alerts

Follow @SLCERT

Home
About Us
Services
Knowledge Base
- Policies
- Case Studies
- Best Practices
- Security Tools
- Cyber Guardian
- Alerts
- General
- News
- Statistics
- FAQ
Procurement
Downloads
Events
Contact Us
- Contact Us
- Subscribe

News

More...

Alerts

More...

Events

More...

Multiple vulnerabilities in Apple Safari

Systems Affected

Apple Safari versions prior to 8.0.7
Apple Safari versions prior to 7.1.7
Apple Safari versions prior to 6.2.7

Threat Level

			High

Overview

Multiple vulnerabilities have been reported in the Webkit component of Apple Safari which could allow remote attackers to bypass intended security restrictions, access potentially sensitive information, execute arbitrary code or cause a denial of service (DoS) condition on the affected systems.

Description

1. Cross-Site Request Forgery Vulnerability ( CVE-2015-3658 )
This vulnerability exist in page loading functionality due to improper handling of redirects while sending an Origin header. A remote attacker could exploit this vulnerability by enticing users to visit a specially crafted website. Successful exploitation of this vulnerability could allow the attacker to bypass CSRF protection mechanisms and conduct Cross Site Request Forgery (CSRF) attacks.

2. Arbitrary Code Execution Vulnerability ( CVE-2015-3659 )
This vulnerability occurs due to SQLite authorizer in WebKit does not properly restrict access to SQL functions. Successful exploitation of this issue could allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted web site.

3. Cross-site scripting (XSS) Vulnerability ( CVE-2015-3660 )
This vulnerability exists in Webkit PDF functionality due to improper handling of user-supplied input. A remote attacker could exploit this vulnerability. Successful exploitation of this vulnerability could allow remote attackers to inject arbitrary web script or HTML code by enticing users to load a specially crafted URL in an embedded PDF content.

4. Information Disclosure Vulnerability ( CVE-2015-3727 )
This vulnerability occurs due to improper authorization checks for renaming operations on WebSQL tables. Successful exploitation of this vulnerability could allow remote attackers to access WebSQL databases of other web sites via an specially crafted website.

Impact

Solution/ Workarounds

Update Apple Safari to the latest versions as mentioned in Apple Security Advisory
https://support.apple.com/en-in/HT204950

References

http://www.cert-in.org.in/

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.