[Japanese]

JVNDB-2014-004316

Safari issue in handling application cache

Overview

Safari contains an issue in the handling of application cache where contents that were cached when the private browsing function is turned off may be used after the private browsing function is turned on.

Yosuke HASEGAWA of NetAgent Co.,Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


Apple Inc.
  • Safari versions prior to 6.2 (OS X Mavericks v10.9.5)
  • Safari versions prior to 6.2 (OS X Mountain Lion v10.8.5)
  • Safari versions prior to 7.1 (OS X Mavericks v10.9.5)
  • Safari versions prior to 7.1 (OS X Mountain Lion v10.8.5)
  • iOS prior to 8 (iPad 2 and later)
  • iOS prior to 8 (iPhone 4s and later)
  • iOS prior to 8 (iPod touch (5th generation) and later)

Impact

After a website is visited when the private browsing function is turned off and the site is visited again after the private browsing function is turned on, the website may be able to determine that the same user visited the website.
Solution

[Update the software]
Update to the latest version according to the information provided by the developer.
Vendor Information

Apple Inc.
  • Apple Security Updates : HT6441
  • Apple Security Updates : HT6440
CWE (What is CWE?)

  1. No Mapping(CWE-DesignError) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2014-4409
References

  1. JVN : JVNVU#93868849 (in Japanese)
  2. JVN : JVN#45442753
  3. National Vulnerability Database (NVD) : CVE-2014-4409
  4. Related Information : APPLE-SA-2014-09-17-1 iOS 8
Revision History

  • [2014/09/25]
      Web page was published