Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Safari < 10.1.2 Multiple Vulnerabilities

High

Synopsis

The remote host has a web browser installed that is affected by multiple attack vectors.

Description

Versions of Safari prior to 10.1.2 are affected by multiple vulnerabilities :

- An information disclosure vulnerability exists in the WebKit component due to improper handling of SVG filters. An unauthenticated, remote attacker can exploit this, via a timing side-channel attack, to disclose sensitive cross-domain information. (CVE-2017-7006) - An unspecified flaw exists that allows an unauthenticated, remote attacker to spoof the address bar via a specially crafted website. (CVE-2017-7011) - Multiple memory corruption issues exists in the 'WebKit Web Inspector' component due to improper validation of input. An unauthenticated, remote attacker can exploit these issues, via a specially crafted web page, to execute arbitrary code. (CVE-2017-7012) - Multiple memory corruption issues exist in the WebKit component due to improper validation of input. An unauthenticated, remote attacker can exploit these issues, via a specially crafted web page, to execute arbitrary code. (CVE-2017-7018, CVE-2017-7020, CVE-2017-7030, CVE-2017-7034, CVE-2017-7037, CVE-2017-7039, CVE-2017-7040, CVE-2017-7041, CVE-2017-7042, CVE-2017-7043, CVE-2017-7046, CVE-2017-7048, CVE-2017-7049, CVE-2017-7052, CVE-2017-7055, CVE-2017-7056, CVE-2017-7061) - A memory corruption issue exists in the 'WebKit Page Loading' component due to improper validation of input. An unauthenticated, remote attacker can exploit this, via a specially crafted web page, to execute arbitrary code. (CVE-2017-7019) - Multiple cross-site scripting (XSS) vulnerabilities exist in the WebKit component in the DOMParser due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit these issue, via a specially crafted URL, to execute arbitrary script code in a user's browser session. (CVE-2017-7038, CVE-2017-7059) - A denial of service vulnerability exists in the Safari Printing component. An unauthenticated, remote attacker can exploit this, via a specially crafted web page, to create an infinite number of print dialogs. (CVE-2017-7060) - An unspecified memory initialization flaw exists in WebKit. A local attacker can exploit this, via a specially crafted application, to disclose restricted memory. (CVE-2017-7064)

Solution

Upgrade to Safari version 10.1.2 or later.