Published: 15-03-2010
Updated: 30-11-2010
Product:
apple: safari 4.0
apple: safari 4.0.0b
apple: safari 4.0.1
apple: safari 4.0.2
apple: safari 4.0.3
apple: safari 4.0.4
Severity: Medium (4.3)
CVSS vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Attack's vector: Victim must voluntarily interact with attack mechanism
Potential loss type: Confidentiality
Vulnerability description:
WebKit in Apple Safari before 4.0.5 does not properly validate the cross-origin loading of stylesheets, which allows remote attackers to obtain sensitive information via a crafted HTML document. NOTE: this might overlap CVE-2010-0651.
Patch available: Yes
Solution:
Per http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html: 'Safari 4.0.5 is available via the Apple Software Update application,
or Apple's Safari download site at:
http://www.apple.com/safari/download/'
References:
BID: http://www.securityfocus.com/bid/38671
XF: http://xforce.iss.net/xforce/xfdb/56837
VUPEN: http://www.vupen.com/english/advisories/2010/2722
UBUNTU: http://www.ubuntu.com/usn/USN-1006-1
SECTRACK: http://www.securitytracker.com/id?1023708
MISC: http://websec.sv.cmu.edu/css/css.pdf
CONFIRM: http://support.apple.com/kb/HT4456
CONFIRM: http://support.apple.com/kb/HT4225
CONFIRM: http://support.apple.com/kb/HT4070
SECUNIA: http://secunia.com/advisories/41856
MISC: http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-c ...
OVAL: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:de ...
OSVDB: http://osvdb.org/62944
APPLE: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.ht ...
APPLE: http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.ht ...
APPLE: http://lists.apple.com/archives/security-announce/2010//Nov/msg00003.h ...
MISC: http://code.google.com/p/chromium/issues/detail?id=9877
