which allows the URL to specify a username and password to authenticate the user to the named server. These URLs are often used to confuse users, which can potentially aid phishing attacks. Safari is updated to display a warning before navigating to an HTTP or HTTPS URL containing user information. Credit to Abhishek Arya of Google, Inc. for reporting this issue.
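Added example (not part of Apple's advisory and not Safari's code): a link check in the spirit of the CVE-2010-1384 warning, reporting the host an HTTP or HTTPS URL really targets when user information precedes it. The function names and the sample URLs are constructed for illustration.

```javascript
// Added illustration: flag http(s) URLs that carry user information.
// Relies only on the WHATWG URL parser built into Node.js and browsers.

function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s; // malformed percent-escape: report it undecoded
  }
}

// Returns null when no warning is needed; otherwise the facts a warning
// dialog or a mail/link scanner should put in front of the user.
function userInfoWarning(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return null; // not an absolute URL, nothing to navigate to
  }
  // The advisory's warning covers HTTP and HTTPS URLs only.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (url.username === "" && url.password === "") return null;

  const username = safeDecode(url.username);
  return {
    realHost: url.hostname,            // where the request actually goes
    username: username,                // what the user sees before the "@"
    hasPassword: url.password !== "",
    // Heuristic (assumption of this example): a "username" containing a
    // dot reads like a host name, which is the confusing case.
    usernameLooksLikeHost: username.includes("."),
  };
}

// Constructed sample URLs on reserved example domains and addresses.
const sampleUrls = [
  "http://www.example.com@203.0.113.7/login",     // host-like user info
  "https://alice:s3cret@intranet.example.net/",   // ordinary credentials
  "https://example.com/a@b",                      // "@" in the path only
  "ftp://user:pw@files.example.net/",             // outside http/https
];

for (const u of sampleUrls) {
  console.log(u, "->", JSON.stringify(userInfoWarning(u)));
}
```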

Safari
CVE-ID: CVE-2010-1385
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in Safari's handling of PDF files. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of PDF files. Credit to Borja Marcos of Sarenet for reporting this issue.

Safari
CVE-ID: CVE-2010-1750
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in Safari's management of windows. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved window management. This issue does not affect Mac OS X systems.

WebKit
CVE-ID: CVE-2010-1388
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later
Impact: Dragging or pasting links or images may lead to an information disclosure
Description: An implementation issue exists in WebKit's handling of URLs in the clipboard. Visiting a maliciously crafted website and dragging or pasting links or images may send files from the user's system to a remote server. This issue is addressed through additional validation of URLs in the clipboard. This issue does not affect Windows systems. Credit to Eric Seidel of Google, Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1389
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Dragging or pasting a selection may lead to a cross-site scripting attack
Description: Dragging or pasting a selection from one site to another may allow scripts contained in the selection to be executed in the context of the new site. This issue is addressed through additional validation of content before a paste or a drag and drop operation. Credit to Paul Stone of Context Information Security for reporting this issue.

WebKit
CVE-ID: CVE-2010-1390
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a website using UTF-7 encoding may lead to a cross-site scripting attack
Description: A canonicalization issue exists in WebKit's handling of UTF-7 encoded text. An HTML quoted string may be left unterminated, leading to a cross-site scripting attack or other issues. This issue is addressed by removing support for UTF-7 encoding in WebKit. Credit to Masahiro Yamada for reporting this issue.

WebKit
CVE-ID: CVE-2010-1391
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may cause files to be created in arbitrary user-writable locations
Description: A path traversal issue exists in WebKit's support for Local Storage and Web SQL databases. If accessed from an application-defined scheme containing '%2f' (/) or '%5c' (\) and '..' in the host section of the URL, a maliciously crafted website may cause database files to be created outside of the designated directory.
This issue is addressed by encoding characters that may have special meaning in pathnames. This issue does not affect sites served from http: or https: schemes. Credit: Apple.

WebKit
CVE-ID: CVE-2010-1392
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's rendering of HTML buttons. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management. Credit to Matthieu Bonetti of VUPEN Vulnerability Research Team for reporting this issue.

WebKit
CVE-ID: CVE-2010-1393
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an information disclosure
Description: An information disclosure issue exists in WebKit's handling of Cascading Stylesheets. If a stylesheet's HREF attribute is set to a URL that causes a redirection, scripts on the page may be able to access the redirected URL. Visiting a maliciously crafted website may lead to the disclosure of sensitive URLs on another site. This issue is addressed by returning the original URL to scripts, rather than the redirected URL.

WebKit
CVE-ID: CVE-2010-1119
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of attribute manipulation. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to Ralf Philipp Weinmann working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1394
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: A design issue exists in WebKit's handling of HTML document fragments. The contents of HTML document fragments are processed before a fragment is actually added to a document. Visiting a maliciously crafted website could lead to a cross-site scripting attack if a legitimate website attempts to manipulate a document fragment containing untrusted data. This issue is addressed by ensuring that initial fragment parsing has no side effects on the document that created the fragment. Credit to Eduardo Vela Nava (sirdarckcat) of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1422
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Interacting with a maliciously crafted website may result in unexpected actions on other sites
Description: An implementation issue exists in WebKit's handling of keyboard focus. If the keyboard focus changes during the processing of key presses, WebKit may deliver an event to the newly-focused frame, instead of the frame that had focus when the key press occurred. A maliciously crafted website may be able to manipulate a user into taking an unexpected action, such as initiating a purchase. This issue is addressed by preventing the delivery of key press events if the keyboard focus changes during processing. Credit to Michal Zalewski of Google, Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1395
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a malicious site may lead to a cross-site scripting attack
Description: A scope management issue exists in WebKit's handling of DOM constructor objects. Visiting a malicious site may lead to a cross-site scripting attack. This issue is addressed through improved handling of DOM constructor objects. Credit to Gianni "gf3" Chiappetta of Runlevel6 for reporting this issue.

WebKit
CVE-ID: CVE-2010-1396
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of the removal of container elements.
Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1397
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's rendering of a selection when the layout changes. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of selections. Credit to wushi&Z of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1398
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of ordered list insertions. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of list insertions. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1399
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in WebKit's handling of selection changes on form input elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of selections. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1400
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of caption elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of caption elements. Credit to regenrecht working with iDefense for reporting this issue.

WebKit
CVE-ID: CVE-2010-1401
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of the ':first-letter' pseudo-element in cascading stylesheets.
Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of the ':first-letter' pseudo-element. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1402
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A double free issue exists in WebKit's handling of event listeners in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of SVG documents. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1403
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in WebKit's handling of 'use' elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of 'use' elements in SVG documents. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative, for reporting this issue.

WebKit
CVE-ID: CVE-2010-1404
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of SVG documents with multiple 'use' elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of 'use' elements in SVG documents. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1410
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of nested 'use' elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of nested 'use' elements in SVG documents. Credit to Aki Helin of OUSPG for reporting this issue.

WebKit
CVE-ID: CVE-2010-1749
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of CSS run-ins.
Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of CSS run-ins. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1405
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of HTML elements with custom vertical positioning. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to Ojan Vafai of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1406
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting an HTTPS site which redirects to an HTTP site may lead to an information disclosure
Description: When WebKit is redirected from an HTTPS site to an HTTP site, the Referer header is passed to the HTTP site. This can lead to the disclosure of sensitive information contained in the URL of the HTTPS site. This issue is addressed by not passing the Referer header when an HTTPS site redirects to an HTTP site. Credit to Colin Percival of Tarsnap for reporting this issue.
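Added example (not part of Apple's advisory and not WebKit's code): the Referer rule described for CVE-2010-1406 applied along a redirect chain, plus a check that finds the same leak in captured request records. The function names, the "withheld stays withheld" choice and all URLs are assumptions constructed for illustration.

```javascript
// Added illustration of "no Referer on an HTTPS to HTTP redirect".

function schemeOf(u) {
  return new URL(u).protocol; // e.g. "https:"
}

// Which Referer (if any) may accompany the request to `target`?
function refererFor(referer, target) {
  if (referer === null) return null;
  const downgrade =
    schemeOf(referer) === "https:" && schemeOf(target) !== "https:";
  return downgrade ? null : referer;
}

// Walk a redirect chain. Assumption of this example: once the header has
// been withheld at a downgrade it stays withheld for the remaining hops.
function refererAlongChain(initialReferer, chain) {
  let referer = initialReferer;
  return chain.map((target) => {
    referer = refererFor(referer, target);
    return { target: target, referer: referer };
  });
}

// Detection side: given captured requests ({url, referer}), return those
// where a cleartext request carried the URL of an HTTPS page.
function findDowngradeLeaks(requests) {
  return requests.filter((r) => {
    if (!r.referer) return false;
    try {
      return schemeOf(r.url) === "http:" && schemeOf(r.referer) === "https:";
    } catch (e) {
      return false; // unparsable record, nothing to conclude
    }
  });
}

// Constructed sample: an HTTPS page whose URL holds a secret, followed by a
// redirect chain that drops to HTTP at the second hop.
const startPage = "https://portal.example.com/reset?token=CONSTRUCTED-TOKEN";
const chain = [
  "https://go.example.net/out?id=7",
  "http://ads.example.org/landing",
  "https://ads.example.org/landing",
];
console.log(refererAlongChain(startPage, chain));

// Constructed proxy-log records, as an unpatched client would produce them.
const captured = [
  { url: "https://go.example.net/out?id=7", referer: startPage },
  { url: "http://ads.example.org/landing", referer: startPage },
  { url: "http://ads.example.org/style.css", referer: "http://ads.example.org/landing" },
];
console.log(findDowngradeLeaks(captured));
```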

WebKit
CVE-ID: CVE-2010-1408
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may result in sending remotely specified data to arbitrary TCP ports
Description: An integer truncation issue exists in WebKit's handling of requests to non-default TCP ports. Visiting a maliciously crafted website may result in sending remotely specified data to arbitrary TCP ports. This issue is addressed by ensuring that port numbers are within the valid range.

WebKit
CVE-ID: CVE-2010-1409
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may allow remotely specified data to be sent to an IRC server
Description: Common IRC service ports are not included in WebKit's port blacklist. Visiting a maliciously crafted website may allow remotely specified data to be sent to an IRC server. This may cause the server to take unintended actions on the user's behalf. This issue is addressed by adding the affected ports to WebKit's port blacklist.

WebKit
CVE-ID: CVE-2010-1412
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of hover events. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of hover events.
Credit to Dave Bowker of davebowker.com for reporting this issue.

WebKit
CVE-ID: CVE-2010-1413
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: A user's NTLM credentials may be exposed to a man in the middle attacker
Description: In certain circumstances, WebKit may send NTLM credentials in plain text. This would allow a man in the middle attacker to view the NTLM credentials. This issue is addressed through improved handling of NTLM credentials. Credit: Apple.

WebKit
CVE-ID: CVE-2010-1414
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of the removeChild DOM method. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of child element removal. Credit to Mark Dowd of Azimuth Security for reporting this issue.

WebKit
CVE-ID: CVE-2010-1415
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An API abuse issue exists in WebKit's handling of libxml contexts. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of libxml context objects.
Credit to Aki Helin of OUSPG for reporting this issue.

WebKit
CVE-ID: CVE-2010-1416
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may disclose images from other sites
Description: A cross-site image capture issue exists in WebKit. By using a canvas with an SVG image pattern, a maliciously crafted website may load and capture an image from another website. This issue is addressed by restricting the reading of canvases that contain patterns loaded from other websites. Credit to Chris Evans of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1417
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's rendering of CSS-styled HTML content with multiple :after pseudo-selectors. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved rendering of HTML content. Credit to wushi of team509 for reporting this issue.

WebKit
CVE-ID: CVE-2010-1418
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: An input validation issue exists in WebKit's handling of the src attribute of the frame element. An attribute with a javascript scheme and leading spaces is considered valid.
Visiting a maliciously crafted website could lead to a cross-site scripting attack. This update addresses the issue by properly validating frame.src before the URL is dereferenced. Credit to Sergey Glazunov for reporting this issue.

WebKit
CVE-ID: CVE-2010-1419
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of drag and drop when the window acting as a source of a drag operation is closed before the drag operation is completed. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management. Credit to kuzzcc, and Skylined of Google Chrome Security Team for reporting this issue.

WebKit
CVE-ID: CVE-2010-1421
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may change the contents of the clipboard
Description: A design issue exists in the implementation of the JavaScript function execCommand. A maliciously crafted web page can modify the contents of the clipboard without user interaction. This issue is addressed by only allowing clipboard commands to be executed if initiated by the user. Credit: Apple.
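Added example (not part of Apple's advisory and not WebKit's code), referring back to the frame.src entry, CVE-2010-1418: a scheme check that inspects the raw attribute string beside one that first normalises it the way a URL parser does. The function names and the same-origin policy in mayAssignFrameSrc are assumptions of this example; the inputs are constructed and inert.

```javascript
// Added illustration: validate a frame "src" value before it is dereferenced.

// Weak form: looks only at the raw string, so leading whitespace hides
// the scheme from the check while a URL parser would still honour it.
function naiveIsScriptUrl(value) {
  return String(value).toLowerCase().startsWith("javascript:");
}

// Hardened form: apply the same clean-up a URL parser applies before it
// reads the scheme, then compare the scheme case-insensitively.
function isScriptUrl(value) {
  const cleaned = String(value)
    // strip leading and trailing C0 control characters and spaces
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    // remove ASCII tab and newline characters anywhere in the string
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m !== null && m[1].toLowerCase() === "javascript";
}

// Hypothetical policy for this example: a script URL may only be assigned
// to a frame by a caller that is same-origin with that frame.
function mayAssignFrameSrc(value, callerIsSameOrigin) {
  if (isScriptUrl(value)) return callerIsSameOrigin;
  return true;
}

// Constructed inputs; "void(0)" is a no-op expression.
const candidates = [
  "javascript:void(0)",
  " javascript:void(0)",          // leading space, as in the advisory
  "\tJavaScript:void(0)",         // leading tab and mixed case
  "java\nscript:void(0)",         // newline inside the scheme
  "https://example.com/javascript:x",
  "javascript.html",              // relative URL, no scheme at all
];

function compareChecks(values) {
  return values.map((v) => ({
    value: JSON.stringify(v),
    naive: naiveIsScriptUrl(v),
    hardened: isScriptUrl(v),
  }));
}

console.table(compareChecks(candidates));
```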

WebKit
CVE-ID: CVE-2010-0544
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may result in a cross-site scripting attack
Description: An issue in WebKit's handling of malformed URLs may result in a cross-site scripting attack when visiting a maliciously crafted website. This issue is addressed through improved handling of URLs. Credit to Michal Zalewski of Google, Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1758
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of DOM Range objects. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of DOM Range objects. Credit to Yaar Schnitman of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1759
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of the Node.normalize method. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of the Node.normalize method. Credit to Mark Dowd for reporting this issue.

WebKit
CVE-ID: CVE-2010-1761
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's rendering of HTML document subtrees. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved rendering of HTML document subtrees. Credit to James Robinson of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1762
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: A design issue exists in the handling of HTML contained in textarea elements. Visiting a maliciously crafted website may lead to a cross-site scripting attack. This issue is addressed through improved validation of textarea elements. Credit to Eduardo Vela Nava (sirdarckcat) of Google Inc. for reporting this issue.

WebKit
CVE-ID: CVE-2010-1764
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a website which redirects form submissions may lead to an information disclosure
Description: A design issue exists in WebKit's handling of HTTP redirects. When a form submission is redirected to a website that also does a redirection, the information contained in the submitted form may be sent to the third site. This issue is addressed through improved handling of HTTP redirects.
Credit to Marc Worrell of WhatWebWhat for reporting this issue.

WebKit
CVE-ID: CVE-2010-1770
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A type checking issue exists in WebKit's handling of text nodes. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved type checking. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
CVE-ID: CVE-2010-1771
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of fonts. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of fonts. Credit: Apple.

WebKit
CVE-ID: CVE-2010-1774
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An out of bounds memory access issue exists in WebKit's handling of HTML tables. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
This issue is addressed through improved bounds checking. Credit to wushi of team509 for reporting this issue.

WebKit
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: A maliciously crafted website may be able to determine which sites a user has visited
Description: A design issue exists in WebKit's handling of the CSS :visited pseudo-class. A maliciously crafted website may be able to determine which sites a user has visited. This update limits the ability of web pages to style pages based on whether links are visited.

Safari 5.0 and Safari 4.1 address the same set of security issues. Safari 5.0 is provided for Mac OS X v10.5, Mac OS X v10.6, and Windows systems. Safari 4.1 is provided for Mac OS X v10.4 systems.

Safari 5.0 is available via the Apple Software Update application, or Apple's Safari download site at:
http://www.apple.com/safari/download/

Safari 4.1 is available via the Apple Software Update application, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

Safari for Mac OS X v10.6.2 and later
The download file is named: Safari5.0SnowLeopard.dmg
Its SHA-1 digest is: 921b66239e2c3be4f8a1f292f958250fb420c542

Safari for Mac OS X v10.5.8
The download file is named: Safari5.0Leopard.dmg
Its SHA-1 digest is: 2ba8f4e26ad7470bcfd36bdc558bb8c42460621b

Safari for Mac OS X v10.4.11
The download file is named: Safari4.1Tiger.dmg
Its SHA-1 digest is: 1f23f23f2c3e7b702b51abef593c12940299b73e

Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: e56d5d79d9cfbb85ac46ac78aa497d7f3d8dbc3d

Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: 735b6ec49c4f8eb12a842d2a9c5e7102d8c7bac3

Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 86e6ff58d81c0c81c6c7155346f96251acb6df93

Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at:
https://www.apple.com/support/security/pgp/
Apple Product Security
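To check a downloaded installer against the SHA-1 digests listed in the advisory above, the following added example (not part of Apple's advisory and not an Apple tool) streams each file through SHA-1 and compares the result with the listed value for that file name. The function names `sha1_of_file` and `check_download` are hypothetical; the file names and digests are copied from the advisory's download list.

```python
import hashlib
import hmac
import os
import sys

# File names and SHA-1 digests copied from the advisory's download list.
ADVISORY_SHA1 = {
    "Safari5.0SnowLeopard.dmg": "921b66239e2c3be4f8a1f292f958250fb420c542",
    "Safari5.0Leopard.dmg": "2ba8f4e26ad7470bcfd36bdc558bb8c42460621b",
    "Safari4.1Tiger.dmg": "1f23f23f2c3e7b702b51abef593c12940299b73e",
    "SafariSetup.exe": "e56d5d79d9cfbb85ac46ac78aa497d7f3d8dbc3d",
    "Safari_Setup.exe": "735b6ec49c4f8eb12a842d2a9c5e7102d8c7bac3",
    "SafariQuickTimeSetup.exe": "86e6ff58d81c0c81c6c7155346f96251acb6df93",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-1 so large installers are not loaded into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_download(path, expected=None):
    """Return (status, actual); status is 'match', 'mismatch' or 'unlisted'.

    The expected digest is looked up by file name unless passed explicitly
    (hypothetical helper, written for this example).
    """
    if expected is None:
        expected = ADVISORY_SHA1.get(os.path.basename(path))
    if expected is None:
        return "unlisted", None  # renamed file, or not covered by this advisory
    actual = sha1_of_file(path)
    # Normalise case and whitespace picked up by copy-paste before comparing.
    same = hmac.compare_digest(actual, expected.strip().lower())
    return ("match" if same else "mismatch"), actual


if __name__ == "__main__":
    exit_code = 0
    for name in sys.argv[1:]:
        status, actual = check_download(name)
        print(f"{status:9} {actual or '-':40} {name}")
        if status != "match":
            exit_code = 1  # non-zero exit lets a deployment script stop here
    sys.exit(exit_code)
```

Run it with one or more downloaded file paths as arguments; a file that has been renamed reports `unlisted` unless the expected digest is passed to `check_download` directly.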