Safari < 4.1 / 5.0 Multiple Vulnerabilities

high Log Correlation Engine Plugin ID 801012

Synopsis

The remote host contains a web browser that is vulnerable to multiple attack vectors.

Description

Versions of Safari earlier than 4.1 / 5.0 are potentially affected by multiple vulnerabilities:

- A heap buffer overflow exists in the handling of images with an embedded ColorSync profile. (CVE-2009-1726)

- Safari supports the inclusion of user information in URLs, which allows the URL to specify a username and password to authenticate the user to the named server. (CVE-2010-1384)

- A use after free issue exists in Safari's management of windows. (CVE-2010-1750)

- An implementation issue exists in WebKit's handling of URLs in the clipboard. (CVE-2010-1388)

- Dragging or pasting a selection from one site to another may allow scripts contained in the selection to be executed in the context of the new site. (CVE-2010-1389)

- A canonicalization issue exists in WebKit's handling of UTF-7 encoded text. (CVE-2010-1390)

- A path traversal issue exists in WebKit's support for Local Storage and Web SQL database. (CVE-2010-1391)

- A use after free issue exists in WebKit's rendering of HTML buttons. (CVE-2010-1392)

- An information disclosure issue exists in WebKit's handling of Cascading Stylesheets. (CVE-2010-1393)

- A use after free issue exists in WebKit's handling of attribute manipulation. (CVE-2010-1119)

- A design issue exists in WebKit's handling of HTML document fragments. (CVE-2010-1394)

- An implementation issue exists in WebKit's handling of keyboard focus. (CVE-2010-1422)

- A scope management issue exists in WebKit's handling of DOM constructor objects. (CVE-2010-1395)

- A use after free issue exists in WebKit's handling of the removal of container elements. (CVE-2010-1396)

- A use after free issue exists in WebKit's rendering of a selection when the layout changes. (CVE-2010-1397)

- A memory corruption issue exists in WebKit's handling of ordered list insertions. (CVE-2010-1398)

- An uninitialized memory access issue exists in WebKit's handling of selection changes on form input elements. (CVE-2010-1399)

- A use after free issue exists in WebKit's handling of caption elements. (CVE-2010-1400)

- A use after free issue exists in WebKit's handling of the ':first-letter' pseudo-element in cascading stylesheets. (CVE-2010-1401)

- A double free issue exists in WebKit's handling of event listeners in SVG documents. (CVE-2010-1402)

- An uninitialized memory access issue exists in WebKit's handling of 'use' elements in SVG documents. (CVE-2010-1403)

- A use after free issue exists in WebKit's handling of SVG documents with multiple 'use' elements. (CVE-2010-1404)

- A memory corruption issue exists in WebKit's handling of nested 'use' elements in SVG documents. (CVE-2010-1410)

- A use after free issue exists in WebKit's handling of CSS run-ins. (CVE-2010-1749)

- A use after free issue exists in WebKit's handling of HTML elements with custom vertical positioning. (CVE-2010-1405)

- When WebKit is redirected from an HTTPS site to an HTTP site, the Referer header is passed to the HTTP site. (CVE-2010-1406)

- An integer truncation issue exists in WebKit's handling of requests to non-default TCP ports. (CVE-2010-1408)

- Common IRC service ports are not included in WebKit's port blacklist. (CVE-2010-1409)

- A use after free issue exists in WebKit's handling of hover events. (CVE-2010-1412)

- In certain circumstances, WebKit may send NTLM credentials in plain text. (CVE-2010-1413)

- A use after free issue exists in WebKit's handling of the removeChild DOM method. (CVE-2010-1414)

- An API abuse issue exists in WebKit's handling of libxml contexts. (CVE-2010-1415)

- A cross-site image capture issue exists in WebKit. (CVE-2010-1416)

- A memory corruption issue exists in WebKit's rendering of CSS-styled HTML content with multiple :after pseudo-selectors. (CVE-2010-1417)

- An input validation issue exists in WebKit's handling of the src attribute of the frame element. (CVE-2010-1418)

- A use after free issue exists in WebKit's handling of drag and drop when the window acting as a source of a drag operation is closed before the drag operation is completed. (CVE-2010-1419)

- A design issue exists in the implementation of the JavaScript function execCommand. (CVE-2010-1421)

- An issue in WebKit's handling of malformed URLs may result in a cross-site scripting attack when visiting a maliciously crafted website. (CVE-2010-0544)

- A use after free issue exists in WebKit's handling of DOM Range objects. (CVE-2010-1758)

- A use after free issue exists in WebKit's handling of the Node.normalize method. (CVE-2010-1759)

- A use after free issue exists in WebKit's rendering of HTML document subtrees. (CVE-2010-1761)

- A design issue exists in the handling of HTML contained in textarea elements. (CVE-2010-1762)

- A design issue exists in WebKit's handling of HTTP redirects. (CVE-2010-1764)

- A type checking issue exists in WebKit's handling of text nodes. (CVE-2010-1770)

- A use after free issue exists in WebKit's handling of fonts. (CVE-2010-1771)

- An out of bounds memory access issue exists in WebKit's handling of HTML tables. (CVE-2010-1774)

- A design issue exists in WebKit's handling of the CSS :visited pseudo-class.

Solution

Upgrade to Safari 4.1, 5.0, or later.

See Also

lists.apple.com/archives/security-announce/2010/Jun/msg00000.html