Apple Releases Patch for Cross-Site Scripting Vulnerability

Published: 2007-06-24
Last Updated: 2007-06-24 02:51:06 UTC
by Tony Carothers (Version: 1)
0 comment(s)

On Thursday Apple releases a patch which addresses a cross-site scripting vulnerability.  These can be downloaded from Apple Update or Apple Software Downloads.

From the Apple website

 

  • WebCore

    CVE-ID: CVE-2007-2401

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later

    Impact: Visiting a malicious website may allow cross-site requests

    Description: An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could conduct cross-site scripting attacks. This update addresses the issue by performing additional validation of header parameters. Credit to Richard Moore of Westpoint Ltd. for reporting this issue.

  • WebKit

    CVE-ID: CVE-2007-2399

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later, Mac OS X Server v10.4.9 or later

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: An invalid type conversion when rendering frame sets could lead to memory corruption. Visiting a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Credit to Rhys Kidd of Westnet for reporting this issue.

Keywords:
0 comment(s)
Diary Archives