Safari 3.1 update fixes 13 security flaws

Apple on Tuesday released Safari 3.1 for users on Mac OS X and Windows. Along with new features are 13 security updates for the Safari browser, WebCore, and WebKit. Most of the vulnerabilities address cross-site scripting flaws. A cross-site scripting attack can inject malicious code onto a victim's computer usually via a script tag appended to a specially formed URL. The Security Update APPLE-SA-2008-03-18 can be downloaded and installed from Apple Downloads, or you can simply download the new version of Safari 3.1 directly.

Safari--certificate validation
This patch only affects users of Safari on Windows XP or Vista. The update addresses a certificate validation vulnerability in CVE-2007-4680. A remote attacker may be able to cause a certificate to appear trusted. According to Apple "a man-in-the-middle attacker may be able to direct the user to a legitimate site with a valid SSL certificate, then re-direct the user to a spoofed web site that incorrectly appears to be trusted. This could allow user credentials or other information to be collected." Apple notes that this issue does not affect systems prior to Mac OS X v10.5. Apple credits Marko Karppinen, Petteri Kamppuri, and Nikita Zhuk of MK&C for reporting this vulnerability.

Safari--malicious proxy server
This patch affects users of Safari running on Windows XP or Vista. The update addresses a malicious proxy server vulnerability in CVE-2008-0050. A removed application may still be launched via the Time Machine backup. Apple says "a malicious HTTPS proxy server may return arbitrary data to CFNetwork in a 502 Bad Gateway error, which could allow a secure website to be spoofed. This update addresses the issue by returning an error on any proxy error, instead of returning the proxy-supplied data." Apple also says that this issue has been addressed within Mac OS X 10.5.2, and in Security Update 2008-002 for Mac OS X 10.4.11 systems.

Safari--cross-site scripting 1
This patch only affects users of Safari on Windows XP or Vista and addresses a cross-site scripting vulnerability in CVE-2008-1001. Apple says "by enticing a user to open a maliciously crafted URL, an attacker may cause the disclosure of sensitive information. This update addresses the issue by performing additional validation of URLs." Apple credits Robert Swiecki of Google Information Security Team for reporting this issue.

Safari--cross-site scripting 2
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. The update addresses a JavaScript: URLs cross-site scripting vulnerability in CVE-2008-1002. Apple says "a cross-site scripting issue exists in the processing of JavaScript: URLs. Enticing a user to visit a maliciously crafted web page could allow the execution of JavaScript in the context of another site." Apple credits Robert Swiecki of Google Information Security Team for reporting this issue.

WebCore--document.domain
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. The update addresses a document.domain vulnerability in CVE-2008-1003. Apple says "an issue exists with the handling of web pages that have explicitly set the document.domain property. This could lead to a cross-site scripting attack in sites that set the document.domain property, or between HTTP and HTTPS sites with the same document.domain." Apple credits Adam Barth and Collin Jackson of Stanford University for reporting this issue.

WebCore--Web Inspector
This patch affects users of Mac OS X v10.5 and v10.5.1 and Mac OS X Server v10.5 and v10.5.1. The update addresses a Web Inspector vulnerability in CVE-2008-1004. Affected users may find that requesting to unblock a website leads to information disclosure. Apple says "an issue in Web Inspector allows a page being inspected to escalate its privileges by injecting script that will run in other domains and read the user's file system. This update addresses the issue by preventing JavaScript code on remote pages from being run." Apple credits Collin Jackson and Adam Barth of Stanford University for reporting this issue.

WebCore--password
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. The update addresses a password vulnerability in CVE-2008-1005. Apple says "the content of password fields on web pages is normally hidden to guard against disclosing it to others with the ability to see the display. An issue exists with the use of the Kotoeri input method, which could result in exposing the password field content on the display when reverse conversion is requested."

WebCore--window.open() function
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. The update addresses the window.open() function vulnerability in CVE-2008-1006. Apple says "the window.open() function may be used to change the security context of a webpage to the caller's context. Enticing a user to open a maliciously crafted page could allow an arbitrary script to be executed in the user's security context." Apple credits Adam Barth and Collin Jackson of Stanford University for reporting this issue.

WebCore--frame navigation policy
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista and addresses the frame navigation policy vulnerability in CVE-2008-1007. Apple says visiting a maliciously crafted website with Java enabled may result in cross- site scripting. Apple says "by enticing a user to open a maliciously crafted web page, an attacker may obtain elevated privileges through a cross-site scripting attack using Java." Apple credits Adam Barth and Collin Jackson of Stanford University for reporting this vulnerability.

WebCore--document.domain
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. The update addresses a document.domain vulnerability in CVE-2008-1008. Apple says "a cross-site scripting issue exists in Safari's handling of the document.domain property. Enticing a user to visit a maliciously crafted web page may lead to the disclosure of sensitive information."

WebCore--JavaScript injection
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. The update addresses a JavaScript injection vulnerability in CVE-2008-1009. Apple says "JavaScript injection issue exists in the handling of the history object. This may allow frames to set history object properties in all other frames loaded from the same web page. An attacker may leverage this issue to inject JavaScript that will run in the context of other frames, resulting in cross-site scripting."

WebKit--buffer overflow
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. The update addresses the vulnerability in CVE-2008-0010. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Apple says "a buffer overflow issue exists in WebKit's handling of JavaScript regular expressions. Enticing a user to visit a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution." Apple credits Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy and Will Drewry of Google Security Team for reporting this vulnerability.

WebKit--cross-site scripting
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. The update addresses the vulnerability in CVE-2008-0011. Apple says "a cross-site scripting issue in WebKit allows method instances from one frame to be called in the context of another frame. Enticing a user to visit a maliciously crafted web page may lead to the disclosure of sensitive information." Apple credits David Bloom for reporting this vulnerability.