About the security content of Safari 5.1 and Safari 5.0.6
This document describes the security content of Safari 5.1 and Safari 5.0.6. Safari 5.1 is included with OS X Lion.
For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To find out more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To find out more about other Security Updates, see "Apple Security Updates".
Safari 5.1 and Safari 5.0.6
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: In certain situations, Safari may treat a file as HTML, even if it is served with the 'text/plain' content type. This may lead to a cross-site scripting attack on sites that allow untrusted users to post text files. This issue is addressed through improved handling of 'text/plain' content.
CVE-ID
CVE-2010-1420: Hidetake Jo working with Microsoft Vulnerability Research (MSVR), Neal Poole of Matasano Security
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: Authenticating to a maliciously crafted website may lead to arbitrary code execution
Description: The NTLM authentication protocol is susceptible to a replay attack referred to as credential reflection. Authenticating to a maliciously crafted website may lead to arbitrary code execution. To mitigate this issue, Safari has been updated to utilise protection mechanisms recently added to Windows. This issue does not affect Mac OS X systems.
CVE-ID
CVE-2010-1383: Takehiro Takahashi of IBM X-Force Research
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: A root certificate that is disabled may still be trusted
Description: CFNetwork did not properly validate that a certificate was trusted for use by a SSL server. As a result, if the user had marked a system root certificate as not trusted, Safari would still accept certificates signed by that root. This issue is addressed through improved certificate validation. This issue does not affect Mac OS X systems.
CVE-ID
CVE-2011-0214: an anonymous reporter
ColorSync
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of images with an embedded ColorSync profile, which may lead to a heap buffer overflow. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004.
CVE-ID
CVE-2011-0200: binaryproof working with TippingPoin’s Zero Day Initiative
CoreFoundation
Available for: Windows 7, Vista, XP SP2 or later
Impact: Applications that use the CoreFoundation framework may be vulnerable to an unexpected application termination or arbitrary code execution
Description: An off-by-one buffer overflow issue existed in the handling of CFStrings. Applications that use the CoreFoundation framework may be vulnerable to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
CVE-ID
CVE-2011-0201: Harry Sintonen
CoreGraphics
Available for: Windows 7, Vista, XP SP2 or later
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in the handling of Type 1 fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004.
CVE-ID
CVE-2011-0202: Cristian Draghici of Modulo Consulting, Felix Grobert of the Google Security Team
International Components for Unicode
Available for: Windows 7, Vista, XP SP2 or later
Impact: Applications that use ICU may be vulnerable to an unexpected application termination or arbitrary code execution
Description: A buffer overflow issue existed in ICU's handling of uppercase strings. Applications that use ICU may be vulnerable to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
CVE-ID
CVE-2011-0206: David Bienvenu of Mozilla
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004.
CVE-ID
CVE-2011-0204: Dominic Chell of NGS Secure
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0241: Cyril CATTIAUX of Tessi Technologies
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: A re-entrancy issue existed in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X systems.
CVE-ID
CVE-2011-0215: Juan Pablo Lopez Yacubian working with iDefense VCP
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004.
CVE-ID
CVE-2011-0204: Dominic Chell of NGS Secure
libxslt
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to the disclosure of addresses on the heap
Description: libxslt's implementation of the generate-id() XPath function disclosed the address of a heap buffer. Visiting a maliciously crafted website may lead to the disclosure of addresses on the heap. This issue is addressed by generating an ID based on the difference between the addresses of two heap buffers. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004.
CVE-ID
CVE-2011-0195: Chris Evans of the Google Chrome Security Team
libxml
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A one-byte heap buffer overflow existed in libxml's handling of XML data. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0216: Billy Rios of the Google Security Team
Safari
Available for: Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later
Impact: If the "AutoFill web forms" feature is enabled, visiting a maliciously crafted website and typing may lead to the disclosure of information from the user's Address Book
Description: Safari's "AutoFill web forms" feature filled in non-visible form fields, and the information was accessible by scripts on the site before the user submitted the form. This issue is addressed by displaying all fields that will be filled, and requiring the user's consent before AutoFill information is available to the form.
CVE-ID
CVE-2011-0217: Florian Rienhardt of BSI, Alex Lambert, Jeremiah Grossman
Safari
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later
Impact: With a certain Java configuration, visiting a malicious website may lead to unexpected text being displayed on other sites
Description: A cross-origin issue existed in the handling of Java Applets. This applies when Java is enabled in Safari, and Java is configured to run within the browser process. Fonts loaded by a Java applet could affect the display of text content from other sites. This issue is addressed by running Java applets in a separate process.
