Safari fails to sanitize the file protocol handler, leading to information disclosure, e.g. local file theft. Also, creating a certain HTML tag dynamically and using a valid file path to an executable may lead to a Denial of Service condition.
Credit:
The information has been provided by Alexios Fakos.
Vulnerable Systems:
* Safari Browser version 4.0
An attacker could trigger the vulnerability by constructing a specially prepared HTML file. When a user views this file, local content can be sent to a third party. Additionally, various ghost instances of Windows Explorer may harm the stability of the user's system.
Passing the file protocol handler to a certain HTML tag allows local files to be read. On Windows it is possible to create an instance of Windows Explorer by calling an executable file. Other operating systems were not tested.
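An added example, not part of the original advisory or of the n.runs PoCs: a defensive Python check that flags any attribute in untrusted HTML whose value resolves to the file: scheme. The advisory does not name the affected tag, so every attribute is checked; the function names and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

# URL parsers in browsers strip leading C0 control characters and spaces,
# and drop tab/CR/LF anywhere in the URL, before reading the scheme.
_LEADING = "".join(chr(c) for c in range(0x21))


def is_file_url(value):
    """Return True if an attribute value resolves to the file: scheme."""
    if not value:
        return False
    cleaned = value.lstrip(_LEADING)
    for ch in "\t\r\n":
        cleaned = cleaned.replace(ch, "")
    return cleaned[:5].lower() == "file:"


class FileUrlFinder(HTMLParser):
    """Collects (line, tag, attribute) for every file: URL in start tags."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in values,
        # so "&#102;ile:" arrives here as "file:".
        for name, value in attrs:
            if is_file_url(value):
                self.hits.append((self.getpos()[0], tag, name))


def find_file_urls(html):
    finder = FileUrlFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample input; the paths are placeholders.
SAMPLE = """<html><body>
<a href="https://example.com/">ok</a>
<img src="FILE:///C:/placeholder.txt">
<iframe src="&#102;ile:///placeholder"></iframe>
<p title="profile: details">text</p>
<embed src=" fi&#10;le:///placeholder">
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr in find_file_urls(SAMPLE):
        print(f"line {line}: <{tag} {attr}=...> uses the file: scheme")
```

The check only covers static markup; tags created dynamically by script, as the advisory describes, need the same test applied at the point where the attribute is set.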
Patch Availability:
Apple has issued an update to correct this vulnerability. For detailed information about the fixes follow this link:
http://support.apple.com/kb/HT3613
Disclosure Timeline:
2009/06/07 Bug found
2009/06/08 Apple releases Safari 4.0 [1]
2009/06/09 Initial email sent in the midnight hour (UTC/GMT +2 hours)
2009/06/10 All PoCs sent with further description, outlining that at the time of writing the initial email n.runs was aware of the new Safari release. Two PoCs (n.runs-SA-2009.005 and n.runs-SA-2009.006) are not working with the new Safari release, but n.runs asks Apple to have a closer look into them.
2009/06/11 Apple responds that two PoCs are not working on the latest release, so Apple does not see the need for any further action. With regard to n.runs-SA-2009.004, Apple acknowledges the issue still affects Safari 4 and is looking to fix it.
2009/06/15 n.runs informs Apple to release this advisory due to time difference
2009/06/23 n.runs releases this advisory