ID

VAR-201504-0146

CVE

CVE-2015-1128

TITLE

Apple Safari Browsing history information vulnerability in private browsing implementation

DESCRIPTION

The private-browsing implementation in Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5 allows attackers to obtain sensitive browsing-history information via vectors involving push-notification requests. Apple Safari is prone to an information-disclosure vulnerability. Attackers can exploit this issue to disclose sensitive information that may aid in further attacks. Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. The following versions are affected: Apple Safari prior to 6.2.5, 7.x prior to 7.1.5, and 8.x prior to 8.0.5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2015-04-08-1 Safari 8.0.5, Safari 7.1.5, and Safari 6.2.5 Safari 8.0.5, Safari 7.1.5, and Safari 6.2.5 are now available and address the following: Safari Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2 Impact: Users may be tracked by malicious websites using client certificates Description: An issue existed in Safari's client certificate matching for SSL authentication. This issue was addressed by improved matching of valid client certificates. CVE-ID CVE-2015-1129 : Stefan Kraus of fluid Operations AG, Sylvain Munaut of Whatever s.a. Safari Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2 Impact: Notifications preferences may reveal users' browsing history in private browsing mode Description: Responding to push notification requests in private browsing mode revealed users' browsing history. This issue was addressed by disabling push notification prompts in private browsing mode. CVE-ID CVE-2015-1128 : Joseph Winn of Credit Union Geek Safari Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2 Impact: Users' browsing history may not be completely purged Description: A state management issue existed in Safari that resulted in users' browsing history not being purged from history.plist. This issue was addressed by improved state management. CVE-ID CVE-2015-1112 : William Breuer, The Netherlands WebKit Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2 Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling. CVE-ID CVE-2015-1119 : Renata Hodovan of University of Szeged / Samsung Electronics CVE-2015-1120 : Apple CVE-2015-1121 : Apple CVE-2015-1122 : Apple CVE-2015-1124 : Apple WebKit Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2 Impact: Users' browsing history in private mode may be indexed Description: A state management issue existed in Safari that inadvertently indexed users' browsing history when in private browsing mode. This issue was addressed by improved state management. CVE-ID CVE-2015-1127 : Tyler C WebKit Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2 Impact: Visiting a maliciously crafted website may lead to resources of another origin being accessed Description: An issue existed in WebKit's credential handling for FTP URLs. This issue was addressed by improved URL decoding. CVE-ID CVE-2015-1126 : Jouko Pynnonen of Klikki Oy Safari 8.0.5, Safari 7.1.5, and Safari 6.2.5 may be obtained from the Mac App Store. Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJVJG6MAAoJEBcWfLTuOo7tL3cP/RVZlw3sp/ze1r1hSxcezN/Z w/uAPiqzud607Aqqwsg1YI4WzqCoIVLEb6N40eNGn7aTFkgOrBlYhsxTNHNnx2cM 3/HkDKMZo0bhO/fIqa9YfyG/KbgFKQMM0/eECNccEkQp6/DLHLJIwS0+QW0oBZ9q m9bBNTHFQxvJA9or3cn/eFV1zWVvr5RjpwR595tzWpYLIbIqTX901VAbBMOKvqtl 8b5NMmLNoEmfKGWWRqa5RmguFNnnANi3m+6PgU6fNU82dm8mif+ONDhDeyC43MH0 cxeeKZcWBGdYel9C/ctSF9SsnKhqAukIMoMppYLLL8AFHBPd504w1oXoS6UiE/go GrCXwzyxOklGQriyeMS/nsSn+AryJzQP3hXgWjAd8HuSIKCff9iaZBk5OxjK1Cwi k0zSx0qDJAHo1nlUhawYjQVhD7QEtkV7QO6hb4W22h5r/0MJGNuPsh9Mw2u6gIW6 l+p2x3D64xjfh+EclWerMhN+tqBR3RokkdkvNxhStdsz6dkA21ynaHMiaYN3lff7 DDINEP6dDiLi8AGP9P9pjYl3wMVgVTyFgMGL7cUMx8GIrm4pp8YAkhj2yWOM/ns0 Mycgrf+h0tFZYTvvojWlyo4rqx9J8te7dEiHjmg8l0OrOHXzmqQhDwOIWbH8fIGO CfE7FxlOHEHgzh+bzKvG =Df4l -----END PGP SIGNATURE-----

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

information disclosure

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Joseph Winn of Credit Union Geek

SOURCES

LAST UPDATE DATE

2025-04-13T20:07:06.479000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE