Safari < 6.2.2 / 7.1.2 / 8.0.2 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 8590

Synopsis

The remote host contains a web browser that is affected by multiple security vulnerabilities.

Description

The version of Safari installed on the remote Mac OS X host is prior to 6.2.2 / 7.1.2 / 8.0.2. It is, therefore, affected by the following vulnerabilities in WebKit:

- A UI spoofing flaw exists in the handling of scrollbar boundaries. Visiting websites that frame malicious content can allow the UI to be spoofed. (CVE-2014-1748)

- An SVG loaded in an IMG element could load a CSS file cross-origin. This can allow data exfiltration. (CVE-2014-4465)

- Multiple memory corruption errors exist in WebKit that could be leveraged for arbitrary code execution. (CVE-2014-4452, CVE-2014-4459, CVE-2014-4466, CVE-2014-4468, CVE-2014-4469, CVE-2014-4470, CVE-2014-4471, CVE-2014-4472, CVE-2014-4473, CVE-2014-4474, CVE-2014-4475)

Note that the 6.2.2 / 7.1.2 / 8.0.2 Safari updates include the security content of the 6.2.1 / 7.1.1 / 8.0.1 updates. These more recent updates, however, were released to fix potential issues with the installation of the previous patch release.

Solution

Upgrade to Safari 8.0.2 or later. If version 8.0.x is not available, versions 7.1.2 and 6.2.2 are also patched for these issues.
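To apply the per-branch fixed-release rule above across an inventory of hosts, here is an added Python example; it is not Tenable's plugin code. The host names and versions are constructed, and treating majors below 6 as affected and majors above 8 as patched is an assumption, not something the advisory states.

```python
"""Added example (not Tenable's plugin code): branch-aware check of a Safari
version string against the fixed releases named in this advisory."""
from typing import Dict, List, Tuple

# Fixed release per major-version branch, taken from the advisory text.
FIXED_RELEASES: Dict[int, Tuple[int, int, int]] = {
    6: (6, 2, 2),
    7: (7, 1, 2),
    8: (8, 0, 2),
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '8.0.1' or '7.1' into a 3-tuple; missing components count as 0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Safari version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]

def is_vulnerable(text: str) -> bool:
    """True when the version predates the fixed release for its branch.

    Assumption (not stated by the advisory): majors below 6 never received
    this fix and are treated as affected; majors above 8 postdate every fix
    and are treated as patched.
    """
    version = parse_version(text)
    major = version[0]
    if major < min(FIXED_RELEASES):
        return True
    if major > max(FIXED_RELEASES):
        return False
    return version < FIXED_RELEASES[major]

def triage(hosts: Dict[str, str]) -> List[str]:
    """Return, sorted, the host names whose reported Safari is affected."""
    return sorted(h for h, v in hosts.items() if is_vulnerable(v))

# Constructed sample inventory (host -> detected Safari version).
SAMPLE_HOSTS = {
    "mac-01": "8.0.1",   # 8.0.x below 8.0.2 -> affected
    "mac-02": "8.0.2",   # at the fixed release -> patched
    "mac-03": "7.1.2",   # patched on the 7.1 branch
    "mac-04": "7.0.6",   # 7.0.x is below 7.1.2 -> affected
    "mac-05": "6.2.1",   # below 6.2.2 -> affected
    "mac-06": "9.0",     # newer major -> patched (assumption)
}

if __name__ == "__main__":
    print("affected:", triage(SAMPLE_HOSTS))
```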

See Also

http://support.apple.com/kb/HT6597

http://support.apple.com/en-us/HT1222

http://www.securityfocus.com/archive/1/534148

Plugin Details

Severity: Medium

ID: 8590

Family: Web Clients

Published: 1/27/2015

Updated: 3/6/2019

Nessus ID: 80055

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 5.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apple:safari

Patch Publication Date: 12/11/2014

Vulnerability Publication Date: 4/2/2014

Reference Information

CVE: CVE-2014-1748, CVE-2014-4465, CVE-2014-4466, CVE-2014-4468, CVE-2014-4469, CVE-2014-4470, CVE-2014-4471, CVE-2014-4472, CVE-2014-4473, CVE-2014-4474, CVE-2014-4475

BID: 71438, 71439, 71442, 71444, 71445, 71449, 71451, 71459, 71461, 71462, 71464