Sign-up

ID

VAR-201009-0263


CVE

CVE-2010-1806


TITLE

Apple Safari Vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2010-002057

DESCRIPTION

Use-after-free vulnerability in Apple Safari 4.x before 4.1.2 and 5.x before 5.0.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via run-in styling in an element, related to object pointers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the library's support of an element containing the run-in property. When a block box is appended as the sibling of a run-in box, the run-in box will be promoted to the first inline box. This implies that the first inline box will be destroyed. Later when the application attempts to destroy this element, it will access memory that has been freed. If an attacker can substitute an alternate type in the element's place, the attacker will have code execution under the context of the application. WebKit is prone to a remote code-execution vulnerability. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. This issue has been addressed in Apple Safari 5.0.2 and Safari 4.1.2. Safari is the web browser bundled by default in the Apple family machine operating system. A use-after-free vulnerability exists in Apple Safari 4.x versions prior to 4.1.2 and 5.x versions prior to 5.0.2. This vulnerability is related to object pointers. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4333 -- Disclosure Timeline: 2010-06-17 - Vulnerability reported to vendor 2010-09-13 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * wushi of team509 -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi . ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Apple iOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA42314 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42314/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42314 RELEASE DATE: 2010-11-24 DISCUSS ADVISORY: http://secunia.com/advisories/42314/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42314/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42314 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Apple iOS, which can be exploited by malicious people to conduct cross-site scripting and spoofing attacks, disclose sensitive information, bypass certain security restrictions, or to compromise a user's system. For more information: SA40257 SA41328 SA42151 SA42312 SOLUTION: Upgrade to iOS 4.2 (downloadable and installable via iTunes). ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4456 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.79

sources: NVD: CVE-2010-1806 // JVNDB: JVNDB-2010-002057 // ZDI: ZDI-10-170 // BID: 43049 // VULHUB: VHN-44411 // PACKETSTORM: 93802 // PACKETSTORM: 96086

AFFECTED PRODUCTS

vendor:applemodel:safariscope:eqversion:4.0.5

Trust: 1.9

vendor:applemodel:safariscope:eqversion:4.0.4

Trust: 1.9

vendor:applemodel:safariscope:eqversion:4.0.3

Trust: 1.9

vendor:applemodel:safariscope:eqversion:4.0.2

Trust: 1.9

vendor:applemodel:safariscope:eqversion:4.0.1

Trust: 1.9

vendor:applemodel:safariscope:eqversion:5.0.1

Trust: 1.9

vendor:applemodel:safariscope:eqversion:5.0

Trust: 1.9

vendor:applemodel:safariscope:eqversion:4.1

Trust: 1.9

vendor:applemodel:safariscope:eqversion:4.0.0b

Trust: 1.6

vendor:applemodel:safariscope:eqversion:4.0

Trust: 1.6

vendor:applemodel:safariscope:eqversion:4

Trust: 1.1

vendor:applemodel:mac os xscope:eqversion:v10.4.11

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:v10.5.8

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:v10.4.11

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:v10.5.8

Trust: 0.8

vendor:applemodel:iosscope:eqversion:2.0 to 4.1 (iphone 3g after )

Trust: 0.8

vendor:applemodel:iosscope:eqversion:2.1 to 4.1 (ipod touch (2nd generation) after )

Trust: 0.8

vendor:applemodel:iosscope:eqversion:3.2 to 3.2.2 (ipad for )

Trust: 0.8

vendor:applemodel:ipadscope: - version: -

Trust: 0.8

vendor:applemodel:iphonescope: - version: -

Trust: 0.8

vendor:applemodel:ipod touchscope: - version: -

Trust: 0.8

vendor:applemodel:safariscope:eqversion:5

Trust: 0.8

vendor:applemodel:webkitscope: - version: -

Trust: 0.7

vendor:webkitmodel:open source project webkitscope:eqversion:0

Trust: 0.3

vendor:applemodel:safari for windowsscope:eqversion:4.0.5

Trust: 0.3

vendor:applemodel:safari for windowsscope:eqversion:4.0.4

Trust: 0.3

vendor:applemodel:safari for windowsscope:eqversion:4.0.3

Trust: 0.3

vendor:applemodel:safari for windowsscope:eqversion:4.0.2

Trust: 0.3

vendor:applemodel:safari for windowsscope:eqversion:5.0.1

Trust: 0.3

vendor:applemodel:safari for windowsscope:eqversion:5.0

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.1.1

Trust: 0.3

vendor:applemodel:safari for windowsscope:eqversion:4

Trust: 0.3

vendor:applemodel:ipod touchscope:eqversion:3.1.3

Trust: 0.3

vendor:applemodel:ipod touchscope:eqversion:3.1.2

Trust: 0.3

vendor:applemodel:ipod touchscope:eqversion:3.1.1

Trust: 0.3

vendor:applemodel:ipod touchscope:eqversion:2.2.1

Trust: 0.3

vendor:applemodel:ipod touchscope:eqversion:3.0

Trust: 0.3

vendor:applemodel:ipod touchscope:eqversion:2.2

Trust: 0.3

vendor:applemodel:ipod touchscope:eqversion:2.1

Trust: 0.3

vendor:applemodel:iphonescope:eqversion:4.0.1

Trust: 0.3

vendor:applemodel:iphonescope:eqversion:3.2.1

Trust: 0.3

vendor:applemodel:iphonescope:eqversion:3.1.3

Trust: 0.3

vendor:applemodel:iphonescope:eqversion:3.1.2

Trust: 0.3

vendor:applemodel:iphonescope:eqversion:3.0.1

Trust: 0.3

vendor:applemodel:iphonescope:eqversion:2.2.1

Trust: 0.3

vendor:applemodel:iphonescope:eqversion:2.0.2

Trust: 0.3

vendor:applemodel:iphonescope:eqversion:2.0.1

Trust: 0.3

vendor:applemodel:iphonescope:eqversion:4.1

Trust: 0.3

vendor:applemodel:iphonescope:eqversion:4.0

Trust: 0.3

vendor:applemodel:iphonescope:eqversion:3.2

Trust: 0.3

vendor:applemodel:iphonescope:eqversion:3.1

Trust: 0.3

vendor:applemodel:iphonescope:eqversion:3.0

Trust: 0.3

vendor:applemodel:iphonescope:eqversion:2.2

Trust: 0.3

vendor:applemodel:iphonescope:eqversion:2.1

Trust: 0.3

vendor:applemodel:iphonescope:eqversion:2.0

Trust: 0.3

vendor:applemodel:ipadscope:eqversion:3.2.1

Trust: 0.3

vendor:applemodel:ipadscope:eqversion:3.2.2

Trust: 0.3

vendor:applemodel:ipadscope:eqversion:3.2

Trust: 0.3

vendor:applemodel:ipadscope:eqversion:0

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.0.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.0.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:3.2.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:3.2.1

Trust: 0.3

vendor:applemodel:ios betascope:eqversion:4.2

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4.1

Trust: 0.3

vendor:applemodel:iosscope:eqversion:4

Trust: 0.3

vendor:applemodel:iosscope:eqversion:3.2

Trust: 0.3

vendor:applemodel:safari for windowsscope:neversion:4.1.2

Trust: 0.3

vendor:applemodel:safari for windowsscope:neversion:5.0.2

Trust: 0.3

vendor:applemodel:safariscope:neversion:5.0.2

Trust: 0.3

vendor:applemodel:safariscope:neversion:4.1.2

Trust: 0.3

vendor:applemodel:iosscope:neversion:4.2

Trust: 0.3

sources: ZDI: ZDI-10-170 // BID: 43049 // JVNDB: JVNDB-2010-002057 // CNNVD: CNNVD-201009-088 // NVD: CVE-2010-1806

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2010-1806
value: HIGH

Trust: 1.0

NVD: CVE-2010-1806
value: HIGH

Trust: 0.8

ZDI: CVE-2010-1806
value: HIGH

Trust: 0.7

CNNVD: CNNVD-201009-088
value: CRITICAL

Trust: 0.6

VULHUB: VHN-44411
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2010-1806
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ZDI: CVE-2010-1806
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 8.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

VULHUB: VHN-44411
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: ZDI: ZDI-10-170 // VULHUB: VHN-44411 // JVNDB: JVNDB-2010-002057 // CNNVD: CNNVD-201009-088 // NVD: CVE-2010-1806

PROBLEMTYPE DATA

problemtype:CWE-399

Trust: 1.9

sources: VULHUB: VHN-44411 // JVNDB: JVNDB-2010-002057 // NVD: CVE-2010-1806

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 93802 // CNNVD: CNNVD-201009-088

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201009-088

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2010-002057

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-44411

PATCH
title:HT4333url:http://support.apple.com/kb/HT4333
Trust: 0.8
title:HT4456url:http://support.apple.com/kb/HT4456
Trust: 0.8
title: - url:http://support.apple.com/kb/HT4333http://support.apple.com/kb/HT4456
Trust: 0.7
sources:
            
            
            ZDI: ZDI-10-170 // 
            
            
            
            JVNDB: JVNDB-2010-002057

EXTERNAL IDS
db:NVDid:CVE-2010-1806
Trust: 3.6
db:BIDid:43049
Trust: 2.8
db:SECUNIAid:42314
Trust: 1.2
db:ZDIid:ZDI-10-170
Trust: 1.1
db:VUPENid:ADV-2010-3046
Trust: 1.1
db:JVNDBid:JVNDB-2010-002057
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-806
Trust: 0.7
db:CNNVDid:CNNVD-201009-088
Trust: 0.7
db:APPLEid:APPLE-SA-2010-09-07-1
Trust: 0.6
db:NSFOCUSid:15732
Trust: 0.6
db:PACKETSTORMid:93802
Trust: 0.2
db:VULHUBid:VHN-44411
Trust: 0.1
db:PACKETSTORMid:96086
Trust: 0.1
sources:
            
