Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 5.0
CVE Id: CVE-2009-2841
Last Modified: 17 Mar 2011 10:40:45
Published: 13 Nov 2009 10:30:00
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2009-2841

Summary

The HTMLMediaElement::loadResource function in html/HTMLMediaElement.cpp in WebCore in WebKit before r49480, as used in Apple Safari before 4.0.4 on Mac OS X, does not perform the expected callbacks for HTML 5 media elements that have external URLs for media resources, which allows remote attackers to trigger sub-resource requests to arbitrary web sites via a crafted HTML document, as demonstrated by an HTML e-mail message that uses a media element for X-Confirm-Reading-To functionality, aka rdar problem 7271202.

Vulnerable Systems

Application

  • Apple Safari 0.8

  • Apple Safari 0.9

  • Apple Safari 1.0

  • Apple Safari 1.0.0

  • Apple Safari 1.0.0b1

  • Apple Safari 1.0.0b2

  • Apple Safari 1.0.1

  • Apple Safari 1.0.2

  • Apple Safari 1.0.3

  • Apple Safari 1.1.0

  • Apple Safari 1.1.1

  • Apple Safari 1.2

  • Apple Safari 1.2.0

  • Apple Safari 1.2.1

  • Apple Safari 1.2.2

  • Apple Safari 1.2.3

  • Apple Safari 1.2.4

  • Apple Safari 1.2.5

  • Apple Safari 1.3

  • Apple Safari 1.3.0

  • Apple Safari 1.3.1

  • Apple Safari 1.3.2

  • Apple Safari 2

  • Apple Safari 2.0

  • Apple Safari 2.0 Pre

  • Apple Safari 2.0.0

  • Apple Safari 2.0.1

  • Apple Safari 2.0.2

  • Apple Safari 2.0.3

  • Apple Safari 2.0.3 417.9.3

  • Apple Safari 2.0.4

  • Apple Safari 2.0.4 419.3

  • Apple Safari 3

  • Apple Safari 3.0

  • Apple Safari 3.0.0

  • Apple Safari 3.0.0b

  • Apple Safari 3.0.1

  • Apple Safari 3.0.1b

  • Apple Safari 3.0.2

  • Apple Safari 3.0.2b

  • Apple Safari 3.0.3

  • Apple Safari 3.0.3b

  • Apple Safari 3.0.4

  • Apple Safari 3.0.4 Beta

  • Apple Safari 3.0.4b

  • Apple Safari 3.1

  • Apple Safari 3.1.0

  • Apple Safari 3.1.0b

  • Apple Safari 3.1.1

  • Apple Safari 3.1.2

  • Apple Safari 3.2

  • Apple Safari 3.2.0

  • Apple Safari 3.2.1

  • Apple Safari 3.2.2

  • Apple Safari 3.2.3

  • Apple Safari 4.0

  • Apple Safari 4.0.0b

  • Apple Safari 4.0.1

  • Apple Safari 4.0.2

  • Apple Safari 4.0.3


References

CONFIRM - http://support.apple.com/kb/HT3949

APPLE - APPLE-SA-2009-11-11-1

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=525791

XF - safari-5media-security-bypass(54242)

VUPEN - ADV-2011-0552

VUPEN - ADV-2011-0212

VUPEN - ADV-2010-2722

VUPEN - ADV-2010-1801

VUPEN - ADV-2009-3217

UBUNTU - USN-1006-1

SECTRACK - 1023167

BID - 36996

MANDRIVA - MDVSA-2011:039

CONFIRM - http://trac.webkit.org/changeset/49480

MISC - http://threatpost.com/en_us/blogs/apple-patches-critical-safari-vulnerabilities-111109

CONFIRM - http://support.apple.com/kb/HT4013

SECUNIA - 43068

SECUNIA - 41856

SECUNIA - 40557

SECUNIA - 37346

OSVDB - 59941

SUSE - SUSE-SR:2011:002

FEDORA - FEDORA-2010-11020

FEDORA - FEDORA-2010-11011

APPLE - APPLE-SA-2010-02-02-1

Related Patches

Apple 2009-11-11 Safari Update 4.0.4 (Snow Leopard)

Apple 2009-11-11 Safari Update 4.0.4 (Tiger)

Apple 2009-11-11 Safari Update 4.0.4 (Leopard)


Last Updated: 27 May 2016 10:51:02