CESA-2005-001 - rev 2

Apple Tiger Safari PDF crash (uncharacterized)
==============================================

Programs affected: Safari, possibly others.
Severity: Unassessed.
Discovered date: Apr 30th 2005
Vendor notified date: Apr 30th 2005
Fixed: APPLE-SA-2005-06-08
(http://lists.apple.com/archives/security-announce/2005/Jun/msg00000.html)

Whilst playing with the new Tiger release, it was noted that a bad PDF from
one of my previous advisories (CESA-2004-007) crashes Safari.

Demo PDF: http://scary.beasts.org/misc/bad5.pdf

Alternate attack vectors
========================

The attack vector we were actually considering was the PDF indexing of
Tiger's new Spotlight functionality. It has not been tested whether this
suffers from the same vulnerability.

Another interesting test we have not performed is whether a crash occurs
when Spotlight is set to index e-mail and the user receives a malicious PDF
attachment.

CESA-2005-001 - rev 2
Chris Evans
scarybeasts@gmail.com