Mac OS X : Apple Safari < 6.0.5 Multiple Vulnerabilities

high Nessus Plugin ID 66810

Synopsis

The remote host contains a web browser that is affected by several vulnerabilities.

Description

The version of Apple Safari installed on the remote Mac OS X 10.7 or 10.8 host is earlier than 6.0.5. It is, therefore, potentially affected by several issues :

- Multiple memory corruption vulnerabilities exist in WebKit that could lead to unexpected program termination or arbitrary code execution. (CVE-2013-0879 / CVE-2013-0991 / CVE-2013-0992 / CVE-2013-0993 / CVE-2013-0994 / CVE-2013-0995 / CVE-2013-0996 / CVE-2013-0997 / CVE-2013-0998 / CVE-2013-0999 / CVE-2013-1000 / CVE-2013-1001 / CVE-2013-1002 / CVE-2013-1003 / CVE-2013-1004 / CVE-2013-1005 / CVE-2013-1006 / CVE-2013-1007 / CVE-2013-1008 / CVE-2013-1009 / CVE-2013-1010 / CVE-2013-1011 / CVE-2013-1023)

- A cross-site scripting issue exists in WebKit's handling of iframes. (CVE-2013-1012)

- A cross-site scripting issue exists in WebKit's handling of copied and pasted data in HTML documents.
(CVE-2013-0926)

- In rewriting URLs to prevent cross-site scripting attacks, XSS Auditor could be abused, leading to malicious alteration of the behavior of a form submission. (CVE-2013-1013)

Solution

Upgrade to Apple Safari 6.0.5 or later.

See Also

http://www.zerodayinitiative.com/advisories/ZDI-13-107/

http://www.zerodayinitiative.com/advisories/ZDI-13-108/

http://www.zerodayinitiative.com/advisories/ZDI-13-109/

http://support.apple.com/kb/HT5785

http://lists.apple.com/archives/security-announce/2013/Jun/msg00001.html

http://www.securityfocus.com/archive/1/526807/30/0/threaded

Plugin Details

Severity: High

ID: 66810

File Name: macosx_Safari6_0_5.nasl

Version: 1.9

Type: local

Agent: macosx

Published: 6/5/2013

Updated: 11/27/2019

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2013-1010

Vulnerability Information

CPE: cpe:/a:apple:safari

Required KB Items: Host/local_checks_enabled, Host/MacOSX/Version, MacOSX/Safari/Installed

Exploit Ease: No known exploits are available

Patch Publication Date: 6/4/2013

Vulnerability Publication Date: 2/21/2013

Reference Information

CVE: CVE-2013-0879, CVE-2013-0926, CVE-2013-0991, CVE-2013-0992, CVE-2013-0993, CVE-2013-0994, CVE-2013-0995, CVE-2013-0996, CVE-2013-0997, CVE-2013-0998, CVE-2013-0999, CVE-2013-1000, CVE-2013-1001, CVE-2013-1002, CVE-2013-1003, CVE-2013-1004, CVE-2013-1005, CVE-2013-1006, CVE-2013-1007, CVE-2013-1008, CVE-2013-1009, CVE-2013-1010, CVE-2013-1011, CVE-2013-1012, CVE-2013-1013, CVE-2013-1023

BID: 58731, 59326, 59944, 59953, 59954, 59955, 59956, 59957, 59958, 59959, 59960, 59963, 59964, 59965, 59967, 59970, 59971, 59972, 59973, 59974, 59976, 59977, 60361, 60362, 60363, 60364

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990

APPLE-SA: APPLE-SA-2013-06-04-2