Advisory posted on Mac OS X and Safari (File theft, code execution, etc)

[1tuhav () hushmail com]

Hello F-D,

I published details on some security holes in Apple products today, 
but heres the condensed version:

1. Launch local files URLs from Safari on Mac OS X by doing the 
following: 
   BASE HREF=file:// and document.location=/path/to/run
 
2. safar-extension:// URLs have a directory traversal issue and can 
be used to steal files and backdoor safari extensions.  this 
affected safari on windows as well as mac os x with any extension 
installed and enabled, except on windows it looks like you could 
access any file the user could

3.  help documents on mac os x check for update when loaded. they 
do so over HTTP. mac app store's help was one of the ones 
vulnerable to this.  when you MITM the update (done over HTTP, and 
with unsigned content), you could get a python or applescript 
payload to run on the victims system

These were all fixed in todays updates.  As with any bug there are 
a bunch more details if you care to know them.  I posted them here 
in case you are interested:

http://vttynotes.blogspot.com/2011/10/summary-of-vulnerability-
write-ups-on.html

Also sorry for the poor quality screen captures.  I think I 
provided enough detail for anyone to reproduce the issues 
themselves.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/