Advisory: International Components for Unicode – Maliciously crafted content may bypass website filters and result in cross-site scripting

Update from: http://support.apple.com/kb/HT3613

CVE-ID: CVE-2009-0153

Available for: Windows XP or Vista

Impact: Maliciously crafted content may bypass website filters and result in cross-site scripting

Description: An implementation issue exists in ICU’s handling of certain character encodings. Using ICU to convert invalid byte sequences to Unicode may result in over-consumption, where trailing bytes are considered part of the original character. This may be leveraged by an attacker to bypass filters on websites that attempt to mitigate cross-site scripting. This update addresses the issue through improved handling of invalid byte sequences. For Mac OS X v10.5 systems, this issue is addressed in Mac OS X v10.5.7. Credit to Chris Weber of Casaba Security for reporting this issue.
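To make the over-consumption failure mode concrete, the following is an added example (not code from Apple or ICU) that contrasts a naive decoder, which lets an invalid lead byte swallow whatever byte follows it, with strict handling, where only the invalid byte itself is replaced and the next byte is decoded on its own; it also shows the boundary check a defender wants, rejecting input that is not well-formed UTF-8 before any string-based filter runs. The sample bytes are constructed.

```python
# Added example: an over-consuming UTF-8 decoder versus strict handling,
# plus an input-validation check. Sample input is constructed; this is
# not ICU's or Apple's code.

REPLACEMENT = "\ufffd"


def naive_decode(data: bytes) -> str:
    """Buggy decoder: a lead byte always consumes the full length it
    announces, even when the following bytes are not continuation bytes
    (over-consumption). The byte after the bad lead byte is lost."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                      # plain ASCII
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            n = 2
        elif 0xE0 <= b <= 0xEF:
            n = 3
        elif 0xF0 <= b <= 0xF7:
            n = 4
        else:                             # not a valid lead byte
            out.append(REPLACEMENT)
            i += 1
            continue
        chunk = data[i:i + n]
        try:
            out.append(chunk.decode("utf-8"))
        except UnicodeDecodeError:
            # BUG: the whole chunk, including any ASCII that followed the
            # invalid lead byte, collapses into a single U+FFFD.
            out.append(REPLACEMENT)
        i += n                            # skips bytes never part of the character
    return "".join(out)


def strict_decode(data: bytes) -> str:
    """Correct handling: replace only the invalid byte(s), then decode the
    following byte normally. Python's codec already behaves this way."""
    return data.decode("utf-8", errors="replace")


def is_well_formed_utf8(data: bytes) -> bool:
    """Boundary check: refuse malformed input so the filter and the decoder
    always see the same sequence of characters."""
    try:
        data.decode("utf-8", errors="strict")
        return True
    except UnicodeDecodeError:
        return False


SAMPLE = b"a\xc2<b"   # constructed: lone 2-byte lead byte followed by ASCII
```

With the constructed sample, `naive_decode` drops the `<` that follows the invalid lead byte while `strict_decode` keeps it, which is exactly the disagreement between a filter and a decoder that the advisory describes.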