Computing Facilities    links to the SCS and CMU home pages Carnegie Mellon School of Computer Science Carnegie Mellon University
 
Advanced search tips 
 Documentation
 » Introduction to Facilities 
 » Accounts & passwords 
 » AFS 
 » Application software 
 » AV help 
 » Backups & restores 
 » Calendaring 
 » E-mail 
 » Networking 
 » Printing 
 » Purchasing 
 » Resource management 
 » Security 
 » Software licensing 
 » Support charges 
 » Web publishing 
 » Your health 
 » Mac support 
 » Linux support 
 » Windows PC support 

Apple Safari 3.1 Security Upgrade

March 19, 2008

SCS Computing Facilities has received the following announcement from campus Computing Services.

Safari 3.1 is the first full release version for Windows (all previous were betas.) Also, it appears Apple will be issuing Safari updates as separate packages now rather than rolled into their OS updates.

Title:

Apple Safari 3.1 Security Upgrade (Mac & Windows)

CMU Relevance:

Definitely used on campus

Severity:

Critical

Impact:

Remote Code Execution

Information Disclosure

Exploit Code Available:

Unknown

Affected Versions:

  • Apple Safari for Windows versions prior to 3.1
  • Apple Safari for Mac versions prior to 3.1

    Vulnerability Details:

    Multiple vulnerabilities have been identified in Apple Safari, which could be exploited by remote attackers to bypass security restrictions, cause a denial of service, disclose sensitive information, or execute arbitrary code.

    The first issue is caused by an error in the validation of certificates, which could be exploited by an attacker to direct a user to a spoofed web site that incorrectly appears to be trusted.

    The second vulnerability is caused by an error when handling 502 Bad Gateway errors sent by an HTTPS proxy server, which could allow a malicious proxy to spoof secure websites.

    The third issue is caused by an input validation error in the Safari's error page when handling malformed URLs, which could be exploited to conduct cross site scripting attacks and disclose sensitive information.

    The fourth vulnerability is caused by an input validation error when processing "javascript:" URLs, which could be exploited to conduct cross site scripting attacks in the context of arbitrary web sites.

    The fifth issue is caused by an error when handling web pages that have explicitly set the "document.domain" property, which could lead to a cross-site scripting attack in sites that set the "document.domain" property, or between HTTP and HTTPS sites with the same "document.domain".

    The sixth vulnerability is caused by an error in Web Inspector, which could allow a page being inspected to escalate its privileges by injecting script that will run in other domains and read the user's file system.

    The seventh vulnerability is caused by an error when using the Kotoeri input method, which could result in exposing a password field content on the display when reverse conversion is requested.

    The eighth issue is caused by an error when handling "window.open()" functions, which could be exploited to conduct cross site scripting attacks.

    The ninth vulnerability is caused by a design error where frame navigation policy is not enforced for Java applets, which could be exploited to conduct cross site scripting attacks via a specially crafted Java applet.

    The tenth issue is caused by an error when handling the "document.domain" property, which could be exploited to conduct cross site scripting attacks and disclose sensitive information.

    The eleventh vulnerability is caused by an error when handling the "history" object, which could be exploited to conduct cross site scripting attacks and inject JavaScript in the context of arbitrary frames.

    The twelfth issue is caused by a buffer overflow error in WebKit when handling malformed JavaScript regular expressions, which could be exploited by malicious web sites to crash an affected browser or execute arbitrary code.

    The thirteenth vulnerability is caused by an error in WebKit that allows method instances from one frame to be called in the context of another frame, which could be exploited to conduct cross site scripting attacks and disclose sensitive information.

    FrSIRThttp://www.frsirt.com/english/advisories/2008/0920

    Applehttp://docs.info.apple.com/article.html?artnum=307563

    Suggested Mitigation Steps:

    * Upgrade to Safari 3.1

    Windows:

    Use Apple Software Update or apply manually.

    Apple Software Update

    Start->All Programs->Apple Software Update.

    Manualhttp://www.apple.com/safari/

    Mac:

    Use Software Update or apply manually.

    Software Update

    Apple Menu->Software Update

    Manualhttp://www.apple.com/safari/

    Ted Pham
    Information Security Office
    Carnegie Mellon University
    
    ---------------------------------------------
    Departmental Computing Group Mailing List
    dept-computing-group@lists.andrew.cmu.edu
    http://www.cmu.edu/computing/dept-computing
    ---------------------------------------------
    

    Please contact help+@cs.cmu.edu or call the SCS Help Desk (x8-4231) if you have questions or problems with applying these patches.

    Thank you for your attention,

    SCS Help Desk