Microsoft Vulnerability Research Advisory MSVR11-002

HTML5 Implementation in Chrome, Opera, and Safari Could Allow Information Disclosure

Published: April 19, 2011 | Updated: May 17, 2011

Version: 2.0

Overview

Executive Summary

Microsoft is providing notification of the discovery and remediation of a vulnerability affecting Google Chrome browser versions 8.0.552.210 and earlier; Opera browser versions 10.62 and earlier; and Safari browser versions 4.1.2 and earlier, Safari browser versions 5.0.2 and earlier, and Safari browser on iOS 4.1 and earlier. Microsoft discovered and disclosed the vulnerability under coordinated vulnerability disclosure to the respective affected vendors, Google Inc., Opera Software ASA, and Apple Inc. Google Inc., Opera Software ASA, and Apple Inc. have remediated the vulnerability in their respective software.

An information disclosure vulnerability exists in the implementation of HTML5 in these Web browsers. Specifically, as the World Wide Web Consortium (W3C) describes in the HTML5 specification for security with canvas elements, information leakage can occur if scripts from one origin can access information from another origin. For more information, see HTML5: A vocabulary and associated APIs for HTML and XHTML, "Security with canvas elements." An attacker who successfully exploited this vulnerability could obtain private information. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but the attacker could use the information gained to try to further compromise the affected system.

Microsoft Vulnerability Research reported this issue to and coordinated with Google Inc., Opera Software ASA, and Apple Inc. to ensure remediation of this issue. The vulnerability in Google Chrome has been assigned the entry, CVE-2010-4483, in the Common Vulnerabilities and Exposures list. For more information, including information about updates from Google, see Google Chrome Releases: Stable, Beta Channel Updates (December 2, 2010). The vulnerability in Opera has been assigned the entry, CVE-2010-4046, in the Common Vulnerabilities and Exposures list. For more information, including information about updates from Opera Software ASA, see Advisory: Private video streams can be intercepted. The vulnerability in Safari has been assigned the entry, CVE-2010-3259, in the Common Vulnerabilities and Exposures list. For more information, including information about updates from Apple, see Apple Security Updates.

Mitigating Factors

  • In order to exploit this vulnerability, an attacker must possess the IP address of the network resource that contains the private information.
  • In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

Advisory Details

Purpose and Recommendation

Purpose of Advisory: To notify users of a vulnerability and its remediation.

Advisory Status: Advisory published.

Recommendation: Review the Suggested Actions section and configure as appropriate.

Issue References

For more information about this issue, see the following references:

  • Common Vulnerabilities and Exposures: CVE-2010-4483 (Google Chrome)
  • Common Vulnerabilities and Exposures: CVE-2010-4046 (Opera)
  • Common Vulnerabilities and Exposures: CVE-2010-3259 (Safari)

Affected and Non-Affected Software

This advisory discusses the following software.

Affected Software

  • Google Chrome version 8.0.552.210 and earlier
  • Opera version 10.62 and earlier
  • Safari version 4.1.2 and earlier
  • Safari version 5.0.2 and earlier
  • Safari on iOS version 4.1 and earlier

Non-Affected Software

  • Google Chrome version 8.0.552.215
  • Opera version 10.63
  • Safari version 4.1.3
  • Safari version 5.0.3

Frequently Asked Questions

What is the scope of this advisory?
This advisory is part of a coordinated release with affected vendors to inform customers of a security issue that may affect their systems.

Is this a security vulnerability that requires Microsoft to issue a security update?
No. This vulnerability has been fixed via an update from the affected third-party vendors. The update remediates the software listed in the table, Affected Software.

What is the scope of the vulnerability?
This is an information disclosure vulnerability. An attacker who successfully exploited this vulnerability would be able to obtain private information.

What causes the vulnerability?
When browsing certain Web sites, Google Chrome, Opera, and Safari may not validate the origin of specific canvas elements. An attacker in possession of the IP address of a network resource could exploit the vulnerability to obtain private information stored on the network resource.
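
The origin validation referred to here is the origin-clean flag described in the HTML5 "Security with canvas elements" section. The following is an added example, not code from this advisory or from any affected vendor: a small JavaScript model of that rule, runnable under Node.js, showing when a canvas read must be refused. ModelCanvas, canRead, demo, and all URLs are hypothetical names and constructed values, and CORS-approved images are left out of the model.

```javascript
// Model of the HTML5 canvas origin-clean rule. All names are hypothetical.
class SecurityError extends Error {
  constructor(msg) { super(msg); this.name = "SecurityError"; }
}

// An origin is scheme + host + port; URL normalizes default ports.
const originOf = (url) => new URL(url).origin;

class ModelCanvas {
  constructor(documentUrl) {
    this.documentOrigin = originOf(documentUrl);
    this.originClean = true; // every canvas starts clean
    this.pixels = [];        // stand-in for the bitmap
  }

  // source is { url } for an image or video element, or another ModelCanvas.
  drawImage(source) {
    if (source instanceof ModelCanvas) {
      // Copying from a tainted canvas taints the destination as well.
      if (!source.originClean) this.originClean = false;
      this.pixels.push(...source.pixels);
      return;
    }
    // Drawing a resource from another origin clears the flag.
    // The model never sets the flag back to true.
    if (originOf(source.url) !== this.documentOrigin) this.originClean = false;
    this.pixels.push(`pixels of ${source.url}`);
  }

  // Origin validation step: every pixel read-back goes through this check.
  assertReadable() {
    if (!this.originClean) throw new SecurityError("canvas is not origin-clean");
  }
  toDataURL() { this.assertReadable(); return "data:," + this.pixels.join("|"); }
  getImageData() { this.assertReadable(); return [...this.pixels]; }
}

// True when script on the page is allowed to read the canvas back.
function canRead(canvas) {
  try { canvas.toDataURL(); return true; }
  catch (e) { if (e instanceof SecurityError) return false; throw e; }
}

// Constructed scenario: a page draws same-origin and cross-origin sources.
function demo() {
  const page = "https://site.example:443/app";
  const draw = (src) => { const c = new ModelCanvas(page); c.drawImage(src); return c; };
  const tainted = draw({ url: "http://192.0.2.10/stream" }); // constructed address
  return {
    sameOrigin: canRead(draw({ url: "https://site.example/logo.png" })),
    crossOrigin: canRead(tainted),
    copyOfTainted: canRead(draw(tainted)),
    otherPort: canRead(draw({ url: "https://site.example:8443/logo.png" })),
  };
}
```

In a browser that enforces the rule, the same outcome appears as a SecurityError thrown by toDataURL or getImageData after a cross-origin draw.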

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could obtain private information on a network resource. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but the attacker could use the information gained to try to further compromise the affected system.

How could an attacker exploit the vulnerability?
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability and then convince a user to visit the Web site. This could also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

Suggested Actions

Apply the vendor-supplied updates or upgrade to a version that is not affected by this vulnerability.

For more information, including information about updates from Google Inc., see Google Chrome Releases: Stable, Beta Channel Updates (December 2, 2010).

For more information, including information about updates from Opera Software ASA, see Advisory: Private video streams can be intercepted.

For more information, including information about updates from Apple, see Apple Security Updates.

Other Information

Acknowledgments

Microsoft thanks the following:

  • Nirankush Panchbhai and James Qiu of Microsoft for discovering this issue and the teams at Google Inc., Opera Software ASA, and Apple Inc. for working toward a resolution

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (April 19, 2011): Advisory published.
  • V2.0 (May 17, 2011): Added information about the vulnerability in Safari and its remediation.
