Full Disclosure mailing list archives
Advisory posted on Mac OS X and Safari (File theft, code execution, etc)
From: 1tuhav () hushmail com
Date: Wed, 12 Oct 2011 15:19:08 -0400
Hello F-D, I published details on some security holes in Apple products today, but heres the condensed version: 1. Launch local files URLs from Safari on Mac OS X by doing the following: BASE HREF=file:// and document.location=/path/to/run 2. safar-extension:// URLs have a directory traversal issue and can be used to steal files and backdoor safari extensions. this affected safari on windows as well as mac os x with any extension installed and enabled, except on windows it looks like you could access any file the user could 3. help documents on mac os x check for update when loaded. they do so over HTTP. mac app store's help was one of the ones vulnerable to this. when you MITM the update (done over HTTP, and with unsigned content), you could get a python or applescript payload to run on the victims system These were all fixed in todays updates. As with any bug there are a bunch more details if you care to know them. I posted them here in case you are interested: http://vttynotes.blogspot.com/2011/10/summary-of-vulnerability- write-ups-on.html Also sorry for the poor quality screen captures. I think I provided enough detail for anyone to reproduce the issues themselves. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Advisory posted on Mac OS X and Safari (File theft, code execution, etc) 1tuhav (Oct 13)