Details of VAR-201003-0142

ID

VAR-201003-0142

CVE

CVE-2010-0063

TITLE

Apple Mac OS X of CoreTypes In any JavaScript Vulnerability to be executed

Trust: 0.8

sources: JVNDB: JVNDB-2010-001246

DESCRIPTION

Incomplete blacklist vulnerability in CoreTypes in Apple Mac OS X before 10.6.3 makes it easier for user-assisted remote attackers to execute arbitrary JavaScript via a web page that offers a download with a Content-Type value that is not on the list of possibly unsafe content types for Safari, as demonstrated by the values for the (1) .ibplugin and (2) .url extensions. Remote attackers can exploit this issue to trick a user into executing arbitrary code if affected content types are downloaded and manually opened from a malicious website. The following are vulnerable: Mac OS X 10.5.8 Mac OS X Server 10.5.8 Mac OS X 10.6 prior to 10.6.3 Mac OS X Server 10.6 prior to 10.6.3 NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. There is an incomplete blacklist vulnerability in CoreTypes of Apple Mac OS. This update adds the .ibplugin and .url file types to the list of content types that the system marks as unsafe

Trust: 1.98

sources: NVD: CVE-2010-0063 // JVNDB: JVNDB-2010-001246 // BID: 39175 // VULHUB: VHN-42668

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x server	scope:	eq	version:	10.5.6	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.5.2	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.5.1	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.5.4	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.5	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.5.5	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.5.0	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.5.8	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.5.7	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.5.3	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.0	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.5	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.5.2	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.5.6	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.5.5	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.1	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	lte	version:	10.6.2	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.5.8	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.5.3	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.5.0	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.0	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.1	Trust: 1.0
vendor:	apple	model:	mac os x server	scope:	lte	version:	10.6.2	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.5.1	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.5.7	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.5.4	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	v10.5.8	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	v10.6 to v10.6.2	Trust: 0.8
vendor:	apple	model:	mac os x server	scope:	eq	version:	v10.5.8	Trust: 0.8
vendor:	apple	model:	mac os x server	scope:	eq	version:	v10.6 to v10.6.2	Trust: 0.8
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.2	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.8	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.7	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.6	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.5	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.4	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.3	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.2	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.2	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.8	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.7	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.6	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.4	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.2	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	ne	version:	x10.6.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	ne	version:	x10.6.3	Trust: 0.3

sources: BID: 39175 // JVNDB: JVNDB-2010-001246 // CNNVD: CNNVD-201003-457 // NVD: CVE-2010-0063

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2010-0063
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2010-0063
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201003-457
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-42668
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2010-0063
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-42668
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-42668 // JVNDB: JVNDB-2010-001246 // CNNVD: CNNVD-201003-457 // NVD: CVE-2010-0063

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	CWE-Other	Trust: 0.8

sources: JVNDB: JVNDB-2010-001246 // NVD: CVE-2010-0063

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201003-457

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201003-457

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-001246

PATCH

title:	HT4077	url:	http://support.apple.com/kb/HT4077	Trust: 0.8
title:	HT4077	url:	http://support.apple.com/kb/HT4077?viewlocale=ja_JP	Trust: 0.8

sources: JVNDB: JVNDB-2010-001246

EXTERNAL IDS

db:	NVD	id:	CVE-2010-0063	Trust: 2.8
db:	JVNDB	id:	JVNDB-2010-001246	Trust: 0.8
db:	CNNVD	id:	CNNVD-201003-457	Trust: 0.7
db:	NSFOCUS	id:	14715	Trust: 0.6
db:	APPLE	id:	APPLE-SA-2010-03-29-1	Trust: 0.6
db:	BID	id:	39175	Trust: 0.4
db:	VULHUB	id:	VHN-42668	Trust: 0.1

sources: VULHUB: VHN-42668 // BID: 39175 // JVNDB: JVNDB-2010-001246 // CNNVD: CNNVD-201003-457 // NVD: CVE-2010-0063

REFERENCES

url:	http://lists.apple.com/archives/security-announce/2010//mar/msg00001.html	Trust: 1.7
url:	http://support.apple.com/kb/ht4077	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-0063	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-0063	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/14715	Trust: 0.6
url:	http://www.apple.com/macosx/	Trust: 0.3

sources: VULHUB: VHN-42668 // BID: 39175 // JVNDB: JVNDB-2010-001246 // CNNVD: CNNVD-201003-457 // NVD: CVE-2010-0063

CREDITS

Michael KisorDamian Put pucik@cc-team.org

Trust: 0.6

sources: CNNVD: CNNVD-201003-457

SOURCES

db:	VULHUB	id:	VHN-42668
db:	BID	id:	39175
db:	JVNDB	id:	JVNDB-2010-001246
db:	CNNVD	id:	CNNVD-201003-457
db:	NVD	id:	CVE-2010-0063

LAST UPDATE DATE

2025-04-11T19:38:20.404000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-42668	date:	2010-03-31T00:00:00
db:	BID	id:	39175	date:	2010-03-29T00:00:00
db:	JVNDB	id:	JVNDB-2010-001246	date:	2010-04-13T00:00:00
db:	CNNVD	id:	CNNVD-201003-457	date:	2010-03-31T00:00:00
db:	NVD	id:	CVE-2010-0063	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-42668	date:	2010-03-30T00:00:00
db:	BID	id:	39175	date:	2010-03-29T00:00:00
db:	JVNDB	id:	JVNDB-2010-001246	date:	2010-04-13T00:00:00
db:	CNNVD	id:	CNNVD-201003-457	date:	2010-03-30T00:00:00
db:	NVD	id:	CVE-2010-0063	date:	2010-03-30T18:30:00.420