Credit:
The information has been provided by wushi.
The original article can be found at: http://www.zerodayinitiative.com/advisories/ZDI-10-029/
Vulnerable Systems:
* Apple WebKit on Mac OS X v10.4.11
* Apple WebKit on Mac OS X Server v10.4.11
* Apple WebKit on Mac OS X v10.5.8
* Apple WebKit on Mac OS X Server v10.5.8
* Apple WebKit on Mac OS X v10.6.1 or later
* Apple WebKit on Mac OS X Server v10.6.1
* Apple WebKit on Windows 7
* Apple WebKit on Windows Vista
* Apple WebKit on Windows XP
User interaction is required to exploit this vulnerability in that the target must visit a malicious page.
The specific flaw exists within WebCore's HTMLObjectElement::renderFallBackContent() method. When an HTML element is rewritten via the document's innerHTML() method, memory corruption occurs as a result of a call-after-free. This can be leveraged to execute arbitrary code in the context of the current user.
A use-after-free issue exists in the handling of HTML object element fallback content. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking.
Patch Availability:
Apple has issued an update to correct this vulnerability. More details can be found at:
http://support.apple.com/kb/HT4070
CVE Information:
CVE-2010-0047
Disclosure Timeline:
2009-10-21 - Vulnerability reported to vendor
2010-03-15 - Coordinated public release of advisory