PT-2009-5199 · Apple · Webcore+2

Jan Lieskovsky · Published 2009-11-13 · Updated 2017-08-17 · CVE-2009-2841

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions
Apple Safari versions prior to 4.0.4

Description
The issue concerns the HTMLMediaElement::loadResource function in WebCore in WebKit, which does not perform the expected callbacks for HTML 5 media elements with external URLs for media resources. This allows remote attackers to trigger sub-resource requests to arbitrary web sites via a crafted HTML document. An example of exploitation is through an HTML e-mail message that uses a media element for X-Confirm-Reading-To functionality.

Recommendations
For Apple Safari versions prior to 4.0.4, update to version 4.0.4 or later to resolve the issue.

Fix


Related identifiers

CVE-2009-2841

Affected products

Safari
Webcore
Webkit