07.1.2008

VU#361043: Apple Safari contains a memory corruption issue in the handling of JavaScript arrays by WebKit

Vulnerability Note VU#361043

Apple Safari contains a memory corruption issue in the handling of JavaScript arrays by WebKit

Overview

Apple WebKit contains a memory corruption vulnerability. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code.

I. Description

According to Apple Security Update 2008-004:

    A memory corruption issue exists in WebKit's handling of JavaScript arrays. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.



This vulnerability may affect any software that uses the Apple WebKit, including the Safari web browser.

Note that this vulnerability is reported to affect software on both the Windows and Apple OS X operating systems.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code.

III. Solution

Apply Apple Updates

Apple has released an update to address this vulnerability. Refer to Apple Security Update 2008-004 for more information.

Systems Affected

Vendor | Status | Date Updated
Apple Computer, Inc. | Vulnerable | 1-Jul-2008

References



http://lists.apple.com/archives/security-announce/2008/Jun/msg00001.html

http://support.apple.com/kb/HT2092

http://support.apple.com/kb/HT2165

http://support.apple.com/kb/HT2163

Credit

This vulnerability was reported in Apple Security Update 2008-004. Apple credits James Urquhart with reporting this issue.

This document was written by Ryan Giobbi.

Other Information

Date Public: 06/19/2008
Date First Published: 07/01/2008 06:28:57 PM
Date Last Updated: 07/01/2008
CERT Advisory:
CVE Name: CVE-2008-2307
US-CERT Technical Alerts:
Metric: 10.33
Document Revision: 6
06.19.2008

VU#127185: Apple Safari automatically executes downloaded files based on Internet Explorer zone settings

Vulnerability Note VU#127185

Apple Safari automatically executes downloaded files based on Internet Explorer zone settings

Overview

Apple Safari automatically executes downloaded files based on Internet Explorer zone settings, which can allow a remote attacker to execute arbitrary code on a vulnerable system.

I. Description

Apple Safari is a web browser that is available for OS X and Microsoft Windows platforms. Apple Safari for Microsoft Windows will modify its behavior based on the Internet Explorer security zone settings. One of the Internet Explorer zone settings that Safari queries is URLACTION_SHELL_EXECUTE_HIGHRISK, which is stored as registry value 1806 in the Internet Explorer URL Security Zone section of the Windows registry. If this value is set to "allowed" for the associated URL Security Zone, Safari will automatically download files from the website and execute them.

For the Trusted Sites and Local Intranet zones on Internet Explorer 6 systems, this value defaults to 0x00, which indicates that the action is "allowed." This URL Security Zone setting appears to have no representation in the GUI for configuring the zones on Internet Explorer 6 systems. This means that no matter how the Trusted Sites or Local Intranet zones are configured using the graphical interface for Internet Explorer, Safari will automatically execute files that are downloaded from sites that reside in these zones.



Internet Explorer 7 systems expose the URLACTION_SHELL_EXECUTE_HIGHRISK URL Security Zone setting as "Launching applications and unsafe files" in the Internet Explorer zone security configuration dialog. This value defaults to 0x01 for the Trusted Sites zone, and 0x00 for the Local Intranet zone, which correlate to "prompt" and "allow," respectively. This means that by default, any site in the Local Intranet zone on Internet Explorer 7 systems can cause Safari to automatically execute downloaded files. Safari will automatically execute downloaded files in other zones if the "Launching applications and unsafe files" option is set to "allow."
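A defender-side check for the setting described above, as an added example that is not part of the original vulnerability note: the PowerShell below reads value 1806 for each URL security zone and flags zones where it is 0 ("allow"). The registry path under Internet Settings\Zones, the zone numbering 0 to 4, the policy value 3 ("disallow") and the function name Get-ShellExecuteHighRisk are assumptions not stated in the note.

```powershell
# Added example: audit URLACTION_SHELL_EXECUTE_HIGHRISK (value 1806) per zone.
# Assumption: zone settings live under the standard Internet Settings\Zones key,
# per-user in HKCU and machine-wide in HKLM.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet';    4 = 'Restricted Sites' }

# URL policy values for action 1806 (0x00 and 0x01 are the ones the note discusses).
$Policy = @{ 0 = 'allow'; 1 = 'prompt'; 3 = 'disallow' }

$SubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ShellExecuteHighRisk {
    param([string[]]$Hives = @('HKCU:', 'HKLM:'))

    foreach ($hive in $Hives) {
        foreach ($zone in 0..4) {
            $path = Join-Path $hive (Join-Path $SubKey $zone)
            # A missing key or value yields $null instead of an error.
            $item = Get-ItemProperty -Path $path -Name '1806' -ErrorAction SilentlyContinue

            if ($null -eq $item) {
                $raw = $null
                $setting = 'not set'
            } else {
                $raw = [int]$item.'1806'
                $setting = if ($Policy.ContainsKey($raw)) { $Policy[$raw] } else { 'unknown' }
            }

            [pscustomobject]@{
                Hive            = $hive
                Zone            = $zone
                ZoneName        = $ZoneNames[$zone]
                Value           = $raw
                Setting         = $setting
                # 0x00 ("allow") is the state in which Safari auto-executes downloads.
                AutoExecuteRisk = ($raw -eq 0)
            }
        }
    }
}

Get-ShellExecuteHighRisk | Format-Table -AutoSize
```

Rows with AutoExecuteRisk set to True identify zones where an unpatched Safari for Windows would execute downloaded files without prompting.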

II. Impact

By convincing a user to visit a specially crafted web page with Apple Safari on Windows, an attacker may be able to execute arbitrary code on a vulnerable system.

III. Solution

Apply an update

This issue is addressed in Safari for Windows 3.1.2. Please see the Apple Security Update for more details. This version of Safari will prompt the user before downloading or executing files.




Systems Affected

Vendor | Status | Date Updated
Apple Computer, Inc. | Vulnerable | 19-Jun-2008

References



http://support.apple.com/kb/HT2092

http://msdn.microsoft.com/en-us/library/ms537183.aspx

Credit

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

Date Public: 06/19/2008
Date First Published: 06/19/2008 10:56:50 PM
Date Last Updated: 06/19/2008
CERT Advisory:
CVE Name: CVE-2008-2306
US-CERT Technical Alerts:
Metric: 8.10
Document Revision: 4
06.10.2008

VU#132419: Apple QuickTime "file: URL" arbitrary code execution

Vulnerability Note VU#132419

Apple QuickTime "file: URL" arbitrary code execution

Overview

Apple QuickTime does not properly handle "file: URLs", which may allow an attacker to execute arbitrary code.

I. Description

Apple QuickTime is a multiplatform multimedia software architecture which provides file format converters for more than 250 common image, video, and audio file formats.

Per the Apple advisory About the security content of QuickTime 7.5:

    A URL handling issue exists in QuickTime's handling of file: URLs. This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content in QuickTime Player.

II. Impact

By convincing a user to play a maliciously crafted QuickTime file, an attacker may be able to execute arbitrary code on a vulnerable system.

III. Solution

Apple has addressed this vulnerability in the QuickTime 7.5 release.

Systems Affected

Vendor | Status | Date Updated
Apple Computer, Inc. | Vulnerable | 10-Jun-2008

References



http://support.apple.com/kb/HT1991

Credit

Apple credits Vinoo Thomas and Rahul Mohandas of McAfee Avert Labs, and Petko D. (pdp) Petkov of GNUCITIZEN working with TippingPoint's Zero Day Initiative, for reporting this issue.

This document was written by Joseph Pruszynski.

Other Information

Date Public: 06/09/2008
Date First Published: 06/10/2008 03:23:13 PM
Date Last Updated: 06/10/2008
CERT Advisory:
CVE Name: CVE-2008-1585
US-CERT Technical Alerts:
Metric: 18.25
Document Revision: 8
05.29.2008

VU#566875: Apple Help Viewer vulnerable to buffer overflow

Vulnerability Note VU#566875

Apple Help Viewer vulnerable to buffer overflow

Overview

A vulnerability in the way Apple Help Viewer handles specially crafted URLs may allow an attacker to execute arbitrary code or cause a denial of service.

I. Description

According to Apple Security Update 2008-003:

    An integer underflow in Help Viewer's handling of help:topic URLs may result in a buffer overflow. Accessing a malicious help:topic URL may lead to an unexpected application termination or arbitrary code execution.



Note that this issue affects systems running Mac OS X prior to version 10.5.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial of service.

III. Solution

Apply Update

This issue is addressed in Apple Security Update 2008-003. An update for Mac OS X is available on Apple Downloads and via Software Update.




Systems Affected

Vendor | Status | Date Updated
Apple Computer, Inc. | Vulnerable | 29-May-2008

References



http://lists.apple.com/archives/security-announce/2008/May/msg00001.html

Credit

This issue was reported in Apple Security Update 2008-003. Apple credits Paul Haddad of PTH with reporting this issue.

This document was written by Chris Taschner.

Other Information

Date Public: 05/28/2008
Date First Published: 05/29/2008 03:00:55 PM
Date Last Updated: 05/29/2008
CERT Advisory:
CVE Name: CVE-2008-1034
US-CERT Technical Alerts:
Metric: 8.68
Document Revision: 6
04.18.2008

VU#705529: Apple Safari WebKit fails to properly handle a crafted URL

Vulnerability Note VU#705529

Apple Safari WebKit fails to properly handle a crafted URL

Overview

A vulnerability in the way Apple Mac OS X handles specially crafted URLs may allow an attacker to execute script in the context of another site.

I. Description

According to Apple Safari 3.1.1:

    An issue exists in WebKit's handling of URLs containing a colon character in the host name. Opening a maliciously crafted URL may lead to a cross-site scripting attack. This update addresses the issue through improved handling of URLs.



Note that this issue affects Safari for both Windows XP or Vista and Mac OS X.

II. Impact

This vulnerability may allow an attacker to execute script in the context of another site.

III. Solution

Apply Apple Updates

Apple has released an update to address this vulnerability. Refer to Apple Safari 3.1.1.

Systems Affected

Vendor | Status | Date Updated
Apple Computer, Inc. | Vulnerable | 18-Apr-2008

References



http://support.apple.com/kb/HT1467

Credit

This issue is addressed in Apple Safari 3.1.1. Apple credits Robert Swiecki of the Google Security Team, and David Bloom for reporting this issue.

This document was written by Chris Taschner.

Other Information

Date Public: 04/16/2008
Date First Published: 04/18/2008 03:52:27 PM
Date Last Updated: 04/18/2008
CERT Advisory:
CVE Name: CVE-2008-1025
US-CERT Technical Alerts:
Metric: 9.90
Document Revision: 2
