Microsoft Vulnerability Research Advisory MSVR11-002
HTML5 Implementation in Chrome, Opera, and Safari Could Allow Information Disclosure
Published: April 19, 2011 | Updated: May 17, 2011
Microsoft is providing notification of the discovery and remediation of a vulnerability affecting Google Chrome browser versions 8.0.552.210 and earlier; Opera browser versions 10.62 and earlier; and Safari browser versions 4.1.2 and earlier, Safari browser versions 5.0.2 and earlier, and Safari browser on iOS 4.1 and earlier. Microsoft discovered and disclosed the vulnerability under coordinated vulnerability disclosure to the respective affected vendors, Google Inc., Opera Software ASA, and Apple Inc. Google Inc., Opera Software ASA, and Apple Inc. have remediated the vulnerability in their respective software.
An information disclosure vulnerability exists in the implementation of HTML5 in these Web browsers. Specifically, as the World Wide Web Consortium (W3C) describes in the HTML5 specification for security with canvas elements, information leakage can occur if scripts from one origin can access information from another origin. For more information, see HTML5: A vocabulary and associated APIs for HTML and XHTML, "Security with canvas elements." An attacker who successfully exploited this vulnerability could obtain private information. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but the attacker could use the information gained to try to further compromise the affected system.
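The rule the W3C text refers to can be modelled in a few lines. This is an added example, not code from the advisory or from any of the vendors, and it is a simplified model of the specification's origin-clean flag rather than a description of how the affected browsers deviated from it; `ModelCanvas`, `tryRead` and the sample URLs are constructed for illustration.

```javascript
// Simplified model of the HTML5 origin-clean rule for canvas elements.
// ModelCanvas, tryRead and the sample URLs are constructed for illustration.
class SecurityError extends Error {
  constructor(message) { super(message); this.name = "SecurityError"; }
}

// An origin is the (scheme, host, port) tuple; URL.origin serialises it.
function originOf(url) {
  return new URL(url).origin;
}

class ModelCanvas {
  constructor(documentUrl) {
    this.documentOrigin = originOf(documentUrl);
    this.originClean = true; // every canvas starts out origin-clean
    this.sources = [];
  }

  // Drawing an image or video frame from another origin taints the canvas.
  // The flag is never set back to true, whatever is drawn afterwards.
  drawImage(sourceUrl) {
    if (originOf(sourceUrl) !== this.documentOrigin) this.originClean = false;
    this.sources.push(sourceUrl);
  }

  // Read-back APIs must refuse to hand pixels from a tainted canvas to script.
  toDataURL() {
    this.requireOriginClean("toDataURL");
    return "data:,model-pixels-from-" + this.sources.length + "-draws";
  }

  getImageData() {
    this.requireOriginClean("getImageData");
    return { sources: this.sources.slice() };
  }

  requireOriginClean(api) {
    if (!this.originClean) {
      throw new SecurityError(api + " refused: canvas is not origin-clean");
    }
  }
}

// Returns "allowed" or the name of the error raised by the read-back attempt.
function tryRead(canvas, api = "toDataURL") {
  try { canvas[api](); return "allowed"; } catch (e) { return e.name; }
}
```

A browser that enforces the rule shows the same behaviour to page script: after a cross-origin `drawImage()`, `toDataURL()` and `getImageData()` raise a `SecurityError` instead of returning pixels.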
Microsoft Vulnerability Research reported this issue to and coordinated with Google Inc., Opera Software ASA, and Apple Inc. to ensure remediation of this issue. The vulnerability in Google Chrome has been assigned the entry, CVE-2010-4483, in the Common Vulnerabilities and Exposures list. For more information, including information about updates from Google, see Google Chrome Releases: Stable, Beta Channel Updates (December 2, 2010). The vulnerability in Opera has been assigned the entry, CVE-2010-4046, in the Common Vulnerabilities and Exposures list. For more information, including information about updates from Opera Software ASA, see Advisory: Private video streams can be intercepted. The vulnerability in Safari has been assigned the entry, CVE-2010-3259, in the Common Vulnerabilities and Exposures list. For more information, including information about updates from Apple, see Apple Security Updates.
- In order to exploit this vulnerability, an attacker must possess the IP address of the network resource that contains the private information.
- In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
Purpose of Advisory: To notify users of a vulnerability and its remediation.
Advisory Status: Advisory published.
Recommendation: Review the Suggested Actions section and configure as appropriate.
For more information about this issue, see the following references:
- Common Vulnerabilities and Exposures: CVE-2010-4483 (Google Chrome)
- Common Vulnerabilities and Exposures: CVE-2010-4046 (Opera)
- Common Vulnerabilities and Exposures: CVE-2010-3259 (Safari)
This advisory discusses the following software.
Affected Software:
- Google Chrome version 8.0.552.210 and earlier
- Opera version 10.62 and earlier
- Safari version 4.1.2 and earlier
- Safari version 5.0.2 and earlier
- Safari on iOS version 4.1 and earlier
Non-Affected Software:
- Google Chrome version 8.0.552.215
- Opera version 10.63
- Safari version 4.1.3
- Safari version 5.0.3
Microsoft thanks the following:
- Nirankush Panchbhai and James Qiu of Microsoft for discovering this issue and the teams at Google Inc., Opera Software ASA, and Apple Inc. for working toward a resolution
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (April 19, 2011): Advisory published.
- V2.0 (May 17, 2011): Added information about the vulnerability in Safari and its remediation.