DOE-CIRC TECHNICAL BULLETIN

T-208: Apple Safari Code Execution and Security Bypass Vulnerabilities

August 12, 2009 20:00 GMT

PROBLEM: Apple Safari Code Execution and Security Bypass Vulnerabilities
PLATFORM: Versions prior to Apple Safari 4.0.3 are vulnerable on:
  Mac OS X v10.4.11
  Mac OS X Server v10.4.11
  Mac OS X v10.5.7
  Mac OS X Server v10.5.7
  Windows XP and Vista
ABSTRACT: Apple has released Safari 4.0.3 for Windows and Mac OS X to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or spoof a website.

LINKS:  
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-208.shtml
  OTHER LINKS: Security Focus
http://www.securityfocus.com/bid/36022/info

Apple
http://support.apple.com/kb/HT1338
http://support.apple.com/kb/HT3733
http://support.apple.com/downloads/Safari_4_0_3

US-CERT
http://www.us-cert.gov/current/index.html#apple_releases_safari_4_02

Secure Thoughts
http://securethoughts.com/2009/08/hijacking-safari-4-top-sites-with-phish-bombs/


  CVE: CVE-2009-2468
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2468

CVE-2009-2188
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2188

CVE-2009-2196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2196

CVE-2009-2195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2195

CVE-2009-2200
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2200
CVE-2009-2199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2199

IMPACT ASSESSMENT: This risk is high. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, and obtain sensitive information.

ABSTRACT: 
Apple has released Safari 4.0.3 for Windows and Mac OS X to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or spoof a website.
 
CoreGraphics (CVE-2009-2468)
Description: A heap buffer overflow exists in the drawing of long text strings. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Will Drewry of Google Inc for reporting this issue.

ImageIO (CVE-2009-2188)
Description: A buffer overflow exists in the handling of EXIF metadata. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

Safari (CVE-2009-2196)
Description: Safari 4 introduced the Top Sites feature to provide an at-a-glance view of a user's favorite websites. It is possible for a malicious website to promote arbitrary sites into the Top Sites view through automated actions. This could be used to facilitate a phishing attack. This issue is addressed by preventing automated website visits from affecting the Top Sites list. Only websites that the user visits manually can be included in the Top Sites list. As a note, Safari enables fraudulent site detection by default. Since the introduction of the Top Sites feature, fraudulent sites are not displayed in the Top Sites view. Credit to Inferno of SecureThoughts.com for reporting this issue.

Additional information on this vulnerability with Proof of Concept can be found at http://securethoughts.com/2009/08/hijacking-safari-4-top-sites-with-phish-bombs/.


WebKit (CVE-2009-2195)
Description: A buffer overflow exists in WebKit's parsing of floating point numbers. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit: Apple.

WebKit (CVE-2009-2200)
Description: WebKit allows the pluginspage attribute of the 'embed' element to reference file URLs. Clicking "Go" in the dialog that appears when an unknown plug-in type is referenced will redirect to the URL listed in the pluginspage attribute. This may allow a remote attacker to launch file URLs in Safari, and lead to the disclosure of sensitive information. This update addresses the issue by restricting the pluginspage URL scheme to http or https. Credit to Alexios Fakos of n.runs AG for reporting this issue.
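As an added illustration of the fix described above (this is example code written for this bulletin, not Apple's or WebKit's implementation), the following Python function resolves a pluginspage attribute value against the page URL and accepts it only when the resolved scheme is http or https. The function name, the helper, and the example.test / plugins.example.test hostnames and paths are constructed for this example.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Schemes that a pluginspage value is allowed to resolve to. The bulletin
# describes the fix as restricting pluginspage to http or https; anything
# else (file:, data:, ...) is dropped so the "Go" dialog cannot navigate there.
ALLOWED_PLUGINSPAGE_SCHEMES = frozenset({"http", "https"})


def resolve_pluginspage(page_url: str, pluginspage: Optional[str]) -> Optional[str]:
    """Return the absolute URL the unknown-plug-in dialog may navigate to, or
    None when the attribute is missing, empty, or resolves to a scheme outside
    the http/https allow-list.

    The value is resolved relative to the embedding page first, so a relative
    path such as '/plugins/help.html' inherits the page's scheme and host,
    while an absolute 'file:///...' value keeps its own scheme and is rejected.
    """
    if not pluginspage:
        return None
    candidate = pluginspage.strip()
    if not candidate:
        return None

    resolved = urljoin(page_url, candidate)
    parts = urlsplit(resolved)

    # urlsplit lower-cases the scheme, so 'FILE:///...' is still caught here.
    if parts.scheme not in ALLOWED_PLUGINSPAGE_SCHEMES:
        return None
    # An http(s) URL without a host (e.g. 'http:foo') is not navigable either.
    if not parts.netloc:
        return None
    return resolved


if __name__ == "__main__":
    # Constructed sample values for a page hosted at https://example.test/
    page = "https://example.test/page.html"
    samples = [
        "http://plugins.example.test/get",   # allowed: absolute http
        "/plugins/help.html",                 # allowed: relative, inherits https
        "file:///etc/passwd",                 # rejected: file scheme
        "FILE:///C:/Windows/win.ini",         # rejected: file scheme, upper case
        "data:text/html,hello",               # rejected: data scheme
        "",                                   # rejected: empty attribute
    ]
    for value in samples:
        print(f"{value!r:40} -> {resolve_pluginspage(page, value)!r}")
```

The resolution step matters: checking the raw attribute string for a `file:` prefix would pass a relative value through unchanged, whereas resolving it first means the only way to reach a non-http(s) scheme is to spell it out, where the allow-list rejects it.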

WebKit (CVE-2009-2199)
Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by supplementing WebKit's list of known look-alike characters. Look-alike characters are rendered in Punycode in the address bar. Credit to Chris Weber of Casaba Security, LLC for reporting this issue.
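To make the look-alike problem and the Punycode display mitigation concrete, here is an added Python example (not Apple's or WebKit's code, and not WebKit's actual look-alike table). It flags a hostname label that mixes scripts, for instance a Cyrillic "а" (U+0430) inside an otherwise Latin label, and renders such a host in its Punycode (xn--) form using Python's built-in idna codec, the way the bulletin says the address bar does. The function names and the sample hostnames are constructed for this example; the mixed-script rule is a simplified heuristic, so it does not catch a label composed entirely of confusable characters from a single non-Latin script, which is why browsers keep an explicit list of known look-alike characters as the update does.

```python
import unicodedata
from typing import Set


def script_of(ch: str) -> str:
    """Coarse script name for a letter, taken from the first word of its
    Unicode character name (e.g. 'LATIN', 'CYRILLIC', 'GREEK')."""
    if not ch.isalpha():
        return "Common"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "Unknown"


def label_scripts(label: str) -> Set[str]:
    """Set of scripts used by the letters of one hostname label."""
    return {script_of(ch) for ch in label if ch.isalpha()}


def is_mixed_script(label: str) -> bool:
    """True when a single label draws letters from more than one script,
    the pattern behind 'аpple' (Cyrillic а + Latin pple)."""
    return len(label_scripts(label)) > 1


def to_punycode(host: str) -> str:
    """ASCII-compatible (xn--) form of an internationalized hostname.
    Plain ASCII labels pass through unchanged."""
    return host.encode("idna").decode("ascii")


def display_host(host: str) -> str:
    """What an address bar following the bulletin's rule would show: the
    Unicode form for hosts whose labels are each single-script, the Punycode
    form when any label mixes scripts and could be a look-alike."""
    labels = host.split(".")
    if any(is_mixed_script(label) for label in labels):
        return to_punycode(host)
    return host


if __name__ == "__main__":
    # Constructed samples: a plain ASCII host, a legitimate single-script IDN,
    # and a mixed-script look-alike built with Cyrillic а (U+0430).
    for host in ["apple.com", "m\u00fcnchen.de", "\u0430pple.com"]:
        print(f"{host!r:18} scripts={[sorted(label_scripts(l)) for l in host.split('.')]} "
              f"-> shown as {display_host(host)!r}")
```

Note that "münchen.de" stays in Unicode because its only script is Latin, while the Cyrillic/Latin mix is demoted to its xn-- form, which a user can recognise as not being the ASCII domain it resembles.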

SOLUTION:

Upgrade to Safari 4.0.3.

Apple security updates are available via the Software Update mechanism:
http://support.apple.com/kb/HT1338


Apple security updates are also available for manual download via:
http://www.apple.com/support/downloads/

DOE-CIRC wishes to acknowledge the contributions of Apple Security Updates for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:           866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788