SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#848960

Apple Mac OS X WebKit deallocated object access vulnerability

Overview

Apple Safari WebKit fails to properly deallocate objects. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code.

I. Description

According to Apple:

    WebKit is the open source core of Apple's Safari web browser. It is available as a framework in Mac OS X for use in your applications.

More information about WebKit is available at the WebKit Project web site.

The Apple Safari WebKit component fails to properly dispose of deallocated objects. If a remote attacker persuades a user to access a specially crafted web page with Safari, that attacker may be able to cause that user to access a deallocated object leading to memory corruption.

Note that this vulnerability may affect any software that uses WebKit.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code.

III. Solution

Apply Apple Updates

Apple advises all users to apply Apple Security Update 2006-007, as it fixes this and other critical security flaws.

Systems Affected

VendorStatusDate NotifiedDate Updated
Apple Computer, Inc.Vulnerable29-Nov-2006
OmniGroup, Inc.Vulnerable15-Jan-2007

References


http://docs.info.apple.com/article.html?artnum=304829
http://secunia.com/advisories/23155/
http://security-protocols.com/sp-x38-advisory.php

Credit

This vulnerability was reported in Apple Security Update 2006-007. Apple credits Tom Ferris of Security-Protocols with providing information about this vulnerability.

This document was written by Jeff Gennari based on information from Apple and Security-Protocols.

Other Information

Date Public:2006-11-28
Date First Published:2006-11-29
Date Last Updated:2007-01-15
CERT Advisory: 
CVE-ID(s):CVE-2006-4412
NVD-ID(s):CVE-2006-4412
US-CERT Technical Alerts: 
Metric:15.80
Document Revision:14

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2006 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader