Executive Summary

Title Apple Safari fails to properly handle a file name
Name VU#529441 First vendor Publication 2008-04-18
Vendor VU-CERT Last vendor Modification 2008-04-18
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score 6.8 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#529441

Apple Safari fails to properly handle a file name


A vulnerabilty in Apple Safari handles specially crafted file name may allow execution of arbitrary code or denial of service.

I. Description

According to Apple Safari 3.1.1:

    A memory corruption issue exists in Safari's file downloading. By enticing a user to download a file with a maliciously crafted name, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of file downloads.

Note that this issue only affects Safari on Windows XP or Vista.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code.

III. Solution

Apply Apple Updates
Apple has released an update to address this vulnerability. Refer to Apple Safari 3.1.1.

Disable Open “safe” files after downloading option

For instructions on how to disable the Open “safe” files after downloading option in Safari, please refer to the Safari section of the Securing Your Web Browser document.

Do not access files from untrusted sources

Do not download files from unknown or untrusted sources. Do not open unfamiliar or unexpected links, particularly those delivered in email messages. Please see Cyber Security Tip ST04-014.

Systems Affected

VendorStatusDate Updated
Apple Computer, Inc.Vulnerable18-Apr-2008




This issue is addressed by Apple Safari 3.1.1.

This document was written by Chris Taschner.

Other Information

Date Public04/16/2008
Date First Published04/18/2008 01:30:26 PM
Date Last Updated04/18/2008
CERT Advisory 
CVE NameCVE-2008-1024
US-CERT Technical Alerts 
Document Revision12

Original Source

Url : http://www.kb.cert.org/vuls/id/529441

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-399 Resource Management Errors

CPE : Common Platform Enumeration

Application 2

Open Source Vulnerability Database (OSVDB)

Id Description
43634 Apple Safari ZIP Archive Name Handling Memory Corruption

Nessus® Vulnerability Scanner

Date Description
2008-04-18 Name : The remote host contains a web browser that is affected by several issues.
File : safari_3_1_1.nasl - Type : ACT_GATHER_INFO