| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 12 Oct 2011 15:19:08 -0400 From: 1tuhav@...hmail.com To: full-disclosure@...ts.grok.org.uk Subject: Advisory posted on Mac OS X and Safari (File theft, code execution, etc) Hello F-D, I published details on some security holes in Apple products today, but heres the condensed version: 1. Launch local files URLs from Safari on Mac OS X by doing the following: BASE HREF=file:// and document.location=/path/to/run 2. safar-extension:// URLs have a directory traversal issue and can be used to steal files and backdoor safari extensions. this affected safari on windows as well as mac os x with any extension installed and enabled, except on windows it looks like you could access any file the user could 3. help documents on mac os x check for update when loaded. they do so over HTTP. mac app store's help was one of the ones vulnerable to this. when you MITM the update (done over HTTP, and with unsigned content), you could get a python or applescript payload to run on the victims system These were all fixed in todays updates. As with any bug there are a bunch more details if you care to know them. I posted them here in case you are interested: http://vttynotes.blogspot.com/2011/10/summary-of-vulnerability- write-ups-on.html Also sorry for the poor quality screen captures. I think I provided enough detail for anyone to reproduce the issues themselves. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists