Safari Script Editor AppleScript execution

2015-11-02T00:00:00
ID: SAINT:6D0303C56098956018FAC37F887992D7
Type: saint
Reporter: SAINT Corporation
Modified: 2015-11-02T00:00:00

Description

Added: 11/02/2015
CVE: CVE-2015-7007
BID: 77266

Background

Safari is a web browser for Mac OS X and Windows.

Problem

A vulnerability in the OS X Script Editor allows a malicious web page to execute arbitrary AppleScript code without user confirmation if the user can be enticed to type Control-R in Safari.

Resolution

Upgrade to OS X 10.11.1 or apply Security Update 2015-007.

References

<https://support.apple.com/en-us/HT205375>

Limitations

A user must load the exploit page in Safari and type Control-R in order for the exploit to succeed.

Platforms

Mac OS X