====================================================================
CERT-Renater Information Note No. 2016/VULN277
_____________________________________________________________________
DATE                 : 19/07/2016
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Safari web browser
=====================================================================

https://support.apple.com/en-au/HT206900
____________________________________________________________________

APPLE-SA-2016-07-18-5 Safari 9.1.2

Safari 9.1.2 is now available and addresses the following:

WebKit
Available for: OS X El Capitan v10.11.6
Impact: Visiting a malicious website may disclose image data from another website
Description: A timing issue existed in the processing of SVG. This issue was addressed through improved validation.
CVE-2016-4583 : Roeland Krak

WebKit
Available for: OS X El Capitan v10.11.6
Impact: Visiting a malicious website may lead to user interface spoofing
Description: An origin inheritance issue existed in parsing of about: URLs. This was addressed through improved validation of security origins.
CVE-2016-4590 : xisigr of Tencent's Xuanwu Lab (www.tencent.com)

WebKit
Available for: OS X El Capitan v10.11.6
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-4586 : Apple
CVE-2016-4589 : Tongbo Luo and Bo Qu of Palo Alto Networks
CVE-2016-4622 : Samuel Gross working with Trend Micro's Zero Day Initiative
CVE-2016-4623 : Apple
CVE-2016-4624 : Apple

WebKit
Available for: OS X El Capitan v10.11.6
Impact: Visiting a maliciously crafted website may result in the disclosure of process memory
Description: A memory initialization issue was addressed through improved memory handling.
CVE-2016-4587 : Apple

WebKit
Available for: OS X El Capitan v10.11.6
Impact: Visiting a maliciously crafted webpage may lead to a system denial of service
Description: A memory consumption issue was addressed through improved memory handling.
CVE-2016-4592 : Mikhail

WebKit
Available for: OS X El Capitan v10.11.6
Impact: Visiting a maliciously crafted website may compromise user information on the file system
Description: A permissions issue existed in the handling of the location variable. This was addressed through additional ownership checks.
CVE-2016-4591 : ma.la of LINE Corporation

WebKit JavaScript Bindings
Available for: OS X El Capitan v10.11.6
Impact: Visiting a maliciously crafted website may lead to script execution in the context of a non-HTTP service
Description: A cross-protocol cross-site scripting (XPXSS) issue existed in Safari when submitting forms to non-HTTP services compatible with HTTP/0.9. This issue was addressed by disabling scripts and plugins on resources loaded over HTTP/0.9.
CVE-2016-4651 : Obscure

WebKit Page Loading
Available for: OS X El Capitan v10.11.6
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-4584 : Chris Vienneau

WebKit Page Loading
Available for: OS X El Capitan v10.11.6
Impact: A malicious website may exfiltrate data cross-origin
Description: A cross-site scripting issue existed in Safari URL redirection. This issue was addressed through improved URL validation on redirection.
CVE-2016-4585 : Takeshi Terada of Mitsui Bussan Secure Directions, Inc. (www.mbsd.jp)

Safari 9.1.2 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT201222

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER            | tel   : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel      | fax   : 01-53-94-20-41            +
+ 75013 Paris             | email : cert@support.renater.fr   +
==========================================================