
March 18th, 2008

Apple patches cross-site scripting vulnerabilities

Posted by Larry Dignan @ 11:31 am

Categories: Apple, Exploit code, Hackers, Patch Watch, Vulnerability research, Zero-day attacks

Tags: Apple Macintosh, JavaScript, Update, Microsoft Windows Vista, Cross-site Scripting Vulnerability, Apple Inc., Apple Mac OS X, Apple Mac OS, Microsoft Windows Vista (Longhorn), Microsoft Windows XP

Apple on Tuesday patched code execution and cross-site scripting vulnerabilities on Tiger, Leopard, Vista and XP in a Safari update that included 13 patches.

Apple historically has delivered patches along with new feature or software updates. It’s easy to miss the security angle among the new Safari hubbub (Techmeme). Here’s a look at the vulnerabilities Apple plugged with its latest update.

CVE-2008-1010: This update is for Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista and addresses problems with WebKit. The problem: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution, says Apple. As for the details:

A buffer overflow issue exists in WebKit’s handling of JavaScript regular expressions. Enticing a user to visit a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy and Will Drewry of Google Security Team for reporting this issue.

CVE-2008-1011: This patch addressed a cross-site scripting vulnerability in WebKit. The update is available for Mac OS X v10.4.11, Mac OS X v10.5.2, Windows XP or Vista. Apple notes: “A cross-site scripting issue in WebKit allows method instances from one frame to be called in the context of another frame. Enticing a user to visit a maliciously crafted web page may lead to the disclosure of sensitive information. This update addresses the issue through improved handling of cross-domain method calls. Credit to David Bloom for reporting this issue.”

Other CVEs were all variations on the same cross-site scripting theme. By product and CVE number:

Safari: CVE-2008-1002. This update addresses JavaScript cross-site scripting problems. Platforms affected: Tiger, Leopard, XP and Vista. Apple says:

A cross-site scripting issue exists in the processing of JavaScript: URLs. Enticing a user to visit a maliciously crafted web page could allow the execution of JavaScript in the context of another site. This update addresses the issue by performing additional validation of JavaScript: URLs. Credit to Robert Swiecki of Google Information Security Team for reporting this issue.
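The fix Apple describes for CVE-2008-1002 is validation of JavaScript: URLs on the browser side. The same class of bug bites web applications that render user-supplied link targets, and a naive prefix check for the literal string "javascript:" is not enough, because browsers lowercase the scheme and strip whitespace and control characters before parsing. The following is an added example, not Apple's or WebKit's code, of a scheme allowlist that applies the same normalisation a browser does; the function names and the allowlist contents are assumptions for illustration.

```javascript
// Added example (not from the original post): validate a link target by its
// URL scheme, after normalising the string the way a browser's URL parser does.
// Apply it to the value you will assign to the DOM (i.e. after any HTML entity
// decoding), since that is what the browser actually parses.

// Returns the lowercased scheme of the URL, or null when the string has no
// scheme (a relative URL) or the scheme is not syntactically valid.
function extractScheme(rawUrl) {
  const cleaned = String(rawUrl)
    // browsers drop leading/trailing C0 control characters and spaces ...
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    // ... and remove ASCII tab, LF and CR anywhere in the input
    .replace(/[\t\n\r]/g, "");
  // scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Allowlist rather than denylist: anything not listed (javascript:, data:,
// vbscript:, file:, ...) is rejected without having to enumerate it.
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

function isSafeLinkTarget(rawUrl) {
  const scheme = extractScheme(rawUrl);
  if (scheme === null) return true; // relative URL: resolves against the current origin
  return SAFE_SCHEMES.has(scheme);
}

// Replacement target for rejected links; about:blank runs no script.
function sanitizeHref(rawUrl) {
  return isSafeLinkTarget(rawUrl) ? rawUrl : "about:blank";
}
```

The tricky inputs are the ones a prefix check misses: mixed case, a leading tab, or a newline embedded inside the scheme, all of which a browser still treats as javascript: URLs.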

WebCore (CVE-2008-1003, CVE-2008-1004, CVE-2008-1005, CVE-2008-1006, CVE-2008-1007, CVE-2008-1008, CVE-2008-1009): These updates address cross-site scripting vulnerabilities of various flavors on Leopard, Tiger, XP and Vista.

Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic.

Talkback (3 comments)

Most recent: Cisco has moved to a 6-month cycle
Posted by georgeou, 03/19/08

Cisco has moved to a 6-month cycle.
Oracle is on a 3-month cycle.

The problem is that people almost never patch Cisco and Oracle because there is zero awareness for it.... (Read the rest)

All comments:
  • Coincidence? (Shelendrea, 03/18/08)
  • The whole industry has moved toward (Larry Dignan, ZDNet Moderator, 03/18/08)
  • Cisco has moved to a 6-month cycle (georgeou, 03/19/08)
