JVN#42676559
Safari vulnerable to local file content disclosure
Overview
Safari contains a vulnerability where a local file may be accessed from remote, which may result in a local file content disclosure.
Products Affected
- Safari prior to 6.0.1
Description
Safari contains a vulnerability where a local file may be accessed from remote, which may result in a local file content disclosure.
Impact
By opening a specially crafted HTML document as a local file, an arbitrary local file may be obtained from remote even though access from other users is restricted.
Solution
Update the software
Update to the latest version according to the information provided by the developer.
For Windows:
As of October 23, 2012, Safari for Windows which addresses to this issue is not available. Please stop use of Safari for Windows.
Vendor Status
| Vendor | Link |
| Apple | About the security content of Safari 6.0.1 |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2012.10.23
| Measures | Conditions | Severity |
|---|---|---|
| Access Required | can be attacked over the Internet using packets |
|
| Authentication | anonymous or no authentication (IP addresses do not count) |
|
| User Interaction Required | the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file |
|
| Exploit Complexity | some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls) |
|
Credit
Masahiro YAMADA reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2012-3713 |
| JVN iPedia |
JVNDB-2012-000088 |