Apple Safari Disable Java Preference Failure Weakness

Bugtraq ID:	25157
Class:	Design Error
CVE:	CVE-2007-2408
Remote:	Yes
Local:	No
Published:	Jul 31 2007 12:00AM
Updated:	Aug 01 2007 09:25PM
Credit:	Rhys Kidd and and Scott Wilde reported this issue to Apple.
Vulnerable:	Apple Safari 3.0.2 Beta for Windows Apple Safari 3.0.2 Beta Apple Safari 3.0.1 Beta for Windows Apple Safari 3.0.1 Beta
Not Vulnerable:	Apple Safari 3.0.3 Beta for Windows Apple Safari 3.0.3 Beta

Apple Safari Disable Java Preference Failure Weakness

Apple Safari is prone to a weakness that may result in the execution of potentially malicious Java applets. This issue results from a design error.

This weakness arises because the application fails to properly check a security setting. Potentially malicious Java applets can be loaded from a web page regardless of the setting of the 'Enable Java' preference.

Versions prior to Safari 3.0.3 Beta and Safari 3.0.3 Beta for Windows are vulnerable to this issue.

Apple Safari Disable Java Preference Failure Weakness

An exploit is not required because an attacker can carry out this attack by enticing a user to visit a malicious site.

Apple Safari Disable Java Preference Failure Weakness

Solution:
Apple has released Safari 3 Beta Update 3.0.3 to address this issue. Please see the references for more information.


Apple Safari 3.0.1 Beta for Windows

• Apple SafariQuickTimeSetup.exe
  Safari+QuickTime for Windows XP or Vista
  http://www.apple.com/safari/download/


• Apple SafariSetup.exe
  Safari 3 Beta Update 3.0.2 for Windows XP or Vista
  http://www.apple.com/safari/download/SafariSetup.exe

Apple Safari 3.0.2 Beta

• Apple Safari3Beta.dmg
  For Mac OS X
  http://www.apple.com/safari/download/

Apple Safari 3.0.2 Beta for Windows

• Apple SafariQuickTimeSetup.exe
  Safari+QuickTime for Windows XP or Vista
  http://www.apple.com/safari/download/

Apple Safari Disable Java Preference Failure Weakness

References:

• Safari Home Page (Apple)