Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:519473
HistoryMay 12, 2006 - 12:00 a.m.

Apple Safari fails to properly handle archive files containing symbolic links

2006-05-1200:00:00
www.kb.cert.org
15

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

78.3%

JSON

Overview

Apple Safari fails to properly handle archive files that contain symbolic links, which may allow a remote, unauthenticated attacker to execute arbitrary code.

Description

Safari

Apple Safari is a web browser that comes with the Mac OS X operating system.

Symbolic links

Symbolic links are references to files and folders.

“Safe” files

By default, Safari will automatically open “safe” file types, such as pictures, movies, and archive files, including ZIP files. If the contents of an archive file are also considered safe, then Safari will automatically open the contents after the archive is extracted.

The problem

Safari can automatically execute the symbolic link target when it is automatically extracted.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.

Solution

Apply an update
Apply Apple Security Update 2006-003. With this update, Safari will not resolve downloaded symbolic links.

Disable “Open ‘safe’ files after downloading”

Disable the option “Open ‘safe’ files after downloading,” as specified in the Securing Your Web Browser document. This will help prevent automatic exploitation of this and other vulnerabilities.

Vendor Information

519473

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apple Computer, Inc. __ Affected

Notified: May 12, 2006 Updated: May 12, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Apple Security Update 2006-003.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23519473 Feedback>).

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Apple Product Security for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2006-1457
Severity Metric: 16.07 Date Public:

Related

prion 1
cve 1
nessus 1
prion
prion
Design/Logic Flaw
2006-05-12 21:02:00
cve
cve
CVE-2006-1457
2006-05-12 21:02:00
nessus
nessus
Mac OS X Multiple Vulnerabilities (Security Update 2006-003)
2006-05-12 00:00:00

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

78.3%

JSON
Related for VU:519473
prion1cve1nessus1