Apple Safari for Mac OS X Multiple Vulnerabilities

SA50577

CVE-2011-3105, CVE-2012-2817, CVE-2012-2818, CVE-2012-2829, CVE-2012-2831, CVE-2012-2842, CVE-2012-2843, CVE-2012-3598, CVE-2012-3601, CVE-2012-3602, CVE-2012-3606, CVE-2012-3607, CVE-2012-3612, CVE-2012-3613, CVE-2012-3614, CVE-2012-3616, CVE-2012-3617, CVE-2012-3621, CVE-2012-3622, CVE-2012-3623, CVE-2012-3624, CVE-2012-3632, CVE-2012-3643, CVE-2012-3647, CVE-2012-3648, CVE-2012-3649, CVE-2012-3651, CVE-2012-3652, CVE-2012-3654, CVE-2012-3657, CVE-2012-3658, CVE-2012-3659, CVE-2012-3660, CVE-2012-3671, CVE-2012-3672, CVE-2012-3673, CVE-2012-3675, CVE-2012-3676, CVE-2012-3677, CVE-2012-3684, CVE-2012-3685, CVE-2012-3687, CVE-2012-3688, CVE-2012-3692, CVE-2012-3699, CVE-2012-3700, CVE-2012-3701, CVE-2012-3702, CVE-2012-3703, CVE-2012-3704, CVE-2012-3705, CVE-2012-3706, CVE-2012-3707, CVE-2012-3708, CVE-2012-3709, CVE-2012-3710, CVE-2012-3711, CVE-2012-3712, CVE-2012-3713, CVE-2012-3714, CVE-2012-3715

20 Sep 2012

23 Oct 2012

Highly Critical

Vendor Patch

Apple Safari 6.x

From remote

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Exposure of sensitive information

Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.

Security Bypass

This covers vulnerabilities or security issues where malicious users or people can bypass certain security mechanisms of the application.

The actual impact varies significantly depending on the design and purpose of the affected application.

Multiple vulnerabilities have been reported in Safari, which can be exploited by malicious people to bypass certain security restrictions, gain knowledge of sensitive information, or compromise a user's system.

1) A logic error in the handling of the Quarantine attribute when opening HTML documents in safe mode can be exploited to cause the document to not be opened in safe mode and disclose the contents of arbitrary files.

2) An error in the handling of Form Autofill may lead to Address Book "Me" card details being disclosed when using Form Autofill on a specially crafted web page.

3) A logic error when handling HTTPS URLs in the address bar may cause a request to be unexpectedly sent over HTTP if part of the request in the address bar was edited by pasting text.

4) A use-after-free error in the Webkit Cascading Style Sheets (CSS) implementation when handling the :first-letter pseudo-element can be exploited to dereference already freed memory.

5) A use-after-free error in Webkit when handling tables with sections can be exploited to dereference already freed memory.

6) A use-after-free error in Webkit when handling the layout of documents using the Cascading Style Sheets (CSS) counters feature can be exploited to dereference already freed memory.

7) A use-after-free error in the Webkit Cascading Style Sheets (CSS) implementation when handling the :first-letter pseudo-element can be exploited to dereference already freed memory.

8) A use-after-free error in Webkit when handling SVG references can be exploited to dereference already freed memory.

9) A use-after-free error in Webkit when handling counters can be exploited to dereference already freed memory.

10) A use-after-free error in Webkit when handling layout height tracking can be exploited to dereference already freed memory.

11) An unspecified error in Webkit can be exploited to corrupt memory.

12) An unspecified error in Webkit can be exploited to corrupt memory.

13) An unspecified error in Webkit can be exploited to corrupt memory.

14) An unspecified error in Webkit can be exploited to corrupt memory.

15) An unspecified error in Webkit can be exploited to corrupt memory.

16) An unspecified error in Webkit can be exploited to corrupt memory.

17) An unspecified error in Webkit can be exploited to corrupt memory.

18) An unspecified error in Webkit can be exploited to corrupt memory.

19) An unspecified error in Webkit can be exploited to corrupt memory.

20) An unspecified error in Webkit can be exploited to corrupt memory.

