Apple Safari AutoFill Discloses Potentially Sensitive Information to Remote Users
SecurityTracker Alert ID: 1024242
SecurityTracker URL: http://securitytracker.com/id/1024242
CVE Reference: CVE-2010-1796
Updated: Jul 28 2010
Original Entry Date: Jul 23 2010
Impact: Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 4, 5
Description:
A vulnerability was reported in Apple Safari. A remote user can obtain potentially sensitive information from the target user's system.
A remote user can create specially crafted HTML that, when loaded in Safari by the target user, causes the AutoFill feature (which fills web forms from the user's own Address Book card) to place that card's data into form fields under the page's control, where script on the page can read it. No more than normal interaction with the page is required of the target user.
The vendor was notified on June 17, 2010.
Patrice Neff and Jeremiah Grossman reported this vulnerability.
Demonstration exploit code is available at:
http://ha.ckers.org/weird/safari_autofill.html
The original advisories are available at:
http://jeremiahgrossman.blogspot.com/2010/07/i-know-who-your-name-where-you-work-and.html
http://weblog.patrice.ch/2009/04/09/safari-autofill-birthday.html
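The mechanism above (AutoFill writing Address Book card data into fields a page controls) is what a defensive form scanner would look for. The JavaScript below is an added example, not the demonstration exploit referenced above and not code from Apple or the reporters: a heuristic that flags text-like inputs whose names match typical Address Book card fields but which are kept out of the user's sight with inline CSS. The field-name list, the CSS patterns treated as "hidden", the accepted input types and the two sample forms are all constructed assumptions for illustration.

```javascript
// Added example (not from the advisory, Apple, or the reporters): a heuristic
// scanner for forms shaped like an AutoFill-harvesting page. An <input> that is
// present in the DOM (so the browser can fill it) but hidden from the user by
// inline CSS, and named like an address-book field, is flagged.

// Assumption: names Safari-style AutoFill would map to Address Book card fields.
const IDENTITY_FIELDS =
  /^(name|first[_-]?name|last[_-]?name|company|organization|street|address|city|state|zip|postal[_-]?code|country|email|phone|tel)$/i;

// Assumption: inline styles that hide a text input while leaving it fillable.
function isVisuallyHidden(style) {
  const s = (style || '').toLowerCase().replace(/\s+/g, '');
  return /display:none/.test(s) ||
         /visibility:hidden/.test(s) ||
         /opacity:0(;|$)/.test(s) ||
         /(left|top):-\d{3,}px/.test(s) ||
         /(width|height):0(px)?(;|$)/.test(s);
}

// Minimal attribute parser for the text inside one <input ...> tag.
// Handles double-quoted, single-quoted and bare values; attribute names are
// lower-cased so lookups below are case-insensitive.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Returns one finding per suspicious input: { name, style }.
// type="hidden" inputs are ignored on purpose: browsers do not AutoFill them,
// so the harvesting pattern relies on text fields made invisible with CSS.
function findAutofillHarvestingInputs(html) {
  const findings = [];
  const inputRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const a = parseAttributes(m[1]);
    const type = (a.type || 'text').toLowerCase();
    if (type !== 'text' && type !== 'email' && type !== 'tel') continue; // assumption: fillable types
    const name = a.name || a.id || '';
    if (!IDENTITY_FIELDS.test(name)) continue;
    if (isVisuallyHidden(a.style)) findings.push({ name, style: a.style });
  }
  return findings;
}

// Constructed sample: a page laid out to harvest card data silently.
const SAMPLE_HARVESTING_FORM = `
<form id="f">
  <input type="text" name="name"    style="position:absolute; left:-5000px">
  <input type="text" name="company" style="display:none">
  <input type="text" name="city"    style="opacity: 0; width: 1px">
  <input type="text" name="email"   style="visibility:hidden">
  <input type="text" name="search"  style="display:none">
  <input type="hidden" name="csrf"  value="abc">
</form>`;

// Constructed sample: an ordinary, visible contact form.
const SAMPLE_BENIGN_FORM = `
<form>
  <label>Name <input type="text" name="name"></label>
  <label>Email <input type="email" name="email" style="width:20em"></label>
  <input type="hidden" name="csrf" value="abc">
</form>`;

console.log(JSON.stringify(findAutofillHarvestingInputs(SAMPLE_HARVESTING_FORM), null, 2));
console.log(JSON.stringify(findAutofillHarvestingInputs(SAMPLE_BENIGN_FORM), null, 2));
```

On the harvesting sample the scanner reports the name, company, city and email inputs and ignores the hidden-but-unrelated "search" field and the type="hidden" token; the benign form produces no findings. The check is deliberately a heuristic: styles applied from an external stylesheet, fields placed off-screen by a parent element, or names outside the list above are not caught, so it is a triage aid rather than a proof of safety.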
Impact:
A remote user can obtain information from the personal address book cards.
Solution:
The vendor has issued a fix (4.1.1, 5.0.1).
The vendor's advisory is available at:
http://support.apple.com/kb/HT4276
Vendor URL: support.apple.com/kb/HT4276
Cause:
Access control error
Underlying OS:
UNIX (OS X), Windows (7), Windows (Vista), Windows (XP)
Message History:
None.
Source Message Contents
Date: Fri, 23 Jul 2010 18:52:19 +0000
Subject: Apple Safari
http://jeremiahgrossman.blogspot.com/2010/07/i-know-who-your-name-where-you-work-and.html