Safari < 4.1 / 5.0 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 5566

Synopsis

The remote host contains a web browser that is vulnerable to multiple attack vectors.

Description

Versions of Safari earlier than 4.1 / 5.0 are potentially affected by multiple vulnerabilities:

- A heap buffer overflow exists in the handling of images with an embedded ColorSync profile. (CVE-2009-1726)

- Safari supports the inclusion of user information in URLs, which allows the URL to specify a username and password to authenticate the user to the named server. Such URLs are commonly used to disguise a link's real destination and aid phishing. (CVE-2010-1384)

- A use after free issue exists in Safari's management of windows. (CVE-2010-1750)

- An implementation issue exists in WebKit's handling of URLs in the clipboard. (CVE-2010-1388)

- Dragging or pasting a selection from one site to another may allow scripts contained in the selection to be executed in the context of the new site. (CVE-2010-1389)

- A canonicalization issue exists in WebKit's handling of UTF-7 encoded text. (CVE-2010-1390)

- A path traversal issue exists in WebKit's support for Local Storage and Web SQL database. (CVE-2010-1391)

- A use after free issue exists in WebKit's rendering of HTML buttons. (CVE-2010-1392)

- An information disclosure issue exists in WebKit's handling of Cascading Stylesheets. (CVE-2010-1393)

- A use after free issue exists in WebKit's handling of attribute manipulation. (CVE-2010-1119)

- A design issue exists in WebKit's handling of HTML document fragments. (CVE-2010-1394)

- An implementation issue exists in WebKit's handling of keyboard focus. (CVE-2010-1422)

- A scope management issue exists in WebKit's handling of DOM constructor objects. (CVE-2010-1395)

- A use after free issue exists in WebKit's handling of the removal of container elements. (CVE-2010-1396)

- A use after free issue exists in WebKit's rendering of a selection when the layout changes. (CVE-2010-1397)

- A memory corruption issue exists in WebKit's handling of ordered list insertions. (CVE-2010-1398)

- An uninitialized memory access issue exists in WebKit's handling of selection changes on form input elements. (CVE-2010-1399)

- A use after free issue exists in WebKit's handling of caption elements. (CVE-2010-1400)

- A use after free issue exists in WebKit's handling of the ':first-letter' pseudo-element in cascading stylesheets. (CVE-2010-1401)

- A double free issue exists in WebKit's handling of event listeners in SVG documents. (CVE-2010-1402)

- An uninitialized memory access issue exists in WebKit's handling of 'use' elements in SVG documents. (CVE-2010-1403)

- A use after free issue exists in WebKit's handling of SVG documents with multiple 'use' elements. (CVE-2010-1404)

- A memory corruption issue exists in WebKit's handling of nested 'use' elements in SVG documents. (CVE-2010-1410)

- A use after free issue exists in WebKit's handling of CSS run-ins. (CVE-2010-1749)

- A use after free issue exists in WebKit's handling of HTML elements with custom vertical positioning. (CVE-2010-1405)

- When WebKit is redirected from an HTTPS site to an HTTP site, the Referer header is passed to the HTTP site. (CVE-2010-1406)

- An integer truncation issue exists in WebKit's handling of requests to non-default TCP ports, allowing the port blacklist to be bypassed with a port number above 65535 that is truncated before the connection is made. (CVE-2010-1408)

- Common IRC service ports are not included in WebKit's port blacklist. (CVE-2010-1409)

- A use after free issue exists in WebKit's handling of hover events. (CVE-2010-1412)

- In certain circumstances, WebKit may send NTLM credentials in plain text. (CVE-2010-1413)

- A use after free issue exists in WebKit's handling of the removeChild DOM method. (CVE-2010-1414)

- An API abuse issue exists in WebKit's handling of libxml contexts. (CVE-2010-1415)

- A cross-site image capture issue exists in WebKit. (CVE-2010-1416)

- A memory corruption issue exists in WebKit's rendering of CSS-styled HTML content with multiple :after pseudo-selectors. (CVE-2010-1417)

- An input validation issue exists in WebKit's handling of the src attribute of the frame element. (CVE-2010-1418)

- A use after free issue exists in WebKit's handling of drag and drop when the window acting as a source of a drag operation is closed before the drag operation is completed. (CVE-2010-1419)

- A design issue exists in the implementation of the JavaScript function execCommand. (CVE-2010-1421)

- An issue in WebKit's handling of malformed URLs may result in a cross-site scripting attack when visiting a maliciously crafted website. (CVE-2010-0544)

- A use after free issue exists in WebKit's handling of DOM Range objects. (CVE-2010-1758)

- A use after free issue exists in WebKit's handling of the Node.normalize method. (CVE-2010-1759)

- A use after free issue exists in WebKit's rendering of HTML document subtrees. (CVE-2010-1761)

- A design issue exists in the handling of HTML contained in textarea elements. (CVE-2010-1762)

- A design issue exists in WebKit's handling of HTTP redirects. (CVE-2010-1764)

- A type checking issue exists in WebKit's handling of text nodes. (CVE-2010-1770)

- A use after free issue exists in WebKit's handling of fonts. (CVE-2010-1771)

- An out of bounds memory access issue exists in WebKit's handling of HTML tables. (CVE-2010-1774)

- A design issue exists in WebKit's handling of the CSS :visited pseudo-class. (CVE-2010-2264)
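The port-blacklist items (integer truncation, missing IRC ports) and the HTTPS-to-HTTP Referer item above describe checks a browser performs before issuing a request. The following is an added example, not code from Apple, WebKit or Tenable, that writes both checks out with the vulnerable pattern next to the hardened one. The blocked-port lists, the host names, the 16-bit truncation point and the policy names are illustrative assumptions; the policy names follow the Referrer Policy specification, and the pre-fix behaviour in the advisory corresponds to the 'unsafe-url' case.

```javascript
// Added example (not code from Apple, WebKit or Tenable): request-time URL
// checks behind the port-blacklist and Referer items of the advisory, with
// the vulnerable pattern next to the hardened one. Port lists, host names and
// the 16-bit truncation point are illustrative assumptions.

// Ports a browser refuses to connect to so that a web page cannot be used to
// drive mail, IRC and similar services. A small subset, assumed for the example.
const LEGACY_BLOCKED_PORTS = new Set([21, 22, 23, 25, 110, 119, 143, 465, 587]);
const BLOCKED_PORTS = new Set([
  ...LEGACY_BLOCKED_PORTS,
  6665, 6666, 6667, 6668, 6669, 6697, // IRC service ports, the gap the advisory describes
]);

// Vulnerable pattern: the blacklist is checked on the parsed integer, but the
// value handed to the socket layer is truncated to 16 bits. A port of 65561 is
// not on the list, yet 65561 & 0xffff is 25 (SMTP). Returns the port that would
// actually be connected to, or null if the request is refused.
function vulnerableResolvePort(portField, blocked = LEGACY_BLOCKED_PORTS) {
  const port = parseInt(portField, 10);
  if (Number.isNaN(port)) return null;
  if (blocked.has(port)) return null;   // 65561 passes the check
  return port & 0xffff;                 // 25 reaches the socket
}

// Hardened pattern: validate the range first, then check the exact value that
// will be used, against a list that includes the IRC ports.
function hardenedResolvePort(portField, blocked = BLOCKED_PORTS) {
  if (!/^\d{1,5}$/.test(portField)) return null;
  const port = Number(portField);
  if (port > 65535) return null;        // nothing left to truncate later
  if (blocked.has(port)) return null;
  return port;
}

// Referer for one request, derived from the initiating document and the target
// URL under a referrer policy. Credentials and the fragment are never sent.
// Returns the header value, or null when no Referer is sent.
function refererFor(initiator, target, policy = 'no-referrer-when-downgrade') {
  const from = new URL(initiator);      // WHATWG URL, global in Node and browsers
  const to = new URL(target);
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  const full = from.origin + from.pathname + from.search;
  const originOnly = from.origin + '/';
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;     // the pre-fix behaviour: full URL even on downgrade
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'strict-origin-when-cross-origin':
      if (downgrade) return null;
      return from.origin === to.origin ? full : originOnly;
    default: throw new Error('unsupported policy: ' + policy);
  }
}

// Referer sent at each hop of a redirect chain. As in Fetch, the referrer stays
// the initiating document and the policy is re-applied against every hop's URL,
// so an https -> http hop anywhere in the chain drops it.
function refererChain(initiator, hops, policy) {
  return hops.map((hop) => refererFor(initiator, hop, policy));
}

// Constructed inputs for a stand-alone run.
const constructedChain = ['https://redir.example/go', 'http://tracker.example/'];
console.log(vulnerableResolvePort('65561'), hardenedResolvePort('65561'));
console.log(vulnerableResolvePort('6667'), hardenedResolvePort('6667'));
console.log(refererChain('https://bank.example/acct?id=7#top', constructedChain, 'unsafe-url'));
console.log(refererChain('https://bank.example/acct?id=7#top', constructedChain));
```

The order of the checks in the hardened version is the point: the range check has to come before the blacklist lookup, and the value that is checked has to be the value that reaches the socket. For the Referer, the policy is evaluated per hop against the initiator, which is why the second hop in the constructed chain sends nothing under the default policy but leaks the full HTTPS URL under 'unsafe-url'.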

Solution

Upgrade to Safari 4.1, 5.0, or later.

See Also

http://lists.apple.com/archives/security-announce/2010/Jun/msg00000.html

Plugin Details

Severity: Critical

ID: 5566

Family: Web Clients

Published: 6/8/2010

Updated: 3/6/2019

Nessus ID: 46837, 46838

Risk Information

VPR

Risk Factor: High

Score: 8.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apple:safari

Patch Publication Date: 6/7/2010

Vulnerability Publication Date: 6/7/2010

Reference Information

CVE: CVE-2009-1726, CVE-2010-0544, CVE-2010-1119, CVE-2010-1384, CVE-2010-1385, CVE-2010-1389, CVE-2010-1390, CVE-2010-1391, CVE-2010-1392, CVE-2010-1393, CVE-2010-1394, CVE-2010-1395, CVE-2010-1396, CVE-2010-1397, CVE-2010-1398, CVE-2010-1399, CVE-2010-1400, CVE-2010-1401, CVE-2010-1402, CVE-2010-1403, CVE-2010-1404, CVE-2010-1405, CVE-2010-1406, CVE-2010-1408, CVE-2010-1409, CVE-2010-1410, CVE-2010-1412, CVE-2010-1413, CVE-2010-1414, CVE-2010-1415, CVE-2010-1416, CVE-2010-1417, CVE-2010-1418, CVE-2010-1419, CVE-2010-1421, CVE-2010-1422, CVE-2010-1749, CVE-2010-1750, CVE-2010-1758, CVE-2010-1759, CVE-2010-1761, CVE-2010-1762, CVE-2010-1764, CVE-2010-1770, CVE-2010-1771, CVE-2010-1774, CVE-2010-2264

BID: 40644, 40646, 40647, 40649, 40650, 40653, 40654, 40655, 40656, 40658, 40659, 40660, 40661, 40663, 40665, 40666, 40667, 40668, 40670, 40671, 40672, 40675, 40697, 40698, 40705, 40707, 40710, 40714, 40726, 40727, 40732, 40750, 40753, 40754, 40756, 40642, 40645, 40652, 40673, 40674, 40704, 40717, 40733, 40752