Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, and subsequently allows remote attackers to execute arbitrary code on Windows by leveraging an untrusted search path vulnerability in (a) Internet Explorer 7 on Windows XP or (b) the SearchPath function in Windows XP, Vista, and Server 2003 and 2008, aka a "Carpet Bomb" and a "Blended Threat Elevation of Privilege Vulnerability," a different issue than CVE-2008-1032. NOTE: Apple considers this a vulnerability only because the Microsoft products can load application libraries from the desktop and, as of 20080619, has not covered the issue in an advisory for Mac OS X.

A vulnerability in the way the Windows SearchPath function locates and opens files on the remote host could allow an attacker to execute arbitrary remote code if he can trick a user into downloading a specially crafted file into a specific location, such as the Windows Desktop.

The remote host is missing IE Security Update 963027.

The remote version of IE is affected by several vulnerabilities that may allow an attacker to execute arbitrary code on the remote host.

The version of Safari installed on the remote host reportedly is affected by several issues :

  - An out-of-bounds memory read while handling BMP and GIF     images may lead to information disclosure     (CVE-2008-1573).

  - Safari will automatically launch executable files     downloaded from a site if that site is in an IE7 zone     with 'Launching applications and unsafe files' set to     'Enable' or an IE6 'Local intranet ' / ' Trusted sites'     zone (CVE-2008-2306).

  - There is a memory corruption issue in WebKit's     handling of JavaScript arrays that could be leveraged     to crash the application or execute arbitrary code     if visiting a malicious site (CVE-2008-2307).

  - When handling an object with an unrecognized content     type, Safari does not prompt the user before     downloading the object (aka, the 'carpet-bombing'     issue). If the download location is the Windows     Desktop (the default), this could lead to arbitrary     code execution (CVE-2008-2540).

The version of Safari installed on the remote host reportedly is affected by several issues :

  - An out-of-bounds memory read while handling BMP and GIF images may lead to information disclosure (CVE-2008-1573).
  - Safari will automatically launch executable files downloaded from a site if that site is in an IE7 zone with 'Launching applications and unsafe files' set to 'Enable' or an IE6 'Local intranet ' / ' Trusted sites' zone (CVE-2008-2306).
  - There is a memory corruption issue in WebKit's handling of JavaScript arrays that could be leveraged to crash the application or execute arbitrary code if visiting a malicious site (CVE-2008-2307).
  - When handling an object with an unrecognized content type, Safari does not prompt the user before downloading the object (aka, the 'carpet-bombing' issue). If the download location is the Windows Desktop (the default), this could lead to arbitrary code execution (CVE-2008-2540).

The version of Safari installed on the remote host reportedly is affected by several issues :

  - An out-of-bounds memory read while handling BMP and GIF images may lead to information disclosure (CVE-2008-1573).
  - Safari will automatically launch executable files downloaded from a site if that site is in an IE7 zone with 'Launching applications and unsafe files' set to 'Enable' or an IE6 'Local intranet ' / ' Trusted sites' zone (CVE-2008-2306).
  - There is a memory corruption issue in WebKit's handling of JavaScript arrays that could be leveraged to crash the application or execute arbitrary code if visiting a malicious site (CVE-2008-2307).
  - When handling an object with an unrecognized content type, Safari does not prompt the user before downloading the object (aka, the 'carpet-bombing' issue). If the download location is the Windows Desktop (the default), this could lead to arbitrary code execution (CVE-2008-2540).
IAVT Reference : 2009-T-0021
STIG Finding Severity : Category II

ID	Name	Product	Family	Severity
36153	MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426)	Nessus	Windows : Microsoft Bulletins	high
36152	MS09-014: Cumulative Security Update for Internet Explorer (963027)	Nessus	Windows : Microsoft Bulletins	high
33226	Safari < 3.1.2 Multiple Vulnerabilities	Nessus	Windows	high
4556	Safari < 3.1.2 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
800992	Safari < 3.1.2 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high

Detections

Analytics

CVE-2008-2540

medium

Tenable Plugins

high

high

high

medium

high