APPLE-SA-2010-09-07-1 Safari 5.0.2 and Safari 4.1.2
- Subject: APPLE-SA-2010-09-07-1 Safari 5.0.2 and Safari 4.1.2
- From: Apple Product Security <email@hidden>
- Date: Tue, 7 Sep 2010 15:44:04 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2010-09-07-1 Safari 5.0.2 and Safari 4.1.2

Safari 5.0.2 and Safari 4.1.2 are now available and address the
following:

Safari
CVE-ID: CVE-2010-1805
Available for: Windows 7, Vista, XP SP2 or later
Impact: Opening a file in a directory that is writable by other
users may lead to arbitrary code execution
Description: A search path issue exists in Safari. When displaying
the location of a downloaded file, Safari launches Windows Explorer
without specifying a full path to the executable. Launching Safari by
opening a file in a specific directory will include that directory in
the search path. Attempting to reveal the location of a downloaded
file may execute an application contained in that directory, which
may lead to arbitrary code execution. This issue is addressed by
using an explicit search path when launching Windows Explorer. This
issue does not affect Mac OS X systems. Credit to Simon Raner of
ACROS Security for reporting this issue.

WebKit
CVE-ID: CVE-2010-1807
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: An input validation issue exists in WebKit's handling
of floating point data types. Visiting a maliciously crafted website
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved validation of
floating point values. Credit to Luke Wagner of Mozilla for reporting
this issue.

WebKit
CVE-ID: CVE-2010-1806
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of
elements with run-in styling. Visiting a maliciously crafted website
may lead to an unexpected application termination or arbitrary code
execution. This issue is addressed through improved handling of
object pointers. Credit to wushi of team509, working with
TippingPoint's Zero Day Initiative for reporting this issue.

Safari 5.0.2 and Safari 4.1.2 address the same set of security
issues. Safari 5.0.2 is provided for Mac OS X v10.5, Mac OS X v10.6,
and Windows systems. Safari 4.1.2 is provided for
Mac OS X v10.4 systems.

Safari 5.0.2 is available via the Apple Software Update
application, or Apple's Safari download site at:
http://www.apple.com/safari/download/

Safari 4.1.2 is available via the Apple Software Update
application, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

Safari for Mac OS X v10.6.2 and later
The download file is named: Safari5.0.2SnowLeopard.dmg
Its SHA-1 digest is: 695730a04038240c340571abf62c08f1ad5a8a5c

Safari for Mac OS X v10.5.8
The download file is named: Safari5.0.2Leopard.dmg
Its SHA-1 digest is: 3b71a553b53b8c22e0f4f21842f500ef5d6ed0e7

Safari for Mac OS X v10.4.11
The download file is named: Safari4.1.2Tiger.dmg
Its SHA-1 digest is: 35aafd64b4a74115469bc83dc390857b896197a3

Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: 2ee92f29599b4bc554f9820171ad03398a15577b

Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: a3418d1a4199bcc308c059b7c2caf14a20277ebb

Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 0036cb2c832bed516c3df14f01772a3906c25270

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
-----END PGP SIGNATURE-----
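
Added example, not part of Apple's advisory: a small model of the
CVE-2010-1805 search path issue described above, showing why an unqualified
"explorer.exe" resolves differently depending on the current directory and
why a fully qualified path does not. It assumes the documented CreateProcess
search order for a name with no directory part (the advisory does not say
which launch API Safari used); the directory layout, user name and function
names are constructed for illustration.

```python
import os
import tempfile

def search_order(app_dir, cwd, system32, windows_dir, path_dirs=()):
    # Documented CreateProcess order for a name with no directory part
    # (the legacy 16-bit system directory is left out of this model).
    return [app_dir, cwd, system32, windows_dir, *path_dirs]

def resolve(name, order):
    # The first directory in the order that holds the file wins.
    for directory in order:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None

def audit(name, order, trusted_dirs):
    # Report what would run and whether it lives in a trusted directory.
    hit = resolve(name, order)
    return hit, hit is not None and os.path.dirname(hit) in trusted_dirs

def build_sample_tree(root):
    # Constructed layout: install dir, system dirs, a home dir, a shared dir.
    layout = {"app": ("Program Files", "Safari"), "windows": ("Windows",),
              "system32": ("Windows", "System32"),
              "home": ("Users", "alice"), "share": ("share",)}
    dirs = {key: os.path.join(root, *parts) for key, parts in layout.items()}
    for directory in dirs.values():
        os.makedirs(directory, exist_ok=True)
    for owner in ("windows", "share"):  # the real Explorer and a planted copy
        open(os.path.join(dirs[owner], "explorer.exe"), "w").close()
    return dirs

def demo():
    with tempfile.TemporaryDirectory() as root:
        d = build_sample_tree(root)
        trusted = {d["system32"], d["windows"]}
        def order(cwd):
            return search_order(d["app"], cwd, d["system32"], d["windows"])
        normal = audit("explorer.exe", order(d["home"]), trusted)
        planted = audit("explorer.exe", order(d["share"]), trusted)
        # The fix: a fully qualified path involves no directory search at all.
        fixed = os.path.join(d["windows"], "explorer.exe")
        return {"normal_trusted": normal[1], "planted_trusted": planted[1],
                "planted_from_share": planted[0].startswith(d["share"]),
                "fixed_trusted": os.path.dirname(fixed) in trusted}

if __name__ == "__main__":
    print(demo())
```

The same audit function can be pointed at any launcher that passes a bare
executable name: a resolved path outside the trusted set is the condition
the fix removes.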