Safari SubFrame Navigation and RSS Feed URL Bugs Let Remote Users Conduct Cross-Site Scripting Attacks and Execute Arbitrary Code
SecurityTracker Alert ID: 1019108
SecurityTracker URL: http://securitytracker.com/id/1019108
Updated: Dec 22 2007
Original Entry Date: Dec 18 2007
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Two vulnerabilities were reported in Safari. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can conduct cross-site scripting attacks.
A remote user can create a specially crafted HTML that, when loaded by the target user, will cause WebKit to navigate the subframes of arbitrary pages and execute arbitrary scripting code in the context of those pages [CVE-2007-5858]. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
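The frame navigation decision behind CVE-2007-5858, modelled as an added example (not Apple's or WebKit's code). The advisory does not say which policy the fix adopted, so the descendant rule below is an assumed, representative stricter policy, and all frame names and origins are constructed.

```javascript
// Constructed model of a frame tree; not WebKit code. Origins are sample values.
class Frame {
  constructor(name, origin, parent = null) {
    this.name = name;
    this.origin = origin;
    this.parent = parent; // null for a top-level window
  }
}

// Pre-fix behaviour as the advisory describes it: any page may navigate
// the subframes of any other page.
function permissivePolicy(_source, target) {
  if (target.parent === null) throw new RangeError("model covers subframe targets only");
  return true;
}

// Assumed stricter rule (descendant policy): a frame may navigate a subframe
// only if it shares an origin with that subframe or with one of its
// ancestors, i.e. it already controls the screen area the subframe occupies.
function descendantPolicy(source, target) {
  if (target.parent === null) throw new RangeError("model covers subframe targets only");
  for (let f = target; f !== null; f = f.parent) {
    if (f.origin === source.origin) return true;
  }
  return false;
}

// Run one policy over a constructed scenario: a bank page embedding its own
// login frame and a third-party ad frame, plus an unrelated second window.
function evaluate(policy) {
  const bank = new Frame("bank-top", "https://bank.example");
  const login = new Frame("login", "https://bank.example", bank);
  const ad = new Frame("ad", "https://ads.example", bank);
  const adChild = new Frame("ad-child", "https://cdn.example", ad);
  const other = new Frame("other-window", "https://other.example");
  return {
    otherWindowToLogin: policy(other, login), // the cross-site case in the advisory
    siblingAdToLogin: policy(ad, login),
    bankToAd: policy(bank, ad),
    adToOwnChild: policy(ad, adChild),
    bankToAdChild: policy(bank, adChild),
  };
}

console.log("permissive:", evaluate(permissivePolicy));
console.log("descendant:", evaluate(descendantPolicy));
```

Under the permissive rule every row is allowed; under the descendant rule only the unrelated window and the sibling ad frame are refused, while a page keeps control of the frames it embeds.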
A remote user can create a specially crafted RSS feed that, when loaded by the target user, will execute arbitrary code on the target user's system [CVE-2007-5859]. Mac OS X versions 10.5 and later are not affected.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Perl software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A remote user can cause arbitrary code to be executed on the target user's system.
The vendor has issued a fix (APPLE-SA-2007-12-17 Security Update 2007-009 v1.1), available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:
For Mac OS X v10.5.1
The download file is named: "SecUpd2007-009.dmg"
Its SHA-1 digest is: 0ba35ef30a525792f1d4015395997b42f524dd38
For Mac OS X v10.4.11 (Universal)
The download file is named: "SecUpd2007-009Univ.dmg"
Its SHA-1 digest is: 49f52d4f647ea4a1fabef34cccac263bfd03791a
For Mac OS X v10.4.11 (PPC)
The download file is named: "SecUpd2007-009Ti.dmg"
Its SHA-1 digest is: d1c5c4bc23267dd846bb96e7be69b084579c1bba
The vendor has also issued Safari 3 Beta 3.0.4 Security Update v1.1 (for Windows) to correct CVE-2007-5858, available via the Apple Software Update application, or Apple's Safari download site at:
Safari for Windows XP or Vista
The download file is named: "Safari304BetaSecUpdateSetup.exe"
Its SHA-1 digest is: 44d788791fb060a97cdc9d09d9973919b181cc35
Safari+QuickTime for Windows XP or Vista
The file is named: "Safari304BetaSecUpdateQuickTimeSetup.exe"
Its SHA-1 digest is: 17ad827789d11bb3c4407a68beb6df942bfa7382
The Apple advisories are available at:
[Editor's note: The original security update 2007-009 and Safari 3 Beta 3.0.4 Security Update issued on December 17, 2007 contained a performance issue that may cause Safari to crash. On December 21, 2007, Apple issued the revised security update 2007-009 v1.1 and Safari 3 Beta 3.0.4 Security Update v1.1. Customers should apply the new update.]
Vendor URL: docs.info.apple.com/article.html?artnum=307179
Access control error, Input validation error
UNIX (OS X), Windows (Vista), Windows (XP)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Tue, 18 Dec 2007 00:32:48 -0500
APPLE-SA-2007-12-17 Security Update 2007-009
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Visiting a malicious website may result in the disclosure of
Description: WebKit allows a page to navigate the subframes of any
other page. Visiting a maliciously crafted web page could trigger a
cross-site scripting attack, which may lead to the disclosure of
sensitive information. This update addresses the issue by
implementing a stricter frame navigation policy.
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Accessing a maliciously crafted feed: URL may lead to an
application termination or arbitrary code execution
Description: A memory corruption issue exists in Safari's handling
of feed: URLs. By enticing a user to access a maliciously crafted
URL, an attacker may cause an unexpected application termination or
arbitrary code execution. This update addresses the issue by
performing additional validation of feed: URLs and providing an error
message in case of an invalid URL. This issue does not affect systems
running Mac OS X 10.5 or later.