Safari URL spoofing vulnerability


Apple's Safari contains a vulnerability that allows spoofing of URLs in the address bar.

Apple's Safari is a web browser installed as default with Mac OS X.

Safari displays URLs in the address bar in a way that can be spoofed to deceive its users.
The spoofing can be carried out by using Unicode characters that resemble ASCII characters in the URL string, so that a look-alike hostname is rendered indistinguishably from the genuine one.
CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Apple Inc.
  • Safari for Mac OS X (Mac OS X 10.3.x and Mac OS X 10.4.x)
  • Safari 3.0.2 and earlier (Mac OS X, Windows XP / Vista)
  • iPhone v1.0


Impact

Because Safari users cannot easily tell whether the displayed URL is spoofed, an attacker could use this to conduct phishing attacks.

Solution

[Update the software]

Apply the latest updates provided by the vendor.
For more information, refer to the vendor's website.
Vendor Information

Apple Inc.
CWE

  1. Resource Management Errors (CWE-399) [NVD Evaluation]
  2. Link Following (CWE-59) [NVD Evaluation]
CVE

  1. CVE-2007-3742

References

  1. JVN : JVN#16018033
  2. National Vulnerability Database (NVD) : CVE-2007-3742
  3. SecurityFocus : 24636
  4. ISS X-Force Database : 35716
  5. FrSIRT Advisories : FrSIRT/ADV-2007-2730
Revision History

  • [2008/05/21]
      Web page published