ID

VAR-201107-0100


CVE

CVE-2011-0223


TITLE

Apple Safari Used in WebKit Vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2011-002047

DESCRIPTION

WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. WebKit is prone to a heap-based memory-corruption vulnerability. Attackers can exploit this issue by enticing an unsuspecting user to visit a malicious webpage. Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. NOTE: This issue was previously discussed in BID 48808 (Apple Safari Prior to 5.1 and 5.0.6 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2011-07-20-1 Safari 5.1 and Safari 5.0.6 Safari 5.1 and Safari 5.0.6 are now available and address the following: CFNetwork Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: In certain situations, Safari may treat a file as HTML, even if it is served with the 'text/plain' content type. This may lead to a cross-site scripting attack on sites that allow untrusted users to post text files. This issue is addressed through improved handling of 'text/plain' content. CVE-ID CVE-2010-1420 : Hidetake Jo working with Microsoft Vulnerability Research (MSVR), Neal Poole of Matasano Security CFNetwork Available for: Windows 7, Vista, XP SP2 or later Impact: Authenticating to a maliciously crafted website may lead to arbitrary code execution Description: The NTLM authentication protocol is susceptible to a replay attack referred to as credential reflection. Authenticating to a maliciously crafted website may lead to arbitrary code execution. To mitigate this issue, Safari has been updated to utilize protection mechanisms recently added to Windows. This issue does not affect Mac OS X systems. CVE-ID CVE-2010-1383 : Takehiro Takahashi of IBM X-Force Research CFNetwork Available for: Windows 7, Vista, XP SP2 or later Impact: A root certificate that is disabled may still be trusted Description: CFNetwork did not properly validate that a certificate was trusted for use by a SSL server. As a result, if the user had marked a system root certificate as not trusted, Safari would still accept certificates signed by that root. This issue is addressed through improved certificate validation. This issue does not affect Mac OS X systems. CVE-ID CVE-2011-0214 : An anonymous reporter ColorSync Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of images with an embedded ColorSync profile, which may lead to a heap buffer overflow. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004. CVE-ID CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day Initiative CoreFoundation Available for: Windows 7, Vista, XP SP2 or later Impact: Applications that use the CoreFoundation framework may be vulnerable to an unexpected application termination or arbitrary code execution Description: An off-by-one buffer overflow issue existed in the handling of CFStrings. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. CVE-ID CVE-2011-0201 : Harry Sintonen CoreGraphics Available for: Windows 7, Vista, XP SP2 or later Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow issue existed in the handling of Type 1 fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004. CVE-ID CVE-2011-0202 : Cristian Draghici of Modulo Consulting, Felix Grobert of the Google Security Team International Components for Unicode Available for: Windows 7, Vista, XP SP2 or later Impact: Applications that use ICU may be vulnerable to an unexpected application termination or arbitrary code execution Description: A buffer overflow issue existed in ICU's handling of uppercase strings. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. CVE-ID CVE-2011-0206 : David Bienvenu of Mozilla ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004. CVE-ID CVE-2011-0204 : Dominic Chell of NGS Secure ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in ImageIO's handling of CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A reentrancy issue existed in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X systems. CVE-ID CVE-2011-0215 : Juan Pablo Lopez Yacubian working with iDefense VCP ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004. CVE-ID CVE-2011-0204 : Dominic Chell of NGS Secure libxslt Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to the disclosure of addresses on the heap Description: libxslt's implementation of the generate-id() XPath function disclosed the address of a heap buffer. Visiting a maliciously crafted website may lead to the disclosure of addresses on the heap. This issue is addressed by generating an ID based on the difference between the addresses of two heap buffers. