search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Apple Safari window object invalid pointer vulnerability

Vulnerability Note VU#943165

Original Release Date: 2010-05-10 | Last Revised: 2010-07-27

Overview

Apple Safari contains a vulnerability in the handling of window objects, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Apple Safari fails to properly handle references to window objects. Safari can allow a window object to be deleted, while references to the object may still exist. If JavaScript code then attempts to use the deleted window object, this can result in the use of an invalid pointer. This pointer can be controlled by an attacker through the use of JavaScript.

Exploit code for this vulnerability is publicly available. We have confirmed Apple Safari 4.0.5 on the Windows platform to be vulnerable. Other versions may also be affected.

Impact

By convincing a victim to view an HTML document (webpage, HTML email, or email attachment) with Apple Safari, an attacker could run arbitrary code with the privileges of the user running the application.

Solution

Apply an update
This issue is addressed in Safari 5.0 and 4.1. Please see Apple document HT4196 for more details.

Disable JavaScript


This issue can be mitigated by disabling JavaScript in Apple Safari. Please see the Securing Your Web Browser document for more details.

Do not follow unsolicited links

In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Vendor Information

943165
 
Affected   Unknown   Unaffected

Apple Inc.

Updated:  July 27, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

This issue is addressed in Safari 5.0 and 4.1. Please see Apple document HT4196 for more details.

Vendor References

http://support.apple.com/kb/HT4196

Addendum

This issue can be mitigated by disabling JavaScript in Apple Safari. Please see the Securing Your Web Browser document for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was publicly disclosed by Krystian Kloskowski.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2010-1939, CVE-2010-1750
Severity Metric: 20.41
Date Public: 2010-05-07
Date First Published: 2010-05-10
Date Last Updated: 2010-07-27 11:56 UTC
Document Revision: 16

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.