Microsoft Vulnerability Research: MSVR11-002
Apr 19, 2011 - 12:00 a.m.

HTML5 Implementation in Chrome, Opera, and Safari Could Allow Information Disclosure

technet.microsoft.com

EPSS: 0.007 (percentile: 79.8%)

Executive Summary

Microsoft is providing notification of the discovery and remediation of a vulnerability affecting Google Chrome browser versions 8.0.552.210 and earlier; Opera browser versions 10.62 and earlier; and Safari browser versions 4.1.2 and earlier, Safari browser versions 5.0.2 and earlier, and Safari browser on iOS 4.1 and earlier. Microsoft discovered and disclosed the vulnerability under coordinated vulnerability disclosure to the respective affected vendors, Google Inc., Opera Software ASA, and Apple Inc. Google Inc., Opera Software ASA, and Apple Inc. have remediated the vulnerability in their respective software.

An information disclosure vulnerability exists in the implementation of HTML5 in these Web browsers. Specifically, as the World Wide Web Consortium (W3C) describes in the HTML5 specification for security with canvas elements, information leakage can occur if scripts from one origin can access information from another origin. For more information, see HTML5: A vocabulary and associated APIs for HTML and XHTML, “Security with canvas elements.” An attacker who successfully exploited this vulnerability could obtain private information. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but the attacker could use the information gained to try to further compromise the affected system.
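As an added illustration (not code from the advisory or from any browser), the following JavaScript models the origin-clean flag that the HTML5 specification's "Security with canvas elements" section defines: once content from another origin is drawn, read-back must fail. `ModelCanvas`, the helper names and the URLs are hypothetical and constructed for this example, and the model also covers canvas-to-canvas drawing, which the advisory does not mention.

```javascript
// Model of the HTML5 canvas "origin-clean" flag (added example, not browser code).
// ModelCanvas, sameOrigin, tryRead and all URLs below are hypothetical/constructed.

// Two URLs are same-origin when scheme, host and port all match.
function sameOrigin(a, b) {
  const x = new URL(a), y = new URL(b);
  return x.protocol === y.protocol && x.hostname === y.hostname && x.port === y.port;
}

class ModelCanvas {
  constructor(documentUrl) {
    this.documentUrl = documentUrl; // URL of the page that owns the canvas
    this.originClean = true;        // every canvas starts out clean
    this.pixels = [];
  }

  // source is { url, pixels } (an image or video frame) or another ModelCanvas.
  drawImage(source) {
    const tainted = source instanceof ModelCanvas
      ? !source.originClean
      : !sameOrigin(source.url, this.documentUrl);
    if (tainted) this.originClean = false; // the flag never resets to true
    this.pixels = this.pixels.concat(source.pixels);
  }

  // Read-back APIs (toDataURL, getImageData) must refuse a tainted canvas.
  toDataURL() {
    if (!this.originClean) {
      const err = new Error("canvas is not origin-clean");
      err.name = "SecurityError";
      throw err;
    }
    return "data:model;" + this.pixels.join(",");
  }
}

// Returns "ok" if pixels can be read back, otherwise the error name.
function tryRead(canvas) {
  try { canvas.toDataURL(); return "ok"; } catch (e) { return e.name; }
}

// Constructed sample: a page draws its own image, then a frame from another origin.
const demoCanvas = new ModelCanvas("https://site.example.test/app");
demoCanvas.drawImage({ url: "https://site.example.test/logo.png", pixels: [1, 2] });
console.log("after same-origin draw:", tryRead(demoCanvas));
demoCanvas.drawImage({ url: "http://192.0.2.10/frame", pixels: [9] });
console.log("after cross-origin draw:", tryRead(demoCanvas));
```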

Microsoft Vulnerability Research reported this issue to and coordinated with Google Inc., Opera Software ASA, and Apple Inc. to ensure remediation of this issue. The vulnerability in Google Chrome has been assigned the entry, CVE-2010-4483, in the Common Vulnerabilities and Exposures list. For more information, including information about updates from Google, see Google Chrome Releases: Stable, Beta Channel Updates (December 2, 2010). The vulnerability in Opera has been assigned the entry, CVE-2010-4046, in the Common Vulnerabilities and Exposures list. For more information, including information about updates from Opera Software ASA, see Advisory: Private video streams can be intercepted. The vulnerability in Safari has been assigned the entry, CVE-2010-3259, in the Common Vulnerabilities and Exposures list. For more information, including information about updates from Apple, see Apple Security Updates.

Mitigating Factors

  • In order to exploit this vulnerability, an attacker must possess the IP address of the network resource that contains the private information.
  • In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.