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004. CVE-ID CVE-2011-0195 : Chris Evans of the Google Chrome Security Team libxml Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A one-byte heap buffer overflow existed in libxml's handling of XML data. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0216 : Billy Rios of the Google Security Team Safari Available for: Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: If the "AutoFill web forms" feature is enabled, visiting a maliciously crafted website and typing may lead to the disclosure of information from the user's Address Book Description: Safari's "AutoFill web forms" feature filled in non- visible form fields, and the information was accessible by scripts on the site before the user submitted the form. This issue is addressed by displaying all fields that will be filled, and requiring the user's consent before AutoFill information is available to the form. CVE-ID CVE-2011-0217 : Florian Rienhardt of BSI, Alex Lambert, [Jeremiah Grossman] Safari Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: With a certain Java configuration, visiting a malicious website may lead to unexpected text being displayed on other sites Description: A cross origin issue existed in the handling of Java Applets. This applies when Java is enabled in Safari, and Java is configured to run within the browser process. Fonts loaded by a Java applet could affect the display of text content from other sites. This issue is addressed by running Java applets in a separate process. CVE-ID CVE-2011-0219 : Joshua Smith of Kaon Interactive WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2010-1823 : David Weston of Microsoft and Microsoft Vulnerability Research (MSVR), wushi of team509, and Yong Li of Research In Motion Ltd CVE-2011-0164 : Apple CVE-2011-0218 : SkyLined of Google Chrome Security Team CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS Research Team, and Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0223 : Jose A. Vazquez of spa-s3c.blogspot.com working with iDefense VCP CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day Initiative CVE-2011-0234 : Rob King working with TippingPoint's Zero Day Initiative, wushi of team509 working with TippingPoint's Zero Day Initiative, wushi of team509 working with iDefense VCP CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0237 : wushi of team509 working with iDefense VCP CVE-2011-0238 : Adam Barth of Google Chrome Security Team CVE-2011-0240 : wushi of team509 working with iDefense VCP CVE-2011-0253 : Richard Keen CVE-2011-0254 : An anonymous researcher working with TippingPoint's Zero Day Initiative CVE-2011-0255 : An anonymous researcher working with TippingPoint's Zero Day Initiative CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc CVE-2011-0983 : Martin Barbella CVE-2011-1109 : Sergey Glazunov CVE-2011-1114 : Martin Barbella CVE-2011-1115 : Martin Barbella CVE-2011-1117 : wushi of team509 CVE-2011-1121 : miaubiz CVE-2011-1188 : Martin Barbella CVE-2011-1203 : Sergey Glazunov CVE-2011-1204 : Sergey Glazunov CVE-2011-1288 : Andreas Kling of Nokia CVE-2011-1293 : Sergey Glazunov CVE-2011-1296 : Sergey Glazunov CVE-2011-1449 : Marek Majkowski, wushi of team 509 working with iDefense VCP CVE-2011-1451 : Sergey Glazunov CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day Initiative CVE-2011-1457 : John Knottenbelt of Google CVE-2011-1462 : wushi of team509 CVE-2011-1797 : wushi of team509 WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: A configuration issue existed in WebKit's use of libxslt. Visiting a maliciously crafted website may lead to arbitrary files being created with the privileges of the user, which may lead to arbitrary code execution. This issue is addressed through improved libxslt security settings. CVE-ID CVE-2011-1774 : Nicolas Gregoire of Agarri WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to an information disclosure Description: A cross-origin issue existed in the handling of Web Workers. Visiting a maliciously crafted website may lead to an information disclosure. CVE-ID CVE-2011-1190 : Daniel Divricean of divricean.ro WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of URLs with an embedded username. Visiting a maliciously crafted website may lead to a cross-site scripting attack. This issue is addressed through improved handling of URLs with an embedded