Mac OS X : Apple Safari < 6.2.2 / 7.1.2 / 8.0.2 Multiple Vulnerabilities

high Nessus Plugin ID 80055

Synopsis

The remote host contains a web browser that is affected by multiple vulnerabilities.

Description

The version of Apple Safari installed on the remote Mac OS X host is a version prior to 6.2.2 / 7.1.2 / 8.0.2. It is, therefore, affected by the following vulnerabilities in WebKit :

- An SVG loaded in an IMG element could load a CSS file cross-origin. This can allow data exfiltration.
(CVE-2014-4465)

- A UI spoofing flaw exists in the handling of scrollbar boundaries. Visiting websites that frame malicious content can allow the UI to be spoofed. (CVE-2014-1748)

- Multiple memory corruption issues exist that can lead to an unexpected application crash or potential arbitrary code execution by means of malicious website content.
(CVE-2014-4452, CVE-2014-4459, CVE-2014-4466, CVE-2014-4468, CVE-2014-4469, CVE-2014-4470, CVE-2014-4471, CVE-2014-4472, CVE-2014-4473, CVE-2014-4474, CVE-2014-4475)

Note that the 6.2.2 / 7.1.2 / 8.0.2 Safari updates include the security content of the 6.2.1 / 7.1.1 / 8.0.1 updates. These more recent updates, however, were released to fix potential issues with the installation of the previous patch release.

Solution

Upgrade to Apple Safari 6.2.2 / 7.1.2 / 8.0.2 or later.

See Also

http://support.apple.com/en-us/HT1222

http://www.securityfocus.com/archive/1/534148

http://support.apple.com/en-us/HT6597

Plugin Details

Severity: High

ID: 80055

File Name: macosx_Safari8_0_2.nasl

Version: 1.5

Type: local

Agent: macosx

Published: 12/16/2014

Updated: 11/25/2019

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2014-4466

Vulnerability Information

CPE: cpe:/a:apple:safari

Required KB Items: Host/local_checks_enabled, Host/MacOSX/Version, MacOSX/Safari/Installed

Exploit Ease: No known exploits are available

Patch Publication Date: 12/11/2014

Vulnerability Publication Date: 4/2/2014

Reference Information

CVE: CVE-2014-1748, CVE-2014-4465, CVE-2014-4466, CVE-2014-4468, CVE-2014-4469, CVE-2014-4470, CVE-2014-4471, CVE-2014-4472, CVE-2014-4473, CVE-2014-4474, CVE-2014-4475

BID: 71438, 71439, 71442, 71444, 71445, 71449, 71451, 71459, 71461, 71462, 71464

APPLE-SA: APPLE-SA-2014-12-3-1