March 18, 2008 11:56 AM PDT

Safari 3.1 update fixes 13 security flaws

Apple on Tuesday released Safari 3.1 for users on Mac OS X and Windows. Along with new features are 13 security updates for the Safari browser, WebCore, and WebKit. Most of the vulnerabilities address cross-site scripting flaws. A cross-site scripting attack can inject malicious code onto a victim's computer, usually via a script tag appended to a specially formed URL. The Security Update APPLE-SA-2008-03-18 can be downloaded and installed from Apple Downloads, or you can simply download the new version of Safari 3.1 directly.

Safari--certificate validation
This patch only affects users of Safari on Windows XP or Vista. The update addresses a certificate validation vulnerability in CVE-2007-4680. A remote attacker may be able to cause a certificate to appear trusted. According to Apple, "a man-in-the-middle attacker may be able to direct the user to a legitimate site with a valid SSL certificate, then re-direct the user to a spoofed web site that incorrectly appears to be trusted. This could allow user credentials or other information to be collected." Apple notes that this issue does not affect systems prior to Mac OS X v10.5. Apple credits Marko Karppinen, Petteri Kamppuri, and Nikita Zhuk of MK&C for reporting this vulnerability.

Safari--malicious proxy server
This patch affects users of Safari running on Windows XP or Vista. The update addresses a malicious proxy server vulnerability in CVE-2008-0050. A removed application may still be launched via the Time Machine backup. Apple says "a malicious HTTPS proxy server may return arbitrary data to CFNetwork in a 502 Bad Gateway error, which could allow a secure website to be spoofed. This update addresses the issue by returning an error on any proxy error, instead of returning the proxy-supplied data." Apple also says that this issue has been addressed within Mac OS X 10.5.2, and in Security Update 2008-002 for Mac OS X 10.4.11 systems.
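
The fix Apple describes for the proxy issue can be modelled in a few lines. The following is an added illustration, not CFNetwork code and not part of the original article; the function names, the `bank.example` origin, and the sample proxy replies are all constructed, and the "before" function is a simplified model of the behaviour Apple's note describes.

```python
# Added illustration; not CFNetwork code. All names here are hypothetical.

class ProxyError(Exception):
    """Raised when the proxy refuses or fails the CONNECT tunnel."""


def parse_connect_reply(raw: bytes):
    """Split a proxy's reply to CONNECT into (status_code, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ProxyError("malformed proxy reply")
    return int(parts[1]), body


def load_before_fix(origin: str, raw: bytes) -> dict:
    """Pre-fix model: proxy-supplied data is handed on as the response
    for the https:// origin the user asked for."""
    status, body = parse_connect_reply(raw)
    return {"origin": origin, "status": status, "content": body}


def load_after_fix(origin: str, raw: bytes) -> dict:
    """Post-fix model: any proxy error is an error and the proxy's body
    is discarded. A 2xx reply only means the tunnel is open; content must
    then come from the TLS session (not modelled here)."""
    status, _discarded = parse_connect_reply(raw)
    if not 200 <= status < 300:
        raise ProxyError(f"proxy returned {status} for CONNECT to {origin}")
    return {"origin": origin, "status": status, "content": None}


# Constructed samples: the 502 body was never authenticated by TLS.
SAMPLE_502 = (b"HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/html\r\n\r\n"
              b"<form action='/login'>proxy-authored page</form>")
SAMPLE_200 = b"HTTP/1.1 200 Connection established\r\n\r\n"


def demo():
    """Return (content shown before the fix, outcome after the fix)."""
    before = load_before_fix("https://bank.example", SAMPLE_502)
    try:
        load_after_fix("https://bank.example", SAMPLE_502)
        after = "rendered"
    except ProxyError:
        after = "error"
    return before["content"], after
```

The point for anyone reviewing an HTTPS client is that nothing a proxy sends before the TLS handshake completes is attributable to the destination site, so it must never be displayed under that site's origin.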

Safari--cross-site scripting 1
This patch only affects users of Safari on Windows XP or Vista and addresses a cross-site scripting vulnerability in CVE-2008-1001. Apple says "by enticing a user to open a maliciously crafted URL, an attacker may cause the disclosure of sensitive information. This update addresses the issue by performing additional validation of URLs." Apple credits Robert Swiecki of Google Information Security Team for reporting this issue.

Safari--cross-site scripting 2
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. The update addresses a JavaScript: URLs cross-site scripting vulnerability in CVE-2008-1002. Apple says "a cross-site scripting issue exists in the processing of JavaScript: URLs. Enticing a user to visit a maliciously crafted web page could allow the execution of JavaScript in the context of another site." Apple credits Robert Swiecki of Google Information Security Team for reporting this issue.

WebCore--document.domain
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. The update addresses a document.domain vulnerability in CVE-2008-1003. Apple says "an issue exists with the handling of web pages that have explicitly set the document.domain property. This could lead to a cross-site scripting attack in sites that set the document.domain property, or between HTTP and HTTPS sites with the same document.domain." Apple credits Adam Barth and Collin Jackson of Stanford University for reporting this issue.

WebCore--Web Inspector
This patch affects users of Mac OS X v10.5 and v10.5.1 and Mac OS X Server v10.5 and v10.5.1. The update addresses a Web Inspector vulnerability in CVE-2008-1004. Affected users may find that requesting to unblock a website leads to information disclosure. Apple says "an issue in Web Inspector allows a page being inspected to escalate its privileges by injecting script that will run in other domains and read the user's file system. This update addresses the issue by preventing JavaScript code on remote pages from being run." Apple credits Collin Jackson and Adam Barth of Stanford University for reporting this issue.

WebCore--password
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. The update addresses a password vulnerability in CVE-2008-1005. Apple says "the content of password fields on web pages is normally hidden to guard against disclosing it to others with the ability to see the display. An issue exists with the use of the Kotoeri input method, which could result in exposing the password field content on the display when reverse conversion is requested."

WebCore--window.open() function
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. The update addresses the window.open() function vulnerability in CVE-2008-1006. Apple says "the window.open() function may be used to change the security context of a webpage to the caller's context. Enticing a user to open a maliciously crafted page could allow an arbitrary script to be executed in the user's security context." Apple credits Adam Barth and Collin Jackson of Stanford University for reporting this issue.

WebCore--frame navigation policy
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista and addresses the frame navigation policy vulnerability in CVE-2008-1007. Apple says visiting a maliciously crafted website with Java enabled may result in cross-site scripting. Apple says "by enticing a user to open a maliciously crafted web page, an attacker may obtain elevated privileges through a cross-site scripting attack using Java." Apple credits Adam Barth and Collin Jackson of Stanford University for reporting this vulnerability.

WebCore--document.domain
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. The update addresses a document.domain vulnerability in CVE-2008-1008. Apple says "a cross-site scripting issue exists in Safari's handling of the document.domain property. Enticing a user to visit a maliciously crafted web page may lead to the disclosure of sensitive information."

WebCore--JavaScript injection
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. The update addresses a JavaScript injection vulnerability in CVE-2008-1009. Apple says "JavaScript injection issue exists in the handling of the history object. This may allow frames to set history object properties in all other frames loaded from the same web page. An attacker may leverage this issue to inject JavaScript that will run in the context of other frames, resulting in cross-site scripting."

WebKit--buffer overflow
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. The update addresses the vulnerability in CVE-2008-0010. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Apple says "a buffer overflow issue exists in WebKit's handling of JavaScript regular expressions. Enticing a user to visit a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution." Apple credits Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy and Will Drewry of Google Security Team for reporting this vulnerability.

WebKit--cross-site scripting
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. The update addresses the vulnerability in CVE-2008-0011. Apple says "a cross-site scripting issue in WebKit allows method instances from one frame to be called in the context of another frame. Enticing a user to visit a maliciously crafted web page may lead to the disclosure of sensitive information." Apple credits David Bloom for reporting this vulnerability.

  • About Defense in Depth

  • With over eight years at CNET covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews with the top security researchers making the news as well as offering the hands-on, non-technical advice you'll need to stay safe online.