username. CVE-ID CVE-2011-0242 : Jobert Abma of Online24 WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of DOM nodes. Visiting a maliciously crafted website may lead to a cross- site scripting attack. CVE-ID CVE-2011-1295 : Sergey Glazunov WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: A maliciously crafted website may be able to cause a different URL to be shown in the address bar Description: A URL spoofing issue existed in the handling of the DOM history object. A maliciously crafted website may have been able to cause a different URL to be shown in the address bar. CVE-ID CVE-2011-1107 : Jordi Chancel WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Subscribing to a maliciously crafted RSS feed and clicking on a link within it may lead to an information disclosure Description: A canonicalization issue existed in the handling of URLs. Subscribing to a maliciously crafted RSS feed and clicking on a link within it may lead to arbitrary files being sent from the user's system to a remote server. This update addresses the issue through improved handling of URLs. CVE-ID CVE-2011-0244 : Jason Hullinger WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Applications that use WebKit, such as mail clients, may connect to an arbitrary DNS server upon processing HTML content Description: DNS prefetching was enabled by default in WebKit. Applications that use WebKit, such a s mail clients, may connect to an arbitrary DNS server upon processing HTML content. This update addresses the issue by requiring applications to opt in to DNS prefetching. CVE-ID CVE-2010-3829 : Mike Cardwell of Cardwell IT Ltd. Note: Safari 5.1 is included with OS X Lion. Safari 5.1 and Safari 5.0.6 address the same set of security issues. Safari 5.1 is provided for Mac OS X v10.6, and Windows systems. Safari 5.0.6 is provided for Mac OS X v10.5 systems. Safari 5.1 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/ Safari 5.0.6 is available via the Apple Software Update application, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ Safari for Mac OS X v10.6.8 and later The download file is named: Safari5.1SnowLeopard.dmg Its SHA-1 digest is: 2c3cef8e06c5aa586379b1a5fd5cf7b54e8acc24 Safari for Mac OS X v10.5.8 The download file is named: Safari5.0.6Leopard.dmg Its SHA-1 digest is: ea970375d2116a7b74094a2a7669bebc306b6e6f Safari for Windows 7, Vista or XP The download file is named: SafariSetup.exe Its SHA-1 digest is: d00b791c694b1ecfc22d6a1ec9aa21cc14fd8e36 Safari for Windows 7, Vista or XP from the Microsoft Choice Screen The download file is named: Safari_Setup.exe Its SHA-1 digest is: ccb3bb6b06468a430171d9f62708a1a6d917f45b Safari+QuickTime for Windows 7, Vista or XP The file is named: SafariQuickTimeSetup.exe Its SHA-1 digest is: 1273e0ee742a294d65e4f25a9b3e36f79fb517c9 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) iQEcBAEBAgAGBQJOJI45AAoJEGnF2JsdZQeezHQIALKZms5tzYgYxUSdxmo+DmYw up9gAmEVcltZvCeVS1lUxfjqnRiGRSWyuou8Ynt9PfGQCz9GfLvzlrCHc5rsnKaD MeYY1IH7lQc6aqmV0hwb4nUL5qJntP6G5Ai0E/0UiRQNC/ummS+qnmdsiFo78ODY nKaB5cAWhqGHgOAPnUG0JwmxpYgR2HEtGYJSqlYykMwt1vnlAr5hHVNaUJcJ3Hlb vesN6fB7zQMiJVo8+iJBixCvIYlbII5HnVAmD1ToyKgENg4Iguo46YBMVr8DPgF/ KD2s0+VF/O4utYVX0GiRGReVyq1PMvz/HI23ym8U3LjbezXD/AALQET0Q2hUEYQ= =fOfF -----END PGP SIGNATURE----- . iDefense Security Advisory 07.20.11 http://labs.idefense.com/intelligence/vulnerabilities/ Jul 20, 2011 I. BACKGROUND WebKit is an open source web browser engine. It is currently used by Apple Inc.'s Safari browser, as well as by Google's Chrome browser. For more information, see the vendor's site at the following link. http://webkit.org/ II. The vulnerability occurs when parsing a frameset element with a malicious style attribute. Specifically, by setting the padding property to certain values it is possible to trigger a heap based memory corruption vulnerability. III. An attacker typically accomplishes this via social engineering or injecting content into compromised, trusted sites. After the user visits the malicious web page, no further user interaction is needed. IV. DETECTION Safari versions prior to 5.1 and 5.0.6 are vulnerable. V. WORKAROUND iDefense is currently unaware of an effective workaround for this vulnerability as it occurs in the core parsing code. However, disabling scripting will make the vulnerability more difficult to exploit using known techniques. VI. VENDOR RESPONSE Apple Inc. For more information, consult their advisory at the following URL: http://support.apple.com/kb/HT4808 VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2011-0223 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 02/25/2011 Initial Vendor Notification 02/25/2011 Initial Vendor Reply 07/20/2011 Coordinated Public Disclosure IX. CREDIT This vulnerability was reported to iDefense by Jose A. Vazquez of {http://spa-s3c.blogspot.com}. