Detalji

Uočene su dvije nepravilnosti u Internet pregledniku Safari koje su posljedica pogrešaka vezanih uz Webkit koji Safari koristi. Jedna od ranjivosti se očituje kao cjelobrojno prepisivanje u Webkit alatu pri obradi podataka o stilu, a druga kao korupcija memorije pri obradu teksta. Obje ranjivosti mogu iskoristiti udaljeni napadači navođenjem korisnika na otvaranje posebno oblikovane web stranice. Ukoliko u tome uspiju, napadač može iskoristiti ranjivosti za izvođenje proizvoljnog programskog koda ili DoS napad. Korisnici se potiču na korištenje nadogradnje.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2011-04-14-3 Safari 5.0.5

Safari 5.0.5 is now available and addresses the following:

WebKit
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.5 or later, Mac OS X Server v10.6.5 or later,
Windows 7, Vista, XP SP2 or later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  An integer overflow issue existed in the handling of
nodesets. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-1290 : Vincenzo Iozzo, Willem Pinckaers, Ralf-Philipp
Weinmann, and an anonymous researcher working with TippingPoint's
Zero Day Initiative

WebKit
Available for:  Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.5 or later, Mac OS X Server v10.6.5 or later,
Windows 7, Vista, XP SP2 or later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A use after free issue existed in the handling of text
nodes. Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-1344 : Vupen Security working with TippingPoint's Zero Day
Initiative, and Martin Barbella


Note:

Certificate Trust Policy

Several fraudulent SSL certificates were issued by a Comodo affiliate
registration authority. This may allow a man-in-the-middle attacker
to redirect connections and intercept user credentials or other
sensitive information. Safari relies on the certificate store of the
host operating system to determine if an SSL server certificate is
trustworthy. For Mac OS X systems, this issue is addressed with
Security Update 2011-002. For iOS, this issue is addressed with iOS
4.3.2 and iOS 4.2.7. For Windows systems, applying the update
described in Microsoft Knowledge Base Article 2524375 will cause
Safari to regard these certificates as untrusted. The article is
available at http://support.microsoft.com/kb/2524375


Safari 5.0.5 is available via the Apple Software Update
application, or Apple's Safari download site at:
http://www.apple.com/safari/download/

Safari for Mac OS X v10.6.5 and later
The download file is named: Safari5.0.5SnowLeopard.dmg
Its SHA-1 digest is: 631cd280171938491c45a905e24904e7739eaefe

Safari for Mac OS X v10.5.8
The download file is named: Safari5.0.5Leopard.dmg
Its SHA-1 digest is: 661cdb68ca33b8eb41f20be837eb6a1c12289876

Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: c2c6b1f5c04af7f24d2474e4b2597d40dddaeca2

Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: e245b935fc0aaec31a512fa0ab9dce2dcec0b2f8

Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 5f1455cd2290e9ced03dfbb6ea57b4c2931446a5

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)

iQEcBAEBAgAGBQJNphlUAAoJEGnF2JsdZQee1GkH/iuQ6LP4y5nBIDA9aEdIxf0W
Ck8983LqH5dQJOWa3kdvA2//DRdW0mhaZrOWkECa2NvWiz+FoDkbAm531shpuKvc
8AgVBjDs/bZzJRmOmmbbGaJBzFLc7lzrf5RxKoKzvfgPsNqT/wBqssv74C2b2vjf
LqJuZg0zZ6tvGCzg+J9q/h8w1nUk8Gc52TLaL0Nw+Y+Uu7eEgk2Gt1iiEKh4v6Nv
hEEcPrepF8zYljS/UPX8LKG7TREHazyXB7iIxo14tx02ZZQzvOcp6TuVkr28CxF+
n3VyD/FFyOgwvtQiep7i551PFbGlboOgZ2jFyv0Ad7tgT5BJJQqOrF5pPM/zn9A=
=4V8l
-----END PGP SIGNATURE-----
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/security-announce/advisory%40lss.hr

This email sent to Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.

Idi na vrh