Ranjivosti u radu paketa Safari

U radu programskog paketa Safari uočene su sigurnosne ranjivosti koje udaljenom napadaču omogućuju zaobilaženje pojedinih ograničenja, izvođenje DoS napada i pokretanje proizvoljnog programskog koda.

Paket:	Safari 5.x
Operacijski sustavi:	Apple Mac OS X 10.6, Apple Mac OS X 10.7, Microsoft Windows XP, Microsoft Windows Vista, Microsoft Windows 7
Kritičnost:	7.4
Problem:	korupcija memorije, pogreška u programskoj komponenti, XSS
Iskorištavanje:	udaljeno
Posljedica:	proizvoljno izvršavanje programskog koda, uskraćivanje usluga (DoS), zaobilaženje postavljenih ograničenja
Rješenje:	programska zakrpa proizvođača
CVE:	CVE-2011-3046, CVE-2011-3056, CVE-2012-0672, CVE-2012-0676
Izvorni ID preporuke:	APPLE-SA-2012-05-09
Izvor:	Apple

Problem:
Ranjivosti su uzrokovane neodgovarajućim upravljanjem poviješću (eng. history) u podsustavu "extension", korupcijom memorije te višestrukim XSS pogreškama.
Posljedica:
Napadači mogu iskoristiti nedostatke za DoS napad, izvršavanje proizvoljnog programskog koda i zaobilaženje pojedinih ograničenja.
Rješenje:
Korisnicima se savjetuje korištenje odgovarajuće nadogradnje.

Izvorni tekst preporuke

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2012-05-09-2 Safari 5.1.7

Safari 5.1.7 is now available and addresses the following:

WebKit
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.4, OS X Lion Server v10.7.4, Windows 7, Vista,
XP SP2 or later
Impact:  Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description:  Multiple cross-site scripting issues existed in WebKit.
CVE-ID
CVE-2011-3046 : Sergey Glazunov working with Google's Pwnium contest
CVE-2011-3056 : Sergey Glazunov

WebKit
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.4, OS X Lion Server v10.7.4, Windows 7, Vista,
XP SP2 or later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in WebKit.
CVE-ID
CVE-2012-0672 : Adam Barth and Abhishek Arya of the Google Chrome
Security Team

WebKit
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.4, OS X Lion Server v10.7.4, Windows 7, Vista,
XP SP2 or later
Impact:  A maliciously crafted website may be able to populate form
inputs on another website with arbitrary values
Description:  A state tracking issue existed in WebKit's handling of
forms.
CVE-ID
CVE-2012-0676 : Andreas Akre Solberg of UNINETT AS, Aaron Roots of
Deakin University ITSD, Tyler Goen

Note: In addition, this update disables Adobe Flash Player if it
is older than 10.1.102.64 by moving its files to a new directory.
This update presents the option to install an updated version of
Flash Player from the Adobe website.


Safari 5.1.7 is available via the Apple Software Update
application, or Apple's Safari download site at:
http://www.apple.com/safari/download/

Safari for OS X Lion v10.7.4
The download file is named: Safari5.1.7LionManual.dmg
Its SHA-1 digest is: 5024eb2e358feb6b87d6eff15438bf7ae99619b4

Safari for Mac OS X v10.6.8
The download file is named: Safari5.1.7SnowLeopardManual.dmg
Its SHA-1 digest is: 32d1dca993b455bc5c230caef95ab70c702e6fee

Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: f601df0106987bfffc3f22b046ba835e4f8d29c6

Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: 193eaddae1d25dd1b0f8786a810de083fc9280b0

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)

iQEcBAEBAgAGBQJPqtgCAAoJEGnF2JsdZQeeIvQIAIIbdrlsjYRAiMAEK/o4QwkF
M4EIDhqpDPnjDFBcT39vqapEPt4btYp0x+464bNRyU9ex4bY7NGPzaKTS/bdcnXJ
BbpmR8rFluCRZ3AIyFSYPvKImsoyp5IZ91lTIxes1E4j+ed1diXEpLlt8Pp4K3Fc
w2hao+KBKYCUKcjy49whKC0+6jnQWPoP7lPl9gjVyM/fky4K2J/F2c2saXHTDS9l
L3CU4+0jA6INzY2NN2j3jdSZgglLgRcDvF3dAriNhW0Wlyd6ucuTxULbC1cS0mRs
w4stMTnMzdgKsy13kE2tBQAf3rguM1PzlJAlOZMw9Ad/O6lU+8uaJ8AmBygVpq4=
=x2Jz
-----END PGP SIGNATURE-----
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/security-announce/advisory%40lss.hr

This email sent to Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.

Ranjivosti u radu paketa Safari

Tražilica portala

Aktivnosti

O CIS-u

Posljednje vijesti

Posljednji dokumenti

Ranjivosti u radu paketa Safari

Tražilica portala

Aktivnosti

O CIS-u

Posljednje sigurnosne preporuke

Posljednje vijesti

Popularni članci

Posljednji dokumenti