21) An unspecified error in Webkit can be exploited to corrupt memory.

22) An unspecified error in Webkit can be exploited to corrupt memory.

23) An unspecified error in Webkit can be exploited to corrupt memory.

24) An unspecified error in Webkit can be exploited to corrupt memory.

25) An unspecified error in Webkit can be exploited to corrupt memory.

26) An unspecified error in Webkit can be exploited to corrupt memory.

27) An unspecified error in Webkit can be exploited to corrupt memory.

28) An unspecified error in Webkit can be exploited to corrupt memory.

29) An unspecified error in Webkit can be exploited to corrupt memory.

30) An unspecified error in Webkit can be exploited to corrupt memory.

31) An unspecified error in Webkit can be exploited to corrupt memory.

32) An unspecified error in Webkit can be exploited to corrupt memory.

33) An unspecified error in Webkit can be exploited to corrupt memory.

34) An unspecified error in Webkit can be exploited to corrupt memory.

35) An unspecified error in Webkit can be exploited to corrupt memory.

36) An unspecified error in Webkit can be exploited to corrupt memory.

37) An unspecified error in Webkit can be exploited to corrupt memory.

38) An unspecified error in Webkit can be exploited to corrupt memory.

39) An unspecified error in Webkit can be exploited to corrupt memory.

40) An unspecified error in Webkit can be exploited to corrupt memory.

41) An unspecified error in Webkit can be exploited to corrupt memory.

42) An unspecified error in Webkit can be exploited to corrupt memory.

43) An unspecified error in Webkit can be exploited to corrupt memory.

44) An unspecified error in Webkit can be exploited to corrupt memory.

45) An unspecified error in Webkit can be exploited to corrupt memory.

46) An unspecified error in Webkit can be exploited to corrupt memory.

47) An unspecified error in Webkit can be exploited to corrupt memory.

48) An unspecified error in Webkit can be exploited to corrupt memory.

49) An unspecified error in Webkit can be exploited to corrupt memory.

50) An unspecified error in Webkit can be exploited to corrupt memory.

51) An unspecified error in Webkit can be exploited to corrupt memory.

52) An unspecified error in Webkit can be exploited to corrupt memory.

53) An unspecified error in Webkit can be exploited to corrupt memory.

54) An unspecified error in Webkit can be exploited to corrupt memory.

55) An unspecified error in Webkit can be exploited to corrupt memory.

56) An unspecified error in Webkit can be exploited to corrupt memory.

57) An unspecified error in Webkit can be exploited to corrupt memory.

58) An unspecified error in Webkit can be exploited to corrupt memory.

59) An unspecified error in Webkit can be exploited to corrupt memory.

60) An unspecified error in Webkit can be exploited to corrupt memory.

61) An unspecified error in Webkit can be exploited to corrupt memory.

Update to version 6.0.1.

The vendor credits:
1) Aaron Sigel, vtty.com and Masahiro Yamada
2) Jonathan Hogervorst, Buzzera
3) Aaron Rhoads, East Watch Services LLC and Pepi Zawodsky
4-10, 13) miaubiz
11, 20, 34, 42, 44, 47, 49, 52, 55, 57, 58) Apple Product Security
12) Martin Barbella, Google Chrome Security Team
14, 15, 17, 19, 22, 25, 28, 33, 36, 38-40, 46, 48, 50, 51, 54, 56, 61) Abhishek Arya (Inferno), Google Chrome Security Team
16, 21, 23, 24, 26, 27, 32, 47, 53, 60) Skylined, Google Chrome Security Team
18) Yong Li, Research In Motion
29) Dominic Cooney, Google and Martin Barbella, Google Chrome Security Team
30) Abhishek Arya and Martin Barbella, Google Chrome Security Team
31) Martin Barbella, Google Chrome Security Team
35) Mario Gomes, netfuzzer.blogspot.com and Abhishek Arya (Inferno), Google Chrome Security Team
37) Skylined and Martin Barbella, Google Chrome Security Team
41) Julien Chaffraix, Chromium development community
43, 45) kuzzcc
59) James Robinson of Google

Apple:
http://support.apple.com/kb/HT5502