Vulnerability Name:

CVE-2008-2540 (CCN-42765)

Assigned:2008-05-30
Published:2008-05-30
Updated:2019-02-26
Summary:Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, and subsequently allows remote attackers to execute arbitrary code on Windows by leveraging an untrusted search path vulnerability in (a) Internet Explorer 7 on Windows XP or (b) the SearchPath function in Windows XP, Vista, and Server 2003 and 2008, aka a "Carpet Bomb" and a "Blended Threat Elevation of Privilege Vulnerability," a different issue than CVE-2008-1032.
Note: Apple considers this a vulnerability only because the Microsoft products can load application libraries from the desktop and, as of 20080619, has not covered the issue in an advisory for Mac OS X.
CVSS v3 Severity:9.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
6.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
7.6 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C)
5.6 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-264
Vulnerability Consequences:Gain Access
References:Source: MISC
Type: Third Party Advisory
http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExplorer.aspx

Source: MISC
Type: Third Party Advisory
http://blogs.zdnet.com/security/?p=1230

Source: MITRE
Type: CNA
CVE-2008-2540

Source: APPLE
Type: Mailing List, Vendor Advisory
APPLE-SA-2008-06-19

Source: CCN
Type: SA30467
Apple Safari on Windows Code Execution Vulnerability

Source: SECUNIA
Type: Third Party Advisory
30467

Source: CCN
Type: SECTRACK ID: 1020150
Apple Safari for Windows XP and Vista Lets Remote Users Download Files

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1020150

Source: CCN
Type: SECTRACK ID: 1022047
Microsoft Windows SearchPath Function May Let Remote Users Execute Arbitrary Code

Source: CONFIRM
Type: Third Party Advisory
http://support.avaya.com/elmodocs2/security/ASA-2009-133.htm

Source: CCN
Type: ASA-2009-133
MS09-014 Cumulative Security Update for Internet Explorer (963027)

Source: CCN
Type: ASA-2009-138
MS09-015 Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426)

Source: CCN
Type: NORTEL BULLETIN ID: 2009009451, Rev 1
Nortel Response to Microsoft Security Bulletin MS09-014

Source: CONFIRM
Type: Third Party Advisory
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=871138

Source: MISC
Type: Broken Link
http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html

Source: CCN
Type: Microsoft Security Advisory (953818)
Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform

Source: MISC
Type: Mitigation, Patch, Vendor Advisory
http://www.microsoft.com/technet/security/advisory/953818.mspx

Source: CCN
Type: Microsoft Security Bulletin MS09-014
Cumulative Security Update for Internet Explorer (963027)

Source: CCN
Type: Microsoft Security Bulletin MS09-015
Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426)

Source: BID
Type: Third Party Advisory, VDB Entry
29445

Source: CCN
Type: BID-29445
Apple Safari and Microsoft Windows Client-side Code Execution Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1022047

Source: CERT
Type: Third Party Advisory, US Government Resource
TA09-104A

Source: VUPEN
Type: Broken Link
ADV-2008-1706

Source: VUPEN
Type: Broken Link
ADV-2009-1028

Source: VUPEN
Type: Broken Link
ADV-2009-1029

Source: MS
Type: UNKNOWN
MS09-014

Source: MS
Type: UNKNOWN
MS09-015

Source: XF
Type: Third Party Advisory, VDB Entry
apple-safari-windows-code-execution(42765)

Source: XF
Type: UNKNOWN
apple-safari-windows-code-execution(42765)

Source: OVAL
Type: Third Party Advisory
oval:org.mitre.oval:def:5782

Source: OVAL
Type: Third Party Advisory
oval:org.mitre.oval:def:6108

Source: OVAL
Type: Third Party Advisory
oval:org.mitre.oval:def:8509

Vulnerable Configuration:Configuration 1:
  • cpe:/a:apple:safari:*:*:*:*:*:*:*:* (Version < 3.1.2)
  • AND
  • cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:7:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2003:*:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:microsoft:internet_explorer:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.4_beta:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.0.1:beta:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:3.1.1:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x32:*
  • AND
  • cpe:/o:microsoft:windows_2000:-:sp4:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:xp:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server:sp1_itanium:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:*:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp::sp2:x64:*:professional:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:sp1:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003::x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:itanium:*
  • OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows:xp:sp3:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:8509
    V
    Blended Threat Remote Code Execution Vulnerability
    2014-08-18
    BACK
    apple safari *
    microsoft windows server 2008 *
    microsoft internet explorer 7
    microsoft windows xp -
    microsoft windows vista -
    microsoft windows server 2003 *
    microsoft ie 7.0
    apple safari 3.0.3
    apple safari 3.0.4_beta
    apple safari 3.1
    apple safari 3.0.1 beta
    apple safari 3.1.1
    microsoft windows server 2008 -
    microsoft windows 2000 - sp4
    microsoft windows xp sp2
    microsoft windows 2003_server sp1
    microsoft windows 2003_server sp1_itanium
    microsoft windows vista *
    microsoft windows server_2003 sp2
    microsoft windows server_2003 sp2
    microsoft windows server_2003 sp2
    microsoft windows vista -
    microsoft windows xp sp2
    microsoft windows vista - sp1
    microsoft windows vista - sp1
    microsoft windows server_2003
    microsoft windows server 2008 -
    microsoft windows server 2008 -
    microsoft windows xp sp3