Advisory: International Components for Unicode CVE-2009-0153
15 May 2009
Big ones from Apple today: http://support.apple.com/kb/HT3549
CVE-ID: CVE-2009-0153
Available for: Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6
Impact: Maliciously crafted content may bypass website filters and result in cross-site scripting
Description: An implementation issue exists in ICU’s handling of certain character encodings. Using ICU to convert invalid byte sequences to Unicode may result in over-consumption, where trailing bytes are considered part of the original character. This may be leveraged by an attacker to bypass filters on websites that attempt to mitigate cross-site scripting. This update addresses the issue through improved handling of invalid byte sequences. This issue does not affect systems prior to Mac OS X v10.5. Credit to Chris Weber of Casaba Security for reporting this issue.
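To make the over-consumption failure mode concrete, here is an added example (not Apple's, not ICU's code, and not from the original post) that models the two decoder behaviours side by side in Python. `decode_overconsuming` is a hypothetical decoder that, like the affected ICU converter, swallows the bytes following a lead byte as "trailing bytes" whether or not they are continuation bytes; `decode_correct` is Python's own strict-prefix decoder, standing in for the browser. `naive_xss_filter` and `hardened_filter` are invented filters, and the payload is constructed for the demonstration:

```python
"""Over-consumption in UTF-8 decoding as an XSS-filter bypass (model of the
bug class in CVE-2009-0153; hypothetical decoders, not ICU code)."""

REPLACEMENT = "\ufffd"

# Constructed payload: each '<' is preceded by a stray two-byte lead byte
# (0xC2) that has no continuation byte behind it.
PAYLOAD = b"\xc2<script>alert(1)\xc2</script>"


def _expected_len(lead: int) -> int:
    """Sequence length announced by a UTF-8 lead byte; 0 = not a valid lead."""
    if lead < 0x80:
        return 1
    if 0xC2 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF4:
        return 4
    return 0


def decode_overconsuming(data: bytes) -> str:
    """Model of the vulnerable behaviour: once a lead byte announces an n-byte
    sequence, the next n-1 bytes are treated as its trailing bytes without
    checking that they are continuation bytes (10xxxxxx). The whole run is
    replaced by a single U+FFFD, so a '<' hiding in it disappears."""
    out = []
    i = 0
    while i < len(data):
        lead = data[i]
        n = _expected_len(lead)
        if n == 1:
            out.append(chr(lead))
            i += 1
            continue
        if n == 0:
            out.append(REPLACEMENT)
            i += 1
            continue
        chunk = data[i:i + n]  # bug: trailing bytes taken on faith
        try:
            out.append(chunk.decode("utf-8"))
        except UnicodeDecodeError:
            out.append(REPLACEMENT)
        i += n
    return "".join(out)


def decode_correct(data: bytes) -> str:
    """Reference behaviour (Python's decoder, standing in for the browser):
    on an invalid sequence, emit U+FFFD for the longest valid prefix only and
    resume at the first byte that is not part of it, so '<' survives."""
    return data.decode("utf-8", errors="replace")


def naive_xss_filter(decoded: str) -> bool:
    """Hypothetical server-side filter: accept only text without '<'."""
    return "<" not in decoded


def filter_bypassed(raw: bytes) -> bool:
    """True when the over-consuming filter accepts bytes that a correct decoder
    still renders as markup (the raw bytes are assumed to be passed through to
    the browser unchanged)."""
    accepted = naive_xss_filter(decode_overconsuming(raw))
    renders_markup = "<" in decode_correct(raw)
    return accepted and renders_markup


def hardened_filter(raw: bytes) -> bool:
    """Hardened variant: refuse anything that is not well-formed UTF-8 before
    filtering, so no byte can mean one thing to the filter and another to the
    consumer."""
    try:
        text = raw.decode("utf-8")  # strict: any invalid sequence raises
    except UnicodeDecodeError:
        return False
    return "<" not in text


if __name__ == "__main__":
    print("filter sees   :", repr(decode_overconsuming(PAYLOAD)))
    print("browser sees  :", repr(decode_correct(PAYLOAD)))
    print("bypassed      :", filter_bypassed(PAYLOAD))
    print("hardened ok   :", hardened_filter(PAYLOAD))
```

The practitioner's takeaway is the last function: when the filter and the eventual consumer decode the same bytes differently, any filter on decoded text can be bypassed, so either reject malformed input outright or make sure the filter runs on exactly the bytes and decoder the consumer will use.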