ID

VAR-200901-0272

CVE

CVE-2009-0123

TITLE

Mac OS X and Windows Run on Apple Safari Vulnerable to browsing arbitrary files on client machines

DESCRIPTION

Unspecified vulnerability in Apple Safari on Mac OS X 10.5 and Windows allows remote attackers to read arbitrary files on a client machine via vectors related to the association of Safari with the (1) feed, (2) feeds, and (3) feedsearch URL types for RSS feeds. NOTE: as of 20090114, the only disclosure is a vague pre-advisory. However, because it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes. Apple Safari is prone to multiple input-validation vulnerabilities. An attacker can exploit these issues by enticing an unsuspecting victim to visit a malicious website. Successfully exploiting these issues will allow the attacker to execute arbitrary JavaScript code in the local security zone. This may allow the attacker to obtain sensitive information that can aid in further attacks; other consequences may also occur. These issues affect versions prior to Safari 3.2.2 for Windows. NOTE: This BID was previously titled 'Apple Safari RSS Feed Information Disclosure Vulnerability', but has been updated to reflect new information. A remote attacker can use specific vectors to read arbitrary files on the client machine. These vectors are associated with Safari and feedsearch URL-like connections for (1) feeds, (2) feeds, and (3) RSS feeds. ---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: Apple Safari RSS Feed URL Handling Information Disclosure SECUNIA ADVISORY ID: SA33458 VERIFY ADVISORY: http://secunia.com/advisories/33458/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information WHERE: >From remote SOFTWARE: Safari 3.x http://secunia.com/advisories/product/17989/ Safari for Windows 3.x http://secunia.com/advisories/product/17978/ DESCRIPTION: Brian Mastenbrook has reported a vulnerability in Apple Safari, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an unspecified error within the handling of RSS feed URLs and can potentially be exploited to gain access to sensitive information. SOLUTION: Do not visit untrusted web sites and don't follow untrusted links. PROVIDED AND/OR DISCOVERED BY: Brian Mastenbrook ORIGINAL ADVISORY: http://brian.mastenbrook.net/display/27 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

information disclosure

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Brian Mastenbrook, Clint Ruoho of Laconic Security, and Billy Rios of Microsoft

SOURCES

LAST UPDATE DATE

2025-04-10T20:31:56.119000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE