APPLE-SA-2012-09-19-3 Safari 6.0.1

2012-09-24T00:00:00
ID SECURITYVULNS:DOC:28575
Type securityvulns
Reporter Securityvulns
Modified 2012-09-24T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

APPLE-SA-2012-09-19-3 Safari 6.0.1

Safari 6.0.1 is now available and addresses the following:

Safari Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 and v10.8.1 Impact: Opening a maliciously crafted downloaded HTML document may lead to the disclosure of local file content Description: In OS X Mountain Lion HTML files were removed from the unsafe type list. Quarantined HTML documents are opened in a safe mode that prevents accessing other local or remote resources. A logic error in Safari's handling of the Quarantine attribute caused the safe mode not to be triggered on Quarantined files. This issue was addressed by properly detecting the existence of the Quarantine attribute. CVE-ID CVE-2012-3713 : Aaron Sigel of vtty.com, Masahiro Yamada

Safari Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 and v10.8.1 Impact: Using Autofill on a maliciously crafted website may lead to the disclosure of contact information Description: A rare condition existed in the handling of Form Autofill. Using Form Autofill on a maliciously crafted website may have led to disclosure of information from the Address Book "Me" card that was not included in the Autofill popover. This issue was addressed by limiting Autofill to the fields contained in the popover. CVE-ID CVE-2012-3714 : Jonathan Hogervorst of Buzzera

Safari Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 and v10.8.1 Impact: After editing a HTTPS URL in the address bar, a request may be unexpectedly sent over HTTP Description: A logic issue existed in the handling of HTTPS URLs in the address bar. If a portion of the address was edited by pasting text, the request may be unexpectedly sent over HTTP. This issue was addressed by improved handling of HTTPS URLs. CVE-ID CVE-2012-3715 : Aaron Rhoads of East Watch Services LLC, Pepi Zawodsky

WebKit Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 and v10.8.1 Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling. CVE-ID CVE-2011-3105 : miaubiz CVE-2012-2817 : miaubiz CVE-2012-2818 : miaubiz CVE-2012-2829 : miaubiz CVE-2012-2831 : miaubiz CVE-2012-2842 : miaubiz CVE-2012-2843 : miaubiz CVE-2012-3598 : Apple Product Security CVE-2012-3601 : Martin Barbella of the Google Chrome Security Team using AddressSanitizer CVE-2012-3602 : miaubiz CVE-2012-3606 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3607 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3612 : Skylined of the Google Chrome Security Team CVE-2012-3613 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3614 : Yong Li of Research In Motion, Inc. CVE-2012-3616 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3617 : Apple Product Security CVE-2012-3621 : Skylined of the Google Chrome Security Team CVE-2012-3622 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3623 : Skylined of the Google Chrome Security Team CVE-2012-3624 : Skylined of the Google Chrome Security Team CVE-2012-3632 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3643 : Skylined of the Google Chrome Security Team CVE-2012-3647 : Skylined of the Google Chrome Security Team CVE-2012-3648 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3649 : Dominic Cooney of Google and Martin Barbella of the Google Chrome Security Team CVE-2012-3651 : Abhishek Arya and Martin Barbella of the Google Chrome Security Team CVE-2012-3652 : Martin Barbella of Google Chrome Security Team CVE-2012-3654 : Skylined of the Google Chrome Security Team CVE-2012-3657 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3658 : Apple CVE-2012-3659 : Mario Gomes of netfuzzer.blogspot.com, Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3660 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3671 : Skylined and Martin Barbella of the Google Chrome Security Team CVE-2012-3672 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3673 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3675 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3676 : Julien Chaffraix of the Chromium development community CVE-2012-3677 : Apple CVE-2012-3684 : kuzzcc CVE-2012-3685 : Apple Product Security CVE-2012-3687 : kuzzcc CVE-2012-3688 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3692 : Skylined of the Google Chrome Security Team, Apple Product Security CVE-2012-3699 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3700 : Apple Product Security CVE-2012-3701 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3702 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3703 : Apple Product Security CVE-2012-3704 : Skylined of the Google Chrome Security Team CVE-2012-3705 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3706 : Apple Product Security CVE-2012-3707 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3708 : Apple CVE-2012-3709 : Apple Product Security CVE-2012-3710 : James Robinson of Google CVE-2012-3711 : Skylined of the Google Chrome Security Team CVE-2012-3712 : Abhishek Arya (Inferno) of the Google Chrome Security Team

For OS X Lion systems Safari 6.0.1 is available via the Apple Software Update application.

For OS X Mountain Lion systems, Safari 6.0.1 is included with OS X v10.8.2.

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJQWho/AAoJEPefwLHPlZEwG9kP/A2FKYpkYoEnaHSaCeI8W/Gt F+EjtnJ85SnVz76a81dt7O+F65pYMjMYEEHthgw62JAbZHrw93gf1dWpp+0IfXJZ w/dOV6yNxYmDOh0zir1I2tCIplkD2MvUrubcW+UCwDbVxnGKsTNBWzovHpvos2Uk lRn6Bl1wM5vOthJO14Z6iS0XX4GkefA3XzoVqY6dU0c9mxrTQhtMWvL+Pb1UpqX3 CZLcMmFGRuCE/+aM+d1x749PEteNDbrnw/aYfMyMSUNgb43EaUxCzTiUU+NvzsFL Ah33i29Li38nl+rLVgTRRU9EQVm1ZcujoftpgFw9prTd999f47eCSU5/QeDjY+Zw GLJRDfe/PP/GFKzAchefqS5x2PFUI9hZRGJEFviOEygfEPfYVCe/r/iMvBTtwfkn GVw1WIXcraqxXGzUNhCCZy3rcA8sSbJlCaIIr3VbtPS7PMHwjSaT+DBgD0hWtnk2 uATTye1UKG8m+FfwXn7ha3/W0kmdEGn1dBgpG2d35yXkGj7zgUgi4MX9HTVGTqEd Nvlzpffv5LCCdDqhRgqe4uT7fKmb46owoNNHM4eAH4A4EwHzA3lXQt5twhO9b2gL gWZ+bfwxfUaVlyBDPM1cUZ4e13HRiFPiRI9PJ2S5DrLoiMzpXIbBRH+5fs9uVvV+ zhJ+1dokzSpzRKJOq68N =xYhU -----END PGP SIGNATURE-----