search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Apple Safari code execution vulnerability

Vulnerability Note VU#905292

Original Release Date: 2007-12-18 | Last Revised: 2008-01-07


The Apple Safari web browser contains a vulnerability that may allow an attacker to execute arbitrary code.


Per Apple Security Update 2007-009:

A memory corruption issue exists in Safari's handling of feed: URLs. By enticing a user to access a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of feed: URLs and providing an error message in case of an invalid URL. This issue does not affect systems running Mac OS X 10.5 or later.


A remote unauthenticated attacker who can persuade a user to click on a malicious hyperlink may be able to execute arbitrary code. Note that per Apple Security Update 2007-009 this vulnerability only affects versions of Safari shipped with Mac OS X 10.4 and earlier.



Apple has released an update to address this issue. See Apple Security Update 2007-009 for more information on obtaining updates.

Vendor Information


Apple Computer, Inc. Affected

Updated:  December 18, 2007



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


See for more information.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



Information available in About Security Update 2007-009 was used in this report.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2007-5859
Severity Metric: 3.85
Date Public: 2007-12-18
Date First Published: 2007-12-18
Date Last Updated: 2008-01-07 18:45 UTC
Document Revision: 12

Sponsored by CISA.