            
            ZDI: ZDI-10-170 // 
            
            
            
            VULHUB: VHN-44411 // 
            
            
            
            BID: 43049 // 
            
            
            
            JVNDB: JVNDB-2010-002057 // 
            
            
            
            PACKETSTORM: 93802 // 
            
            
            
            PACKETSTORM: 96086 // 
            
            
            
            CNNVD: CNNVD-201009-088 // 
            
            
            
            NVD: CVE-2010-1806

REFERENCES
url:http://www.securityfocus.com/bid/43049
Trust: 2.5
url:http://support.apple.com/kb/ht4333
Trust: 1.8
url:http://lists.apple.com/archives/security-announce/2010//sep/msg00001.html
Trust: 1.7
url:http://support.apple.com/kb/ht4456
Trust: 1.2
url:http://lists.apple.com/archives/security-announce/2010//nov/msg00003.html
Trust: 1.1
url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a11729
Trust: 1.1
url:http://secunia.com/advisories/42314
Trust: 1.1
url:http://www.vupen.com/english/advisories/2010/3046
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-1806
Trust: 0.8
url:http://jvn.jp/cert/jvnvu954431
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-1806
Trust: 0.8
url:http://support.apple.com/kb/ht4333http://support.apple.com/kb/ht4456
Trust: 0.7
url:http://www.nsfocus.net/vulndb/15732
Trust: 0.6
url:http://www.webkit.org/
Trust: 0.3
url:http://www.zerodayinitiative.com/advisories/zdi-10-170/
Trust: 0.3
url:http://www.zerodayinitiative.com/advisories/disclosure_policy/
Trust: 0.1
url:http://twitter.com/thezdi
Trust: 0.1
url:http://www.zerodayinitiative.com/advisories/zdi-10-170
Trust: 0.1
url:http://www.tippingpoint.com
Trust: 0.1
url:http://www.zerodayinitiative.com
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2010-1806
Trust: 0.1
url:http://secunia.com/products/corporate/evm/
Trust: 0.1
url:http://secunia.com/advisories/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
Trust: 0.1
url:http://secunia.com/advisories/42314/
Trust: 0.1
url:http://secunia.com/products/corporate/vim/
Trust: 0.1
url:http://secunia.com/vulnerability_scanning/personal/
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/advisories/42314/#comments
Trust: 0.1
url:https://ca.secunia.com/?page=viewadvisory&vuln_id=42314
Trust: 0.1
url:http://secunia.com/advisories/about_secunia_advisories/
Trust: 0.1
sources:
            
            
            ZDI: ZDI-10-170 // 
            
            
            
            VULHUB: VHN-44411 // 
            
            
            
            BID: 43049 // 
            
            
            
            JVNDB: JVNDB-2010-002057 // 
            
            
            
            PACKETSTORM: 93802 // 
            
            
            
            PACKETSTORM: 96086 // 
            
            
            
            CNNVD: CNNVD-201009-088 // 
            
            
            
            NVD: CVE-2010-1806

CREDITS
wushi of team509
Trust: 0.7
sources:
            
            
            ZDI: ZDI-10-170

SOURCES
db:ZDIid:ZDI-10-170
db:VULHUBid:VHN-44411
db:BIDid:43049
db:JVNDBid:JVNDB-2010-002057
db:PACKETSTORMid:93802
db:PACKETSTORMid:96086
db:CNNVDid:CNNVD-201009-088
db:NVDid:CVE-2010-1806

LAST UPDATE DATE
2024-11-23T20:13:12.634000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-10-170date:2010-09-13T00:00:00
db:VULHUBid:VHN-44411date:2017-09-19T00:00:00
db:BIDid:43049date:2010-11-22T18:16:00
db:JVNDBid:JVNDB-2010-002057date:2010-12-10T00:00:00
db:CNNVDid:CNNVD-201009-088date:2010-09-14T00:00:00
db:NVDid:CVE-2010-1806date:2024-11-21T01:15:14.080

SOURCES RELEASE DATE
db:ZDIid:ZDI-10-170date:2010-09-13T00:00:00
db:VULHUBid:VHN-44411date:2010-09-10T00:00:00
db:BIDid:43049date:2010-09-07T00:00:00
db:JVNDBid:JVNDB-2010-002057date:2010-09-28T00:00:00
db:PACKETSTORMid:93802date:2010-09-14T01:05:55
db:PACKETSTORMid:96086date:2010-11-24T11:53:31
db:CNNVDid:CNNVD-201009-088date:2010-09-14T00:00:00
db:NVDid:CVE-2010-1806date:2010-09-10T19:00:02.003