Multiple vulnerabilities have been identified in Apple Safari, which could be exploited by remote attackers to bypass security restrictions, cause a denial of service, disclose sensitive information, or execute arbitrary code.
The first issue is caused by an error in the validation of certificates, which could be exploited by an attacker to direct a user to a spoofed web site that incorrectly appears to be trusted.
The second vulnerability is caused by an error when handling 502 Bad Gateway errors sent by an HTTPS proxy server, which could allow a malicious proxy to spoof secure websites.
The third issue is caused by an input validation error in the Safari's error page when handling malformed URLs, which could be exploited to conduct cross site scripting attacks and disclose sensitive information.
The fourth vulnerability is caused by an input validation error when processing "javascript:" URLs, which could be exploited to conduct cross site scripting attacks in the context of arbitrary web sites.
The fifth issue is caused by an error when handling web pages that have explicitly set the "document.domain" property, which could lead to a cross-site scripting attack in sites that set the "document.domain" property, or between HTTP and HTTPS sites with the same "document.domain".
The sixth vulnerability is caused by an error in Web Inspector, which could allow a page being inspected to escalate its privileges by injecting script that will run in other domains and read the user's file system.
The seventh vulnerability is caused by an error when using the Kotoeri input method, which could result in exposing a password field content on the display when reverse conversion is requested.
The eighth issue is caused by an error when handling "window.open()" functions, which could be exploited to conduct cross site scripting attacks.
The ninth vulnerability is caused by a design error where frame navigation policy is not enforced for Java applets, which could be exploited to conduct cross site scripting attacks via a specially crafted Java applet.
The tenth issue is caused by an error when handling the "document.domain" property, which could be exploited to conduct cross site scripting attacks and disclose sensitive information.
The eleventh vulnerability is caused by an error when handling the "history" object, which could be exploited to conduct cross site scripting attacks and inject JavaScript in the context of arbitrary frames.
The twelfth issue is caused by a buffer overflow error in WebKit when handling malformed JavaScript regular expressions, which could be exploited by malicious web sites to crash an affected browser or execute arbitrary code.
The thirteenth vulnerability is caused by an error in WebKit that allows method instances from one frame to be called in the context of another frame, which could be exploited to conduct cross site scripting attacks and disclose sensitive information.
Credits
Vulnerabilities reported by Marko Karppinen, Petteri Kamppuri and Nikita Zhuk (MK&C), Robert Swiecki (Google Information Security Team), Adam Barth and Collin Jackson (Stanford University), Eric Seidel (WebKit Open Source Project), Tavis Ormandy and Will Drewry (Google Security Team), and David Bloom.
ChangeLog
2008-03-18 : Initial release
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