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2011 Verisign Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. ---------------------------------------------------------------------- The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way. Read more and request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Apple Safari Multiple Vulnerabilities SECUNIA ADVISORY ID: SA45325 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45325/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45325 RELEASE DATE: 2011-07-22 DISCUSS ADVISORY: http://secunia.com/advisories/45325/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45325/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45325 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A weakness and multiple vulnerabilities have been reported in Apple Safari, which can be exploited by malicious people to disclose sensitive information, manipulate certain data, conduct cross-site scripting and spoofing attacks, bypass certain security restrictions, and compromise a user's system. 1) An error within CFNetwork when handling the "text/plain" content type can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 3) An error exists within CFNetwork when handling SSL certificates, which does not properly verify disabled root certificates. 4) An integer overflow error exists within the ColorSync component. For more information see vulnerability #5 in: SA45054 5) An off-by-one error exists within the CoreFoundation framework. For more information see vulnerability #6 in: SA45054 6) An integer overflow error exists in CoreGraphics. For more information see vulnerability #7 in: SA45054 7) An error exists within ICU (International Components for Unicode). For more information see vulnerability #11 in: SA45054 8) An error exists in ImageIO within the handling of TIFF files when handling certain uppercase strings. For more information see vulnerability #9 in: SA45054 9) An error in ImageIO within the handling of CCITT Group 4 encoded TIFF image files can be exploited to cause a heap-based buffer overflow. 10) A use-after-free error within WebKit when handling TIFF images can result in an invalid pointer being dereferenced when a user views a specially crafted web page. 11) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 12) An off-by-one error within libxml when handling certain XML data can be exploited to cause a heap-based buffer overflow. 13) An error in the "AutoFill web forms" feature can be exploited to disclose certain information from the user's Address Book by tricking a user into visiting a specially crafted web page. 15) Multiple unspecified errors in the WebKit component can be exploited to corrupt memory. 16) An error within WebKit when handling libxslt configurations can be exploited to create arbitrary files. 18) A cross-origin error when handling certain URLs containing a username can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. 19) A cross-origin error when handling DOM nodes can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. 20) An error within the handling of DOM history objects can be exploited to display arbitrary content while showing the URL of a trusted web site in the address bar. 22) A weakness in WebKit can lead to remote DNS prefetching For more information see vulnerability #6 in: SA42312 23) A use-after-free error within WebKit when processing MathML markup tags can result in an invalid pointer being dereferenced when a user views a specially crafted web page. 25) A use-after-free error within WebKit when handling XHTML tags can result in an invalid tag pointer being dereferenced when a user views a specially crafted web page. 26) A use-after-free error within WebKit when handling SVG tags can result in an invalid pointer being dereferenced when a user views a specially crafted web page. SOLUTION: Update to version 5.1 or 5.0.6. PROVIDED AND/OR DISCOVERED BY: 10) Juan Pablo Lopez Yacubian via iDefense 4) binaryproof via ZDI 8) Dominic Chell, NGS Secure 23, 25, 26) wushi, team509 via iDefense 24) Jose A. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

