Credit:
The information has been provided by wushi&ling of team509.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=803
Vulnerable Systems:
* Apple WebKit-r42162
* Google Chrome version 1.0.154.53
* Apple Safari version 3.2.1 (5525.27.1)
The vulnerability is a use-after-free in WebKit's HTML parsing and DOM code. It is triggered when JavaScript sets a certain property of an HTML element in the page: setting the property frees the element's child nodes, but the parser keeps references to them. When it later encounters an error in the remaining HTML, it walks those stale references and treats the freed memory as live C++ objects. An attacker who has reclaimed that memory with controlled data therefore controls the vtable pointer, and with it the function pointers the parser calls.
Successful exploitation results in the execution of arbitrary code with the privileges of the user viewing the web page. The targeted user must load a web page created by the attacker, typically delivered through social engineering or by injecting content into a compromised, trusted site. Once the page is loaded, no further user interaction is needed.
WebKit is used by multiple applications, including Google Chrome and Apple Safari (including Safari on the iPhone). The affected versions are those listed above under Vulnerable Systems.
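The following C program models the sequence of events described above. It is an added example, not code from the iDefense advisory or from WebKit: the element tree, the property setter, the parser error path and the arena allocator are hypothetical stand-ins, and the actual WebKit property and parser code path are not identified in the advisory. The vulnerable setter frees the children but leaves the parent's child pointers in place; the fixed setter detaches them first. A fixed-size arena replaces the browser heap so that reuse of the freed memory is deterministic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the bug class in the advisory: DOM-like nodes that
 * begin with a vtable pointer, a property setter that frees the node's
 * children, and a parser error path that still walks the old child list.
 * The arena below stands in for the browser heap so reuse is deterministic. */

#define SLOT_SIZE        64
#define NSLOTS           16
#define MAX_CHILDREN     4
#define ATTACKER_REACHED 0xbad   /* stands in for "attacker code ran" */

typedef struct Node Node;
typedef void (*handler_fn)(Node *);
struct VTable { handler_fn on_parse_error; };

struct Node {
    const struct VTable *vt;      /* first word, as in a C++ object with virtual methods */
    int   id;
    int   nchildren;
    Node *children[MAX_CHILDREN];
};

/* Arena: LIFO free list of equal-size slots, like a size-class freelist. */
typedef union { unsigned char bytes[SLOT_SIZE]; void *align; } Slot;
static Slot slots[NSLOTS];
static int  free_stack[NSLOTS], free_top = -1, next_fresh = 0;
_Static_assert(sizeof(Node) <= SLOT_SIZE, "Node must fit in one slot");

static void *arena_alloc(void) {
    if (free_top >= 0) return &slots[free_stack[free_top--]];   /* most recently freed first */
    if (next_fresh < NSLOTS) return &slots[next_fresh++];
    return NULL;
}
static void arena_free(void *p) { free_stack[++free_top] = (int)((Slot *)p - slots); }
static void arena_reset(void)   { free_top = -1; next_fresh = 0; }

static int last_dispatched;
static void benign_handler(Node *n)   { last_dispatched = n->id; }
static void attacker_handler(Node *n) { (void)n; last_dispatched = ATTACKER_REACHED; }
static const struct VTable benign_vt = { benign_handler };
static struct VTable attacker_vt     = { attacker_handler };   /* fake vtable in sprayed memory */

static Node *new_node(int id) {
    Node *n = arena_alloc();
    if (!n) return NULL;
    memset(n, 0, sizeof *n);
    n->vt = &benign_vt;
    n->id = id;
    return n;
}
static void add_child(Node *p, Node *c) {
    if (c && p->nchildren < MAX_CHILDREN) p->children[p->nchildren++] = c;
}

/* Vulnerable setter: frees the children but leaves p->children[] pointing at them. */
static void set_property_vulnerable(Node *p) {
    for (int i = 0; i < p->nchildren; i++) arena_free(p->children[i]);
}

/* Fixed setter: detach every child before freeing it, so no stale reference survives. */
static void set_property_fixed(Node *p) {
    int n = p->nchildren;
    p->nchildren = 0;
    for (int i = 0; i < n; i++) { Node *c = p->children[i]; p->children[i] = NULL; arena_free(c); }
}

/* Attacker reclaims every free slot and writes a fake vtable pointer into the
 * first word of each, i.e. exactly where a Node keeps its real vtable pointer. */
static void attacker_spray(void) {
    while (free_top >= 0) { void **p = arena_alloc(); p[0] = &attacker_vt; }
}

/* Parser error-recovery path: dispatches through each remaining child's vtable. */
static void handle_parse_error(Node *p) {
    for (int i = 0; i < p->nchildren; i++)
        if (p->children[i]) p->children[i]->vt->on_parse_error(p->children[i]);
}

/* Runs the whole sequence and returns what the error path ended up calling:
 * ATTACKER_REACHED with the vulnerable setter, 0 with the fixed one. */
int run_scenario(int fixed) {
    arena_reset();
    last_dispatched = 0;
    Node *root = new_node(1);
    add_child(root, new_node(2));
    add_child(root, new_node(3));
    if (fixed) set_property_fixed(root); else set_property_vulnerable(root);
    attacker_spray();          /* page keeps allocating attacker-controlled data */
    handle_parse_error(root);  /* malformed HTML later in the page triggers this */
    return last_dispatched;
}

int main(void) {
    printf("vulnerable setter: error path dispatched to %#x\n", run_scenario(0));
    printf("fixed setter:      error path dispatched to %#x\n", run_scenario(1));
    return 0;
}
```

The model keeps the freed slots backed by real memory, so the dangling call is observable without undefined behaviour; on a real heap the same reclaim-then-dispatch sequence is what turns the stale child pointers into a controlled indirect call. Note that the fix is not just zeroing the pointers after the free but clearing the count and the pointers before the memory is released, so that nothing that runs in between can observe a half-torn-down tree.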
Patch Availability:
Apple Inc. has released a patch which addresses this issue. For more information, consult their advisory at the following URL:
http://support.apple.com/kb/HT3613
Workaround:
Disabling JavaScript will prevent exploitation of this vulnerability.
CVE Information:
CVE-2009-1690
Disclosure Timeline:
04/13/2009 - Initial Contact
04/14/2009 - Initial response
04/22/2009 - PoC Requested
04/23/2009 - PoC Sent
05/18/2009 - Apple inquiry about Safari 4
05/21/2009 - Responded to Apple inquiry
06/08/2009 - Coordinated public disclosure