ISS X-Force Database: safari-applet-security-bypass(35714): Apple Safari Java applet security bypass

Apple Safari Java applet security bypass

safari-applet-security-bypass (35714)

Medium Risk

Description:

Apple Safari could allow a remote attacker to bypass security restrictions, caused by a vulnerability within the handling of the "Enable Java" preference. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability to load and run the applet, even when Java is disabled.

Platforms Affected:

Apple, Safari 3 Beta
Apple, Safari 3.0
Apple, Safari 3.0.1
Apple, Safari 3.0.1 Beta
Apple, Safari 3.0.2
Apple, Safari 3.0.2 Beta

Remedy:

Upgrade to the latest version of Apple Safari (3.0.3 beta or later), available from the Apple Safari Web site. See References.

For Mac OS:
Apply Apple Security Update 2007-007, available from the Apple Web site. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Bypass Security

References:

Apple Safari 3 Beta Update 3.0.3 , About the security content of Safari 3 Beta Update 3.0.3 at http://docs.info.apple.com/article.html?artnum=306174.
Apple Safari Web site, Apple - Safari 3 Public Beta at http://www.apple.com/safari/.
Apple Security Update 2007-007 , About Security Update 2007-007 at http://docs.info.apple.com/article.html?artnum=306172.
Apple Web site, Apple security updates at http://docs.info.apple.com/article.html?artnum=61798.
BID-25157: Apple Safari Disable Java Preference Failure Weakness
CVE-2007-2408: WebKit in Apple Safari 3 Beta before Update 3.0.3 does not properly recognize an unchecked Enable Java setting, which allows remote attackers to execute Java applets via a crafted web page.
SECTRACK ID: 1018494: Mac OS X WebCore Bugs Permit Cross-Domain Scripting Attacks and Java Settings Bypass
VUPEN/ADV-2007-2730: Apple Safari Multiple Remote Code Execution and URL Spoofing Vulnerabilities
VUPEN/ADV-2007-2732: Apple Mac OS X Multiple Code Execution and Denial of Service Vulnerabilities

Reported:

Jul 31, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page