Multiple vulnerabilities in Apple Safari

 

Systems Affected


Apple Safari versions prior to 8.0.7
Apple Safari versions prior to 7.1.7
Apple Safari versions prior to 6.2.7

Threat Level


High


Overview


Multiple vulnerabilities have been reported in the WebKit component of Apple Safari. A remote attacker who entices a user to visit a specially crafted website could bypass intended security restrictions, access potentially sensitive information, execute arbitrary code, or cause a denial of service (DoS) condition on the affected system.


Description


1. Cross-Site Request Forgery Vulnerability (CVE-2015-3658)
This vulnerability exists in the WebKit page-loading functionality because the Origin header is not handled correctly when a request is redirected. A remote attacker could exploit it by enticing a user to visit a specially crafted website. Successful exploitation could allow the attacker to bypass CSRF protections that rely on the Origin header and conduct cross-site request forgery (CSRF) attacks against other sites the user is logged in to.
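Item 1 above describes a browser-side failure: Safari did not set the Origin header correctly across redirects, so a server that trusted that header alone could be fooled. The check below is added here as an example and is not code from this advisory or from Apple; it is the server-side counterpart a practitioner would want. It validates Origin (falling back to Referer), refuses state-changing requests that carry neither header or carry the opaque value "null" that browsers send after a cross-origin redirect, and still demands a per-session synchronizer token so that a browser bug in Origin handling does not by itself defeat CSRF protection. The origin https://app.example.test, the header dictionaries and the tokens are constructed for the example.

```python
import hmac
from urllib.parse import urlsplit

# Methods that must never change server state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Serialize the origin (scheme://host[:port]) of an absolute URL, or None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(method, headers, form_token, session_token, allowed_origins):
    """Decide whether a request may proceed. Returns (allowed, reason).

    allowed_origins is the set of origins permitted to issue state-changing
    requests, e.g. {"https://app.example.test"} (constructed for this example).
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        # No Origin header: fall back to Referer rather than assuming same-origin.
        referer = h.get("referer")
        origin = origin_of(referer) if referer else None
    if origin is None:
        return False, "no Origin or Referer on a state-changing request"

    # The literal value "null" (opaque origin, e.g. after a cross-origin redirect
    # or from a sandboxed frame) is never in the allowlist and is rejected here.
    if origin.lower() not in allowed_origins:
        return False, f"origin {origin!r} not allowed"

    # Defence in depth: Origin is set by the browser, and a browser bug such as
    # CVE-2015-3658 can make it wrong, so also require the synchronizer token.
    if not form_token or not session_token or not hmac.compare_digest(form_token, session_token):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


if __name__ == "__main__":
    allowed = {"https://app.example.test"}
    samples = [
        ("POST", {"Origin": "https://app.example.test"}, "t1", "t1"),
        ("POST", {"Origin": "null"}, "t1", "t1"),
        ("POST", {"Referer": "https://app.example.test/form"}, "t1", "t1"),
        ("POST", {}, "t1", "t1"),
        ("POST", {"Origin": "https://app.example.test"}, "t1", "t2"),
    ]
    for method, hdrs, form_tok, sess_tok in samples:
        print(method, hdrs, csrf_check(method, hdrs, form_tok, sess_tok, allowed))
```

The token comparison uses hmac.compare_digest so that a wrong token takes as long to reject as a nearly right one. The Referer fallback is deliberately a fallback only: a request with no Origin is treated as untrusted unless another header proves where it came from, never as same-origin by default.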

2. Arbitrary Code Execution Vulnerability (CVE-2015-3659)
This vulnerability exists because the SQLite authorizer in WebKit does not properly restrict which SQL functions web content may invoke. Successful exploitation could allow a remote attacker to execute arbitrary code or cause a denial of service (application crash) via a specially crafted website.

3. Cross-Site Scripting (XSS) Vulnerability (CVE-2015-3660)
This vulnerability exists in the WebKit PDF functionality due to improper handling of links in PDF content embedded in a web page. A remote attacker could exploit it by enticing a user to click a specially crafted link in an embedded PDF. Successful exploitation could allow the attacker to inject arbitrary web script or HTML in the context of the affected site.

4. Information Disclosure Vulnerability (CVE-2015-3727)
This vulnerability exists due to an insufficient authorization check on renaming WebSQL tables. Successful exploitation could allow a malicious website to access the WebSQL databases of other websites.
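Items 2 and 4 both concern WebKit's SQLite authorizer: the callback SQLite invokes while compiling each statement so that the embedding application can allow or deny individual actions before any SQL runs. The example below is added here and is not WebKit's or Apple's code; it shows the same mechanism through Python's sqlite3 module, with an allowlist of SQL functions (the control that CVE-2015-3659 concerned) and a refusal to rename a protected table (the control that CVE-2015-3727 concerned). The allowlist, the table names and the sample rows are constructed for the example; the SQLITE_FUNCTION and SQLITE_ALTER_TABLE action codes and their arguments are as documented by SQLite.

```python
import sqlite3

# Constructed allowlist: the only SQL functions untrusted SQL may call.
ALLOWED_FUNCTIONS = {"upper", "lower", "length", "abs", "count", "max", "min", "sum", "coalesce"}

# SQLite implements ALTER TABLE ... RENAME with internal helper functions named
# sqlite_rename_*, which also pass through the authorizer, so admit them by
# prefix or legitimate renames stop working.
INTERNAL_FUNCTION_PREFIX = "sqlite_rename_"

# Constructed name of a bookkeeping table that untrusted SQL must never alter.
PROTECTED_TABLES = {"__metadata__"}


def authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Authorizer callback; SQLite calls it for every action while compiling a statement."""
    if action == sqlite3.SQLITE_FUNCTION:
        # For SQLITE_FUNCTION, arg1 is None and arg2 is the function name.
        name = (arg2 or "").lower()
        if name in ALLOWED_FUNCTIONS or name.startswith(INTERNAL_FUNCTION_PREFIX):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    if action == sqlite3.SQLITE_ALTER_TABLE:
        # For SQLITE_ALTER_TABLE, arg1 is the database name and arg2 the table
        # being altered; this is the hook that covers RENAME TO.
        if (arg2 or "").lower() in PROTECTED_TABLES:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    # Reads, selects, inserts on ordinary tables and so on are allowed here.
    return sqlite3.SQLITE_OK


def new_connection(restricted=True):
    """In-memory database seeded with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE __metadata__ (key TEXT, value TEXT);
        INSERT INTO __metadata__ VALUES ('owner', 'https://app.example.test');
        CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT);
        INSERT INTO notes (body) VALUES ('hello');
    """)
    if restricted:
        conn.set_authorizer(authorizer)   # installed after trusted setup SQL ran
    return conn


def run_untrusted(sql, restricted=True):
    """Run one statement as an untrusted caller would.

    Returns ('ok', rows) or ('denied', message). An authorizer refusal fails the
    statement at prepare time, before anything executes.
    """
    conn = new_connection(restricted)
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.DatabaseError as exc:
        return ("denied", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    for statement in (
        "SELECT upper(body) FROM notes",
        "SELECT sqlite_version()",
        "ALTER TABLE __metadata__ RENAME TO mine",
    ):
        print(statement, "->", run_untrusted(statement))
```

The property worth noticing is where the refusal happens: SQLite consults the authorizer while compiling the statement, so a denied function or rename never executes at all. The allowlist is what stands between web-controlled SQL and the rest of the SQLite function table; an authorizer that compares names loosely, or forgets an action code such as ALTER TABLE, loses exactly the guarantee the two advisory items describe.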


Impact


A remote attacker who entices a user to visit a specially crafted website could bypass CSRF protection, read WebSQL data belonging to other websites, inject script or HTML into the context of another site, execute arbitrary code, or crash the browser.
Solution/ Workarounds


Update Apple Safari to the fixed version for your OS X release (Safari 8.0.7, 7.1.7 or 6.2.7) as described in the Apple security advisory HT204950:
https://support.apple.com/en-in/HT204950


References


http://www.cert-in.org.in/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.


© Copyright Sri Lanka CERT|CC. All Rights Reserved.