Update your copy of the software with the download available from the supplier.
CVE-2007-4680, CVE-2008-0050, CVE-2008-1001, CVE-2008-1002, CVE-2008-1003, CVE-2008-1004, CVE-2008-1005, CVE-2008-1006, CVE-2008-1007, CVE-2008-1008, CVE-2008-1009, CVE-2008-1010, CVE-2008-1011
APPLE-SA-2008-03-18 Safari 3.1
Safari 3.1 is now available and addresses the following issues:
Safari
CVE-ID: CVE-2007-4680
Available for: Windows XP or Vista
Impact: A remote attacker may be able to cause an untrusted certificate to appear trusted
Description: An issue exists in the validation of certificates. A man-in-the-middle attacker may be able to direct the user to a legitimate site with a valid SSL certificate, then re-direct the user to a spoofed web site that incorrectly appears to be trusted. This could allow user credentials or other information to be collected.
This update addresses the issue through improved validation of certificates. This issue is addressed for Mac OS X in Security Update 2007-008, and is incorporated into Mac OS X v10.4.11 and Mac OS X v10.5 or later. Credit to Marko Karppinen, Petteri Kamppuri, and Nikita Zhuk of MK&C for reporting this issue.
Safari
CVE-ID: CVE-2008-0050
Available for: Windows XP or Vista
Impact: A malicious proxy server may spoof secure websites
Description: A malicious HTTPS proxy server may return arbitrary data to CFNetwork in a 502 Bad Gateway error, which could allow a secure website to be spoofed. This update addresses the issue by returning an error on any proxy error, instead of returning the proxy-supplied data. This issue has already been addressed in Mac OS X 10.5.2, and in Security Update 2008-002 for Mac OS X 10.4.11 systems.
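The CVE-2008-0050 fix described above, sketched as an added example (not Apple's CFNetwork code): the pre-fix handling next to the corrected one. The function names, result fields and the sample 502 reply are assumptions constructed for illustration.

```javascript
// Extract the status code from the proxy's reply to a CONNECT request.
function parseStatusLine(raw) {
  const firstLine = raw.split("\r\n", 1)[0];
  const m = /^HTTP\/1\.[01] (\d{3})(?: .*)?$/.exec(firstLine);
  return m ? Number(m[1]) : null; // null: reply is not valid HTTP
}

function isSuccess(status) {
  return status !== null && status >= 200 && status < 300;
}

// Pre-fix behaviour as the advisory describes it: on a proxy error, the
// proxy-supplied body is returned as the response for the https:// site.
function legacyHandleConnectReply(raw, targetHost) {
  const status = parseStatusLine(raw);
  if (isSuccess(status)) return { tunnel: true, target: targetHost };
  const body = raw.split("\r\n\r\n").slice(1).join("\r\n\r\n");
  return { tunnel: false, target: targetHost, renderInOrigin: body };
}

// Corrected behaviour: any proxy error becomes a locally generated error.
// The proxy's headers and body are dropped, because no TLS session with the
// target site exists yet and nothing in the reply is authenticated.
function handleConnectReply(raw, targetHost) {
  const status = parseStatusLine(raw);
  if (isSuccess(status)) return { tunnel: true, target: targetHost };
  return {
    tunnel: false,
    target: targetHost,
    error: "PROXY_CONNECT_FAILED",
    proxyStatus: status,   // kept for diagnostics only
    renderInOrigin: null,  // nothing from the proxy is shown for the site
  };
}

// Constructed sample: a proxy answering CONNECT with a 502 and its own HTML.
const SAMPLE_502 =
  "HTTP/1.1 502 Bad Gateway\r\n" +
  "Content-Type: text/html\r\n\r\n" +
  "<html><body>proxy-supplied page</body></html>";

console.log(legacyHandleConnectReply(SAMPLE_502, "bank.example"));
console.log(handleConnectReply(SAMPLE_502, "bank.example"));
```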
Safari
CVE-ID: CVE-2008-1001
Available for: Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-site scripting
Description: A cross-site scripting issue exists in Safari's error page. By enticing a user to open a maliciously crafted URL, an attacker may cause the disclosure of sensitive information. This update addresses the issue by performing additional validation of URLs. This issue does not affect Mac OS X systems. Credit to Robert Swiecki of Google Information Security Team for reporting this issue.
Safari
CVE-ID: CVE-2008-1002
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-site scripting
Description: A cross-site scripting issue exists in the processing of javascript: URLs. Enticing a user to visit a maliciously crafted web page could allow the execution of JavaScript in the context of another site. This update addresses the issue by performing additional validation of javascript: URLs. Credit to Robert Swiecki of Google Information Security Team for reporting this issue.
WebCore
CVE-ID: CVE-2008-1003
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-site scripting
Description: An issue exists with the handling of web pages that have explicitly set the document.domain property. This could lead to a cross-site scripting attack in sites that set the document.domain property, or between HTTP and HTTPS sites with the same document.domain. This update addresses the issue by improving same-origin checks. Credit to Adam Barth and Collin Jackson of Stanford University for reporting this issue.
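To make the HTTP/HTTPS case in CVE-2008-1003 concrete, here is an added example (not WebCore's code) that compares a same-origin check which ignores the scheme once document.domain matches against one that never relaxes the scheme. The function names and hostnames are assumptions constructed for illustration.

```javascript
// Build the origin tuple for a document URL. assignedDomain is the value the
// page wrote to document.domain, or null if the page never set it.
function originOf(url, assignedDomain = null) {
  const u = new URL(url);
  const defaultPort = { "http:": "80", "https:": "443" }[u.protocol] || "";
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || defaultPort,
    domain: assignedDomain,
  };
}

// Weak check (illustrative): once both pages share a document.domain value,
// nothing else is compared, so an http: page equals an https: page.
function weakCanAccess(a, b) {
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Stricter check: document.domain relaxes host and port only. The scheme
// must always match, and both pages must have opted in with the same value.
function strictCanAccess(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain !== null || b.domain !== null) {
    return a.domain !== null && b.domain !== null && a.domain === b.domain;
  }
  return a.host === b.host && a.port === b.port;
}

// Constructed sample pages on one site, both setting document.domain.
const httpPage = originOf("http://www.example.com/", "example.com");
const httpsPage = originOf("https://secure.example.com/", "example.com");
const httpsPeer = originOf("https://app.example.com/", "example.com");
const noOptIn = originOf("https://example.com/");

console.log("weak   http<->https :", weakCanAccess(httpPage, httpsPage));
console.log("strict http<->https :", strictCanAccess(httpPage, httpsPage));
console.log("strict https<->https:", strictCanAccess(httpsPage, httpsPeer));
console.log("strict one-sided    :", strictCanAccess(httpsPage, noOptIn));
```

With the weak check, content delivered over plain HTTP can script the HTTPS page, which removes the protection TLS was supposed to give that page.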
WebCore
CVE-ID: CVE-2008-1004
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Using Web Inspector on a maliciously crafted website may result in cross-site scripting
Description: An issue in Web Inspector allows a page being inspected to escalate its privileges by injecting script that will run in other domains and read the user's file system. This update addresses the issue by preventing JavaScript code on remote pages from being run. Credit to Collin Jackson and Adam Barth of Stanford University for reporting this issue.
WebCore
CVE-ID: CVE-2008-1005
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Using Kotoeri reverse conversion on a password field displays the password
Description: The content of password fields on web pages is normally hidden to guard against disclosing it to others with the ability to see the display. An issue exists with the use of the Kotoeri input method, which could result in exposing the password field content on the display when reverse conversion is requested. This update addresses the issue by no longer exposing the content of password fields when using Kotoeri reverse conversion.
WebCore
CVE-ID: CVE-2008-1006
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-site scripting
Description: The window.open() function may be used to change the security context of a webpage to the caller's context. Enticing a user to open a maliciously crafted page could allow an arbitrary script to be executed in the user's security context. This update addresses the issue by not allowing the security context to be changed. Credit to Adam Barth and Collin Jackson of Stanford University for reporting this issue.
WebCore
CVE-ID: CVE-2008-1007
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-site scripting using Java
Description: The frame navigation policy is not enforced for Java applets. By enticing a user to open a maliciously crafted web page, an attacker may obtain elevated privileges through a cross-site scripting attack using Java. This update addresses the issue by enforcing the frame navigation policy for Java applets. Credit to Adam Barth and Collin Jackson of Stanford University for reporting this issue.
WebCore
CVE-ID: CVE-2008-1008
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-site scripting
Description: A cross-site scripting issue exists in Safari's handling of the document.domain property. Enticing a user to visit a maliciously crafted web page may lead to the disclosure of sensitive information. This update addresses the issue through additional validation of the document.domain property.
WebCore
CVE-ID: CVE-2008-1009
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-site scripting
Description: A JavaScript injection issue exists in the handling of the history object. This may allow frames to set history object properties in all other frames loaded from the same web page. An attacker may leverage this issue to inject JavaScript that will run in the context of other frames, resulting in cross-site scripting. This update addresses the issue by no longer allowing webpages to alter the history object.
WebKit
CVE-ID: CVE-2008-1010
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow issue exists in WebKit's handling of JavaScript regular expressions. Enticing a user to visit a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy and Will Drewry of Google Security Team for reporting this issue.
WebKit
CVE-ID: CVE-2008-1011
Available for: Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista
Impact: Visiting a maliciously crafted website may result in cross-site scripting
Description: A cross-site scripting issue in WebKit allows method instances from one frame to be called in the context of another frame. Enticing a user to visit a maliciously crafted web page may lead to the disclosure of sensitive information. This update addresses the issue through improved handling of cross-domain method calls. Credit to David Bloom for reporting this issue.
Safari 3.1 is available via the Apple Software Update application, or Apple's Safari download site at:
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.