Apple Safari Button Rendering Code Execution (Aug 25, 2010)

Safari is a graphical web browser developed by Apple and included as part of the Mac OS X operating system. The browser is capable of processing HTML, images, scripting languages, and various other popular Internet specifications such as XHTML. Its rendering engine, called WebKit, also powers the standard browsers of several mobile phone platforms, including iPhone OS, Google Android, Nokia S60 and Palm WebOS. WebKit has a development toolkit which allows third-party developers to build applications that use Internet technologies such as HTML, HTTP, and others. WebKit provides WebCore, an HTML parser, and JavaScriptCore, which is a JavaScript engine. WebKit also supports styling using CSS.

Cascading Style Sheets (CSS) is a style sheet language used to describe the presentation semantics (the look and formatting) of a document written in a markup language. Its most common application is to style web pages written in HTML and XHTML, but the language can also be applied to any kind of XML document, including SVG and XUL. CSS can define color, font, text alignment, size, borders, spacing, layout and many other typographic characteristics, and it can do so independently for on-screen and printed views. One of these characteristics is the first-letter pseudo-element, which affects the first character of a paragraph. The following example uses the first-letter pseudo-element to style the first letter of the paragraph in the body:

```html
<html>
<head>
<style type="text/css">
p:first-letter { color:#ff0000; font-size:xx-large; display:none; }
</style>
</head>
<body>
<p>The first letter of this text is red!</p>
</body>
</html>
```

A design error exists in Safari's WebKit engine. The vulnerability is due to an implementation error when rendering elements whose first-letter pseudo-element has a specific CSS display property set. Remote attackers could exploit this vulnerability by persuading a target user to visit a maliciously crafted web page. Successful exploitation would result in code execution with the privileges of the logged-in user. In the case of an unsuccessful attack, the associated browser tab terminates abnormally and the browser then recovers it.

The SonicWALL UTM team has researched this vulnerability and created the following IPS signatures for the public exploits:

  • 5563 Apple Safari Button Rendering Code Execution PoC 1
  • 5564 Apple Safari Button Rendering Code Execution PoC 2

The CVE identifier for this vulnerability is CVE-2010-1392.
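The condition the advisory names, a first-letter pseudo-element rule that sets a display property, is easy to pick out of a page's inline stylesheets. The following heuristic scanner is an added example written for this page; it is not SonicWALL's signature logic and is not code from the advisory or from WebKit. It extracts `<style>` blocks, parses them into (selector, declarations) pairs with simple regular expressions, and reports every rule whose selector targets `:first-letter` or `::first-letter` and whose declarations include `display`. The three sample documents are constructed here for illustration; the first mirrors the advisory's own example. External stylesheets and scripts that inject rules at runtime are out of scope for this check, which is why it is a triage aid rather than a replacement for an IPS signature.

```python
import re

# Constructed sample documents (not from the advisory). The first mirrors the
# page's first-letter example; the others exercise benign and nested cases.
SAMPLE_PAGES = {
    "advisory_like": """<html><head><style type="text/css">
p:first-letter { color:#ff0000; font-size:xx-large; display:none; }
</style></head><body><p>The first letter of this text is red!</p></body></html>""",
    "benign": """<html><head><style>
/* drop cap only: no display property on the pseudo-element */
p::first-letter { color: red; font-size: 2em; }
div.card { display: none; }
</style></head><body><p>Nothing unusual here.</p></body></html>""",
    "nested_media": """<html><head><style>
@media print { h1::first-letter, p::first-line { display: inline-block; } }
</style></head><body><h1>Heading</h1></body></html>""",
}

STYLE_RE = re.compile(r"<style[^>]*>(.*?)</style>", re.IGNORECASE | re.DOTALL)
# One CSS rule: a selector list followed by a brace-delimited declaration block.
# Because the selector part may not contain braces, the scan skips past an
# enclosing @media { ... } wrapper and still matches the inner rules.
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.DOTALL)
FIRST_LETTER_RE = re.compile(r"::?first-letter\b", re.IGNORECASE)


def extract_css(html):
    """Concatenate the contents of every inline <style> element."""
    return "\n".join(m.group(1) for m in STYLE_RE.finditer(html))


def parse_rules(css):
    """Return a list of (selector, {property: value}) pairs, comments stripped."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.DOTALL)
    rules = []
    for m in RULE_RE.finditer(css):
        selector = " ".join(m.group(1).split())  # normalise whitespace
        decls = {}
        for decl in m.group(2).split(";"):
            if ":" in decl:
                name, _, value = decl.partition(":")
                decls[name.strip().lower()] = value.strip().lower()
        rules.append((selector, decls))
    return rules


def first_letter_display_rules(html):
    """Flag first-letter rules that set 'display', the condition the advisory names."""
    hits = []
    for selector, decls in parse_rules(extract_css(html)):
        if FIRST_LETTER_RE.search(selector) and "display" in decls:
            hits.append((selector, decls["display"]))
    return hits


if __name__ == "__main__":
    for name, page in SAMPLE_PAGES.items():
        print(name, "->", first_letter_display_rules(page))
```

Run as a script it prints one line per sample; the advisory-like page yields `[('p:first-letter', 'none')]`, the benign page yields nothing because its `display` declaration sits on an ordinary selector, and the `@media`-wrapped rule is still caught. A reviewer would treat any hit as a reason to look closer, not as proof of an exploit attempt, since legitimate drop-cap styling can set `display` too.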