Trust: 2.34

sources: NVD: CVE-2011-0223 // JVNDB: JVNDB-2011-002047 // BID: 48820 // VULHUB: VHN-48168 // PACKETSTORM: 103216 // PACKETSTORM: 103240 // PACKETSTORM: 105708 // PACKETSTORM: 103250

AFFECTED PRODUCTS

vendor:applemodel:safariscope:eqversion:1.2.2

Trust: 1.6

vendor:applemodel:safariscope:eqversion:1.2.0

Trust: 1.6

vendor:applemodel:safariscope:eqversion:2.0.2

Trust: 1.6

vendor:applemodel:safariscope:eqversion:1.3.1

Trust: 1.6

vendor:applemodel:safariscope:eqversion:1.2.4

Trust: 1.6

vendor:applemodel:safariscope:eqversion:2.0.1

Trust: 1.6

vendor:applemodel:safariscope:eqversion:1.3.0

Trust: 1.6

vendor:applemodel:safariscope:eqversion:1.2.3

Trust: 1.6

vendor:applemodel:safariscope:eqversion:2.0.3

Trust: 1.6

vendor:applemodel:safariscope:eqversion:5.0.4

Trust: 1.3

vendor:applemodel:safariscope:eqversion:5.0.3

Trust: 1.3

vendor:applemodel:safariscope:eqversion:5.0.2

Trust: 1.3

vendor:applemodel:safariscope:eqversion:5.0.1

Trust: 1.3

vendor:applemodel:safariscope:eqversion:5.0

Trust: 1.3

vendor:applemodel:safariscope:eqversion:4.1

Trust: 1.3

vendor:applemodel:safariscope:eqversion:3.0.1b

Trust: 1.0

vendor:applemodel:safariscope:eqversion:3.0.1

Trust: 1.0

vendor:applemodel:safariscope:eqversion:3.0

Trust: 1.0

vendor:applemodel:safariscope:eqversion:1.0.0b1

Trust: 1.0

vendor:applemodel:safariscope:eqversion:1.3.2

Trust: 1.0

vendor:applemodel:safariscope:eqversion:2.0.4

Trust: 1.0

vendor:applemodel:safariscope:eqversion:3.1.0

Trust: 1.0

vendor:applemodel:safariscope:eqversion:1.1.1

Trust: 1.0

vendor:applemodel:safariscope:eqversion:3

Trust: 1.0

vendor:applemodel:safariscope:eqversion:3.0.3b

Trust: 1.0

vendor:applemodel:safariscope:eqversion:3.0.0b

Trust: 1.0

vendor:applemodel:safariscope:eqversion:3.1.2

Trust: 1.0

vendor:applemodel:safariscope:eqversion:2

Trust: 1.0

vendor:applemodel:safariscope:eqversion:1.1.0

Trust: 1.0

vendor:applemodel:webkitscope:eqversion:*

Trust: 1.0

vendor:applemodel:safariscope:eqversion:1.1

Trust: 1.0

vendor:applemodel:safariscope:eqversion:2.0.0

Trust: 1.0

vendor:applemodel:safariscope:eqversion:3.2.1

Trust: 1.0

vendor:applemodel:safariscope:eqversion:4.1.2

Trust: 1.0

vendor:applemodel:safariscope:eqversion:1.0.3

Trust: 1.0

vendor:applemodel:safariscope:eqversion:1.3

Trust: 1.0

vendor:applemodel:safariscope:eqversion:3.1.0b

Trust: 1.0

vendor:applemodel:safariscope:eqversion:1.0.0

Trust: 1.0

vendor:applemodel:safariscope:eqversion:1.0.1

Trust: 1.0

vendor:applemodel:safariscope:eqversion:1.0

Trust: 1.0

vendor:applemodel:safariscope:eqversion:1.2.1

Trust: 1.0

vendor:applemodel:safariscope:eqversion:1.2

Trust: 1.0

vendor:applemodel:safariscope:eqversion:2.0

Trust: 1.0

vendor:applemodel:safariscope:eqversion:3.0.0

Trust: 1.0

vendor:applemodel:safariscope:eqversion:3.0.4

Trust: 1.0

vendor:applemodel:safariscope:eqversion:3.1.1

Trust: 1.0

vendor:applemodel:safariscope:eqversion:3.0.2b

Trust: 1.0

vendor:applemodel:safariscope:lteversion:5.0.5

Trust: 1.0

vendor:applemodel:safariscope:eqversion:3.0.3

Trust: 1.0

