
Archived - About the security content of Safari 3.2

This document describes the security content of Safari 3.2.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

This article has been archived and is no longer updated by Apple.

Safari 3.2

  • Safari

    CVE-ID: CVE-2005-2096

    Available for: Windows XP or Vista

    Impact: Multiple vulnerabilities in zlib 1.2.2

    Description: Multiple vulnerabilities exist in zlib 1.2.2, the most serious of which may lead to a denial of service. This update addresses the issues by updating to zlib 1.2.3. These issues do not affect Mac OS X systems. Credit to Robbie Joosten of bioinformatics@school, and David Gunnells of the University of Alabama at Birmingham for reporting these issues.

  • Safari

    CVE-ID: CVE-2008-1767

    Available for: Windows XP or Vista

    Impact: Processing an XML document may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution. Further information on the patch applied is available via http://xmlsoft.org/XSLT/. This issue does not affect Mac OS X systems that have applied Security Update 2008-007. Credit to Anthony de Almeida Lopes of Outpost24 AB, and Chris Evans of the Google Security Team for reporting this issue.

  • Safari

    CVE-ID: CVE-2008-3623

    Available for: Windows XP or Vista

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow exists in CoreGraphics' handling of color spaces. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit: Apple.

  • Safari

    CVE-ID: CVE-2008-2327

    Available for: Windows XP or Vista

    Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution

    Description: Multiple uninitialized memory access issues exist in libTIFF's handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through proper memory initialization and additional validation of TIFF images. This issue is addressed in systems running Mac OS X v10.5.5 or later, and in Mac OS X v10.4.11 systems that have applied Security Update 2008-006. Credit: Apple.

  • Safari

    CVE-ID: CVE-2008-2332

    Available for: Windows XP or Vista

    Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved processing of TIFF images. This issue is addressed in systems running Mac OS X v10.5.5 or later, and in Mac OS X v10.4.11 systems that have applied Security Update 2008-006. Credit to Robert Swiecki of the Google Security Team for reporting this issue.

  • Safari

    CVE-ID: CVE-2008-3608

    Available for: Windows XP or Vista

    Impact: Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue exists in ImageIO's handling of embedded ICC profiles in JPEG images. Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved processing of ICC profiles. This issue is addressed in systems running Mac OS X v10.5.5 or later, and in Mac OS X v10.4.11 systems that have applied Security Update 2008-006. Credit: Apple.

  • Safari

    CVE-ID: CVE-2008-3642

    Available for: Windows XP or Vista

    Impact: Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow exists in the handling of images with an embedded ICC profile. Opening a maliciously crafted image with an embedded ICC profile may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of ICC profiles in images. This issue does not affect Mac OS X systems that have applied Security Update 2008-007. Credit: Apple.

  • Safari

    CVE-ID: CVE-2008-3644

    Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista

    Impact: Sensitive information may be disclosed to a local console user

    Description: Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a local user. This update addresses the issue by properly clearing the form data. Credit to an anonymous researcher for reporting this issue.

  • WebKit

    CVE-ID: CVE-2008-2303

    Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: A signedness issue in Safari's handling of JavaScript array indices may result in an out-of-bounds memory access. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript array indices. Credit to SkyLined of Google for reporting this issue.

  • WebKit

    CVE-ID: CVE-2008-2317

    Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue exists in WebCore's handling of style sheet elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved garbage collection. Credit to an anonymous researcher working with the TippingPoint Zero Day Initiative for reporting this issue.

  • WebKit

    CVE-ID: CVE-2008-4216

    Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista

    Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information

    Description: WebKit's plug-in interface does not block plug-ins from launching local URLs. Visiting a maliciously crafted website may allow a remote attacker to launch local files in Safari, which may lead to the disclosure of sensitive information. This update addresses the issue by restricting the types of URLs that may be launched via the plug-in interface. Credit to Billy Rios of Microsoft, and Nitesh Dhanjani of Ernst & Young for reporting this issue.
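The CVE-2008-2303 entry above describes a signedness issue in an array-index check. The following is an added illustration of that bug class written for this page, not WebKit's code or Apple's fix: a signed bounds check that a negative index slips past, beside the unsigned comparison that rejects it. The array, its length and the function names are constructed for the example.

```c
#include <stdint.h>

/* Constructed sample array; a real engine would index a heap buffer
 * whose length comes from the object, not a fixed constant. */
#define SAMPLE_LEN 4
static const int32_t sample[SAMPLE_LEN] = { 10, 20, 30, 40 };

/* Vulnerable pattern: index is a signed int and `index < length` is a
 * signed comparison, so -1 < 4 is true and a negative index is accepted.
 * Dereferencing with it would read before the start of the array.
 * Kept deliberately flawed so the test can show the check is bypassed;
 * it only evaluates the check and never touches memory. Returns 1 when
 * the index is accepted, 0 when it is rejected. */
int check_index_signed(int32_t index, int32_t length)
{
    return index < length;
}

/* Hardened pattern: compare as unsigned. A negative index wraps to a
 * very large unsigned value and fails the check, so only
 * 0 <= index < length is accepted. Assumes length is non-negative. */
int check_index_unsigned(int32_t index, int32_t length)
{
    return (uint32_t)index < (uint32_t)length;
}

/* Accessor built on the hardened check: returns the element, or
 * `fallback` when the index is out of range (never reads out of bounds). */
int32_t get_element_or(int32_t index, int32_t fallback)
{
    if (!check_index_unsigned(index, SAMPLE_LEN))
        return fallback;
    return sample[index];
}
```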

Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance, or use of information or products found at third-party websites. Apple provides this information only as a convenience to its customers. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple assumes no responsibility in this regard. Please understand that third-party websites are independent from Apple and that Apple has no control over the content on those websites. Please contact the vendor for additional information.

  • Last Modified: 09.11.2011
  • Article: HT3298