Lucene search

K
appleAppleAPPLE:HT206171
HistoryJan 23, 2017 - 3:54 a.m.

About the security content of Safari 9.1 - Apple Support

2017-01-2303:54:36
support.apple.com
5

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other security updates, see Apple security updates.

Safari 9.1

  • Safari

Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.4

Impact: Visiting a malicious website may lead to user interface spoofing

Description: An issue existed where the text of a dialog included page-supplied text. This issue was addressed by no longer including that text.

CVE-ID

CVE-2009-2197 : Alexios Fakos of n.runs AG

  • Safari Downloads

Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.4

Impact: Visiting a maliciously crafted webpage may lead to a system denial of service

Description: An insufficient input validation issue existed in the handling of certain files. This was addressed through additional checks during file expansion.

CVE-ID

CVE-2016-1771 : Russ Cox

  • Safari Top Sites

Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.4

Impact: A website may be able to track sensitive user information

Description: A cookie storage issue existed in the Top Sites page. This issue was addressed through improved state management.

CVE-ID

CVE-2016-1772 : WoofWagly

  • WebKit

Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.4

Impact: A website may be able to track sensitive user information

Description: An issue existed in the handling of attachment URLs. This issue was addressed through improved URL handling.

CVE-ID

CVE-2016-1781 : Devdatta Akhawe of Dropbox, Inc.

  • WebKit

Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.4

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-ID

CVE-2016-1778 : 0x1byte working with Trend Micro’s Zero Day Initiative (ZDI) and Yang Zhao of CM Security

CVE-2016-1783 : Mihai Parparita of Google

  • WebKit

Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.4

Impact: A malicious website may be able to access restricted ports on arbitrary servers

Description: A port redirection issue was addressed through additional port validation.

CVE-ID

CVE-2016-1782 : Muneaki Nishimura (nishimunea) of Recruit Technologies Co.,Ltd.

  • WebKit

Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.4

Impact: Visiting a maliciously crafted website may reveal a user’s current location

Description: An issue existed in the parsing of geolocation requests. This was addressed through improved validation of the security origin for geolocation requests.

CVE-ID

CVE-2016-1779 : xisigr of Tencent’s Xuanwu Lab (www.tencent.com)

  • WebKit

Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.4

Impact: Opening a maliciously crafted URL may lead to the disclosure of sensitive user information

Description: An issue existed in URL redirection when XSS auditor was used in block mode. This issue was addressed through improved URL navigation.

CVE-ID

CVE-2016-1864 : Takeshi Terada of Mitsui Bussan Secure Directions, Inc.

  • WebKit History

Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.4

Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash

Description: A resource exhaustion issue was addressed through improved input validation.

CVE-ID

CVE-2016-1784 : Moony Li and Jack Tang of TrendMicro and 李普君 of 无声信息技术PKAV Team (PKAV.net)

  • WebKit Page Loading

Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.4

Impact: A malicious website may exfiltrate data cross-origin

Description: A caching issue existed with character encoding. This was addressed through additional request checking.

CVE-ID

CVE-2016-1785 : an anonymous researcher

  • WebKit Page Loading

Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.4

Impact: Visiting a malicious website may lead to user interface spoofing

Description: Redirect responses may have allowed a malicious website to display an arbitrary URL and read cached contents of the destination origin. This issue was addressed through improved URL display logic.

CVE-ID

CVE-2016-1786 : ma.la of LINE Corporation

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C