vendor:applemodel:safariscope:eqversion:3.0.4b

Trust: 1.0

vendor:applemodel:safariscope:eqversion:1.0.0b2

Trust: 1.0

vendor:applemodel:safariscope:eqversion:1.0.2

Trust: 1.0

vendor:applemodel:safariscope:eqversion:3.2.0

Trust: 1.0

vendor:applemodel:safariscope:eqversion:3.2.2

Trust: 1.0

vendor:applemodel:safariscope:eqversion:4.1.1

Trust: 1.0

vendor:applemodel:safariscope:eqversion:1.2.5

Trust: 1.0

vendor:applemodel:safariscope:eqversion:3.0.2

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:v10.5.8

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:v10.6.8 and later

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:v10.5.8

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:v10.6.8 and later

Trust: 0.8

vendor:applemodel:safariscope:eqversion:5

Trust: 0.8

vendor:webkitmodel:open source project webkitscope:eqversion:1.2.5

Trust: 0.3

vendor:webkitmodel:open source project webkitscope:eqversion:1.2.3

Trust: 0.3

vendor:webkitmodel:open source project webkitscope:eqversion:1.2.2

Trust: 0.3

vendor:webkitmodel:open source project webkit r82222scope: - version: -

Trust: 0.3

vendor:webkitmodel:open source project webkit r77705scope: - version: -

Trust: 0.3

vendor:webkitmodel:open source project webkit r52833scope: - version: -

Trust: 0.3

vendor:webkitmodel:open source project webkit r52401scope: - version: -

Trust: 0.3

vendor:webkitmodel:open source project webkit r51295scope: - version: -

Trust: 0.3

vendor:webkitmodel:open source project webkit r38566scope: - version: -

Trust: 0.3

vendor:webkitmodel:open source project webkitscope:eqversion:1.2.x

Trust: 0.3

vendor:webkitmodel:open source project webkitscope:eqversion:1.2.2-1

Trust: 0.3

vendor:webkitmodel:open source project webkitscope:eqversion:0

Trust: 0.3

vendor:applemodel:safari for windowsscope:eqversion:4.0.5

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.5

Trust: 0.3

vendor:applemodel:safari for windowsscope:eqversion:4.0.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.4

Trust: 0.3

vendor:applemodel:safari for windowsscope:eqversion:4.0.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.3

Trust: 0.3

vendor:applemodel:safari for windowsscope:eqversion:4.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4.0.1

Trust: 0.3

vendor:applemodel:safari for windowsscope:eqversion:5.0.5

Trust: 0.3

vendor:applemodel:safariscope:eqversion:5.0.5

Trust: 0.3

vendor:applemodel:safari for windowsscope:eqversion:5.0.4

Trust: 0.3

vendor:applemodel:safari for windowsscope:eqversion:5.0.3

Trust: 0.3

vendor:applemodel:safari for windowsscope:eqversion:5.0.2

Trust: 0.3

vendor:applemodel:safari for windowsscope:eqversion:5.0.1

Trust: 0.3

vendor:applemodel:safari for windowsscope:eqversion:5.0

Trust: 0.3

vendor:applemodel:safari for windowsscope:eqversion:4

Trust: 0.3

vendor:applemodel:safari betascope:eqversion:4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:4

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:9.2.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:9.0.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:9.0.1.8

