CVE-2016-1785
Description
The Page Loading implementation in WebKit in Apple iOS before 9.3 and Safari before 9.1 mishandles character encoding during access to cached data, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: product-security@apple.com — https://support.apple.com/HT206171
Vendor advisory: product-security@apple.com — https://support.apple.com/HT206166
Vendor advisory: product-security@apple.com — http://lists.apple.com/archives/security-announce/2016/Mar/msg00005.html
Vendor advisory: product-security@apple.com — http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| macos | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apple | safari | {"endIncluding":"9.0.3"} | |
References
- http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
- http://lists.apple.com/archives/security-announce/2016/Mar/msg00005.html
- http://www.securityfocus.com/archive/1/537948/100/0/threaded
- http://www.securitytracker.com/id/1035353
- https://support.apple.com/HT206166
- https://support.apple.com/HT206171
- http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
- http://lists.apple.com/archives/security-announce/2016/Mar/msg00005.html
- http://www.securityfocus.com/archive/1/537948/100/0/threaded
- http://www.securitytracker.com/id/1035353
- https://support.apple.com/HT206166
- https://support.apple.com/HT206171
CWEs
CWE-200
Verify integrity in audit chain (admin only). AS-IS.