Detections
Analytics

Safari < 4.1 / 5.0 Multiple Vulnerabilities

high Log Correlation Engine Plugin ID 801012

Synopsis

The remote host contains a web browser that is vulnerable to multiple attack vectors.

Description

Versions of Safari earlier than 4.1 / 5.0 are potentially affected by multiple vulnerabilities :

 - A heap buffer overflow exists in the handling of images with an embedded ColorSync profile. (CVE-2009-1726)

 - Safari supports the inclusion of user information in URLs, which allows the URL to specify a username and password to authenticate the user to the named server. (CVE-2010-1384)

 - A use after free issue exists in Safari's management of windows. (CVE-2010-1750)

 - An implementation issue exists in WebKit's handling of URLs in the clipboard. (CVE-2010-1388)

 - Dragging or pasting a selection from one site to another may allow scripts contained in the selection to be executed in the context of the new site. (CVE-2010-1389)

 - A cononicalization issue exists in WebKit's handling of UTF-7 encoded text. (CVE-2010-1390)

 - A path traversal issue exists in WebKit's support for Local Storage and Web SQL database. (CVE-2010-1391)

 - A use after free issue exists in WebKit's rendering of HTML buttons. (CVE-2010-1392)

 - An information disclosure issue exists in WebKit's handling of Cascading Stylesheets. (CVE-2010-1393)

 - A use after free issue exists in WebKit's handling of attribute manipulation. (CVE-2010-1119)

 - A design issue exists in WebKit's handling of HTML document fragments. (CVE-2010-1394)

 - An implementation issue exists in WebKit's handling of keyboard focus. (CVE-2010-1422)

 - A scope management issue exists in WebKit's handling of DOM constructor objects. (CVE-2010-1395)

 - A use after free issue exists in WebKit's handling of the removal of container elements. (CVE-2010-1396)

 - A use after free issue exists in WebKit's rendering of a selection when the layout changes. (CVE-2010-1397)

 - A memory corruption issue exists in WebKit's handling of ordered list insertions. (CVE-2010-1398)

 - An uninitialized memory access issue exists in WebKit's handling of selection changes on form input elements. (CVE-2010-1399)

 - A use after free issue exists in WebKit's handling of caption elements. (CVE-2010-1400)

 - A use after free issue exists in WebKit's handling of the ':first-letter' pseudo-element in cascading stylesheets. (CVE-2010-1401)

 - a double free issue exists in WebKit's handling of event listeners in SVG documents. (CVE-2010-1402)

 - An uninitialized memory access issue exists in WebKit's handling of 'use' elements in SVG documents. (CVE-2010-1403)

 - A use after free issue exists in WebKit's handling of SVG documents with multiple 'use' elements. (CVE-2010-1404)

 - A memory corruption issue exists in WebKit's handling of nested 'use' elements in SVG documents. (CVE-2010-1410)

 - A use after free issue exists in WebKit's handling of CSS run-ins. (CVE-2010-1749)

 - A use after free issue exists in WebKit's handling of HTML elements with custom vertical positioning. (CVE-2010-1405)

 - When WebKit is redirected from an HTTPS site to an HTTP site, the Referer header is passed to the HTTP site. (CVE-2010-1406)

 - An integer truncation issue exists in WebKit's handling of requests to non-default TCP ports. (CVE-2010-1408)

 - Common IRC service ports are not included in WebKit's port blacklist. (CVE-2010-1409)

 - A use after free issue exists in WebKit's handling of hover events. (CVE-2010-1412)

 - In certain circumstances, WebKit may send NTLM credentials in plain text. (CVE-2010-1413)

 - A use after free issue exists in WebKit's handling of the removeChild DOM method. (CVE-2010-1414)

 - An API abuse issue exists in WebKit's handling of libxml contexts. (CVE-2010-1415)

 - A cross-site image capture issue exists in WebKit. (CVE-2010-1416)

 - A memory corruption issue exists in WebKit's rendering of CSS-styled HTML content with multiple :after pseudo-selectors. (CVE-2010-1417)

 - An input validation issue exists in WebKit's handling of the src attribute of the frame element (CVE-2010-1418)

 - A use after free issue exists in WebKit's handling of drag and drop when the window acting as a source of a drag operation is closed before the drag operation is completed. (CVE-2010-1419)

 - A design issue exists in the implementation of the JavaScript function execCommand. (CVE-2010-1421)

 - An issue in WebKit's handling of malformed URLs may result in a cross-site scripting attack when visiting a maliciously crafted website. (CVE-2010-0544)

 - A use after free issue exists in WebKit's handling of DOM Range objects. (CVE-2010-1758)

 - A use after free issue exists in WebKit's handling of the Node.normalize method. (CVE-2010-1759)

 - A use after free issue exist sin WebKit's rendering of HTML document subtrees. (CVE-2010-1761)

 - A design issue exists in the handling of HTML contained in textarea elements. (CVE-2010-1762)

 - A design issue exists in WebKit's handling of HTTP redirects. (CVE-2010-1764)

 - A type checking issue exists in WebKit's handling of text nodes. (CVE-2010-1770)

 - A use after free issue exists in WebKit's handling of fonts. (CVE-2010-1771)

 - An out of bounds memory access issue exists in WebKit's handling of HTML tables. (CVE-2010-1774)

 - A design issue exists in WebKit's handling of the CSS :visited pseudo-class.

Solution

Upgrade to Safari 4.1, 5.0, or later.

See Also

lists.apple.com/archives/security-announce/2010/Jun/msg00000.html

Plugin Details

Severity: High

ID: 801012

Family: Web Clients

Published: 6/8/2010

Nessus ID: 46837, 46838

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

Patch Publication Date: 6/7/2010

Vulnerability Publication Date: 6/7/2010

Reference Information

CVE: CVE-2009-1726, CVE-2010-0544, CVE-2010-1119, CVE-2010-1384, CVE-2010-1385, CVE-2010-1388, CVE-2010-1389, CVE-2010-1390, CVE-2010-1391, CVE-2010-1392, CVE-2010-1393, CVE-2010-1394, CVE-2010-1395, CVE-2010-1396, CVE-2010-1397, CVE-2010-1398, CVE-2010-1399, CVE-2010-1400, CVE-2010-1401, CVE-2010-1402, CVE-2010-1403, CVE-2010-1404, CVE-2010-1405, CVE-2010-1406, CVE-2010-1408, CVE-2010-1409, CVE-2010-1410, CVE-2010-1412, CVE-2010-1413, CVE-2010-1414, CVE-2010-1415, CVE-2010-1416, CVE-2010-1417, CVE-2010-1418, CVE-2010-1419, CVE-2010-1421, CVE-2010-1422, CVE-2010-1749, CVE-2010-1750, CVE-2010-1758, CVE-2010-1759, CVE-2010-1761, CVE-2010-1762, CVE-2010-1764, CVE-2010-1770, CVE-2010-1771, CVE-2010-1774, CVE-2010-2264

BID: 40644, 40646, 40647, 40649, 40650, 40653, 40654, 40655, 40656, 40658, 40659, 40660, 40661, 40663, 40665, 40666, 40667, 40668, 40670, 40671, 40672, 40675, 40697, 40698, 40705, 40707, 40710, 40714, 40726, 40727, 40732, 40750, 40753, 40754, 40756, 35954, 40620, 40642, 40645, 40652, 40673, 40674, 40704, 40717, 40733, 40752