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:9.0.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:9.0

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:9.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:9.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:8.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:8.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:8.0.2.20

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:8.0

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.2.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.2

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10.1

Trust: 0.3

vendor:applemodel:itunesscope:eqversion:10

Trust: 0.3

vendor:applemodel:safariscope:neversion:5.0.6

Trust: 0.3

vendor:applemodel:safari for windowsscope:neversion:5.1

Trust: 0.3

vendor:applemodel:safariscope:neversion:5.1

Trust: 0.3

vendor:applemodel:safari for windowsscope:neversion:5.0.6

Trust: 0.3

vendor:applemodel:itunesscope:neversion:10.5

Trust: 0.3

sources: BID: 48820 // JVNDB: JVNDB-2011-002047 // CNNVD: CNNVD-201107-332 // NVD: CVE-2011-0223

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-0223
value: HIGH

Trust: 1.0

NVD: CVE-2011-0223
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201107-332
value: CRITICAL

Trust: 0.6

VULHUB: VHN-48168
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2011-0223
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-48168
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-48168 // JVNDB: JVNDB-2011-002047 // CNNVD: CNNVD-201107-332 // NVD: CVE-2011-0223

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-48168 // JVNDB: JVNDB-2011-002047 // NVD: CVE-2011-0223

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 103240 // CNNVD: CNNVD-201107-332

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201107-332

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-002047

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-48168

PATCH

title:HT4808url:http://support.apple.com/kb/HT4808

Trust: 0.8

sources: JVNDB: JVNDB-2011-002047

EXTERNAL IDS

db:NVDid:CVE-2011-0223

Trust: 3.1

db:BIDid:48820

Trust: 1.8

db:SECUNIAid:45325

Trust: 1.6

db:SECTRACKid:1025816

Trust: 0.8

db:OSVDBid:74000

Trust: 0.8

db:JVNDBid:JVNDB-2011-002047

Trust: 0.8

db:CNNVDid:CNNVD-201107-332

Trust: 0.7

db:APPLEid:APPLE-SA-2011-07-20-1

Trust: 0.6

db:NSFOCUSid:17909

Trust: 0.6

db:NSFOCUSid:17304

Trust: 0.6

db:PACKETSTORMid:103240

Trust: 0.2

db:VULHUBid:VHN-48168

Trust: 0.1

db:PACKETSTORMid:103216

Trust: 0.1

db:PACKETSTORMid:105708

Trust: 0.1

db:ZDIid:ZDI-11-228

Trust: 0.1

db:PACKETSTORMid:103250

Trust: 0.1

sources: VULHUB: VHN-48168 // BID: 48820 // JVNDB: JVNDB-2011-002047 // PACKETSTORM: 103216 // PACKETSTORM: 103240 // PACKETSTORM: 105708 // PACKETSTORM: 103250 // CNNVD: CNNVD-201107-332 // NVD: CVE-2011-0223

REFERENCES

url:http://support.apple.com/kb/ht4808

Trust: 1.9

url:http://lists.apple.com/archives/security-announce/2011//jul/msg00002.html

Trust: 1.7

url:http://secunia.com/advisories/45325

Trust: 1.4

url:http://www.securityfocus.com/bid/48820

Trust: 1.4

url:http://lists.apple.com/archives/security-announce/2011//oct/msg00000.html

Trust: 1.1

url:http://support.apple.com/kb/ht4981

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-0223

Trust: 0.8

url:http://jvn.jp/cert/jvnvu781747/index.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-0223

Trust: 0.8

url:http://osvdb.org/show/osvdb/74000

Trust: 0.8

url:http://securitytracker.com/id/1025816

Trust: 0.8

url:http://www.nsfocus.net/vulndb/17304

Trust: 0.6

url:http://www.nsfocus.net/vulndb/17909

Trust: 0.6

url:http://www.apple.com/safari/download/

Trust: 0.4

url:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=932

Trust: 0.4

url:/archive/1/520068

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2011-0223

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2011-0235

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2011-0240

Trust: 0.2

url:http://support.apple.com/kb/ht1222

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2011-0237

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2011-0200

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2011-0238

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2011-0233

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2011-0234

Trust: 0.2

url:https://www.apple.com/support/security/pgp/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2011-0215