CVE-ID
CVE-2011-0219: Joshua Smith of Kaon Interactive
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2010-1823: David Weston of Microsoft and Microsoft Vulnerability Research (MSVR), wushi of team509 and Yong Li of Research In Motion Ltd
CVE-2011-0164: Apple
CVE-2011-0218: SkyLined of Google Chrome Security Team
CVE-2011-0221: Abhishek Arya (Inferno) of Google Chrome Security Team
CVE-2011-0222: Nikita Tarakanov and Alex Bazhanyuk of the CISS Research Team and Abhishek Arya (Inferno) of Google Chrome Security Team
CVE-2011-0223: Jose A. Vazquez of spa-s3c.blogspot.com working with iDefense VCP
CVE-2011-0225: Abhishek Arya (Inferno) of Google Chrome Security Team
CVE-2011-0232: J23 working with TippingPoint's Zero Day Initiative
CVE-2011-0233: wushi of team509 working with TippingPoint's Zero Day Initiative
CVE-2011-0234: Rob King working with TippingPoint's Zero Day Initiative, wushi of team509 working with TippingPoint's Zero Day Initiative, wushi of team509 working with iDefense VCP
CVE-2011-0235: Abhishek Arya (Inferno) of Google Chrome Security Team
CVE-2011-0237: wushi of team509 working with iDefense VCP
CVE-2011-0238: Adam Barth of Google Chrome Security Team
CVE-2011-0240: wushi of team509 working with iDefense VCP
CVE-2011-0253: Richard Keen
CVE-2011-0254: An anonymous researcher working with TippingPoint's Zero Day Initiative
CVE-2011-0255: An anonymous researcher working with TippingPoint's Zero Day Initiative
CVE-2011-0981: Rik Cabanier of Adobe Systems, Inc
CVE-2011-0983: Martin Barbella
CVE-2011-1109: Sergey Glazunov
CVE-2011-1114: Martin Barbella
CVE-2011-1115: Martin Barbella
CVE-2011-1117: wushi of team509
CVE-2011-1121: miaubiz
CVE-2011-1188: Martin Barbella
CVE-2011-1203: Sergey Glazunov
CVE-2011-1204: Sergey Glazunov
CVE-2011-1288: Andreas Kling of Nokia
CVE-2011-1293: Sergey Glazunov
CVE-2011-1296: Sergey Glazunov
CVE-2011-1449: Marek Majkowski, wushi of team 509 working with iDefense VCP
CVE-2011-1451: Sergey Glazunov
CVE-2011-1453: wushi of team509 working with TippingPoint's Zero Day Initiative
CVE-2011-1457: John Knottenbelt of Google
CVE-2011-1462 : wushi of team509
CVE-2011-1797 : wushi of team509
CVE-2011-3438: wushi of team509 working with iDefense VCP
CVE-2011-3443: An anonymous researcher working with iDefense VCP
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A configuration issue existed in WebKit's use of libxslt. Visiting a maliciously crafted website may lead to arbitrary files being created with the privileges of the user, which may lead to arbitrary code execution. This issue is addressed through improved libxslt security settings.
CVE-ID
CVE-2011-1774: Nicolas Gregoire of Agarri
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an information disclosure
Description: A cross-origin issue existed in the handling of Web Workers. Visiting a maliciously crafted website may lead to an information disclosure.
CVE-ID
CVE-2011-1190: Daniel Divricean of divricean.ro
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: A cross-origin issue existed in the handling of URLs with an embedded username. Visiting a maliciously crafted website may lead to a cross-site scripting attack. This issue is addressed through improved handling of URLs with an embedded username.
CVE-ID
CVE-2011-0242: Jobert Abma of Online24
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: A cross-origin issue existed in the handling of DOM nodes. Visiting a maliciously crafted website may lead to a cross-site scripting attack.
CVE-ID
CVE-2011-1295 : Sergey Glazunov
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later
Impact: A maliciously crafted website may be able to cause a different URL to be shown in the address bar
Description: A URL spoofing issue existed in the handling of the DOM history object. A maliciously crafted website may have been able to cause a different URL to be shown in the address bar.
CVE-ID
CVE-2011-1107: Jordi Chancel
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later
Impact: Subscribing to a maliciously crafted RSS feed and clicking on a link within it may lead to an information disclosure
Description: A canonicalisation issue existed in the handling of URLs. Subscribing to a maliciously crafted RSS feed and clicking on a link within it may lead to arbitrary files being sent from the user's system to a remote server. This update addresses the issue through improved handling of URLs.
CVE-ID
CVE-2011-0244: Jason Hullinger
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later
Impact: Applications that use WebKit, such as mail clients, may connect to an arbitrary DNS server upon processing HTML content
Description: DNS prefetching was enabled by default in WebKit. Applications that use WebKit, such as mail clients, may connect to an arbitrary DNS server upon processing HTML content. This update addresses the issue by requiring applications to opt in to DNS prefetching.
CVE-ID
CVE-2010-3829: Mike Cardwell of Cardwell IT Ltd.
Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance or use of information or products found at third-party websites. Apple only provides this as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website. Please contact the vendor for additional information.