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2011-0204

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2011-0222

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2011-0164

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2011-0221

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2011-0218

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2011-0225

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2011-0232

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2010-1823

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2010-1420

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-0206

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-0214

Trust: 0.1

url:http://www.apple.com/support/downloads/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-0201

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-0219

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-0202

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-0217

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-0216

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2010-1383

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-0195

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2010-3829

Trust: 0.1

url:http://webkit.org/

Trust: 0.1

url:http://cve.mitre.org/),

Trust: 0.1

url:http://labs.idefense.com/

Trust: 0.1

url:http://spa-s3c.blogspot.com}.

Trust: 0.1

url:http://labs.idefense.com/intelligence/vulnerabilities/

Trust: 0.1

url:http://labs.idefense.com/methodology/vulnerability/vcp.php

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-0259

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-0253

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-0254

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-0983

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-1117

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-1109

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-1115

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-1121

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-0255

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-0981

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-1114

Trust: 0.1

url:http://www.apple.com/itunes/download/

Trust: 0.1

url:http://archives.neohapsis.com/archives/bugtraq/2011-07/0034.html

Trust: 0.1

url:http://secunia.com/advisories/45325/

Trust: 0.1

url:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=931

Trust: 0.1

url:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=933

Trust: 0.1

url:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=934

Trust: 0.1

url:http://secunia.com/vulnerability_intelligence/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.1

url:http://secunia.com/products/corporate/vim/

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/zdi-11-228/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.1

url:http://secunia.com/advisories/45325/#comments

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=45325

Trust: 0.1

url:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=930

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: VULHUB: VHN-48168 // BID: 48820 // JVNDB: JVNDB-2011-002047 // PACKETSTORM: 103216 // PACKETSTORM: 103240 // PACKETSTORM: 105708 // PACKETSTORM: 103250 // CNNVD: CNNVD-201107-332 // NVD: CVE-2011-0223

CREDITS

Jose A. Vazquez

Trust: 0.9

sources: BID: 48820 // CNNVD: CNNVD-201107-332

SOURCES

db:VULHUBid:VHN-48168
db:BIDid:48820
db:JVNDBid:JVNDB-2011-002047
db:PACKETSTORMid:103216
db:PACKETSTORMid:103240
db:PACKETSTORMid:105708
db:PACKETSTORMid:103250
db:CNNVDid:CNNVD-201107-332
db:NVDid:CVE-2011-0223

LAST UPDATE DATE

2024-08-14T13:13:38.129000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-48168date:2011-10-14T00:00:00
db:BIDid:48820date:2011-10-11T19:00:00
db:JVNDBid:JVNDB-2011-002047date:2011-08-08T00:00:00
db:CNNVDid:CNNVD-201107-332date:2011-07-22T00:00:00
db:NVDid:CVE-2011-0223date:2011-10-14T02:50:01.370

SOURCES RELEASE DATE

db:VULHUBid:VHN-48168date:2011-07-21T00:00:00
db:BIDid:48820date:2011-07-20T00:00:00
db:JVNDBid:JVNDB-2011-002047date:2011-08-08T00:00:00
db:PACKETSTORMid:103216date:2011-07-21T14:16:35
db:PACKETSTORMid:103240date:2011-07-21T23:13:21
db:PACKETSTORMid:105708date:2011-10-12T02:01:36
db:PACKETSTORMid:103250date:2011-07-21T06:58:31
db:CNNVDid:CNNVD-201107-332date:1900-01-01T00:00:00
db:NVDid:CVE-2011-0223date:2011-07-21T23:55:02.037