Apple Safari WebKit Counter Vulnerability (Oct 7, 2010)

Safari is a graphical web browser developed by Apple and included as part of the Mac OS X operating system. Safari became Apple’s default browser beginning with Mac OS X v10.3 “Panther”, and it is also the native browser on iOS. A version of Safari for the Microsoft Windows operating system, first released on June 11, 2007, supports Windows XP, Windows Vista, and Windows 7. As of 2010, Safari is the fourth most widely used browser in the US. Safari offers numerous features such as processing HTML, images, scripting languages, and various other popular Internet specifications.

Safari’s browsing functionality is built on a rendering engine, called WebKit. WebKit has a development toolkit which allows third party developers to build applications that use Internet technologies such as HTML, HTTP, and others. WebKit provides WebCore, an HTML parser, and JavaScriptCore, which is a JavaScript engine. WebKit also supports styling using CSS.

Cascading Style Sheets (CSS) is a style sheet language used to describe the presentation semantics (the look and formatting) of a document written in a markup language. Its most common application is to style web pages written in HTML and XHTML, but the language can also be applied to any kind of XML document, including SVG and XUL. CSS can define color, font, text alignment, size, borders, spacing, layout and many other typographic characteristics. One of these characteristics is the ability to create counters to count objects. These counters can perform functions such as numbering elements inside a web document. There are several properties associated with counters: counter-reset names the counter that will be used and sets its starting value; counter-increment actually increments the counter by the specified amount or by the default, which is one. The example below numbers the elements inside a list:

    <!-- markup reconstructed: the tags were lost in extraction; a <dl> and the counter name "term" are assumed from the text -->
    <style>
      dl { counter-reset: term; }                                              /* create the counter "term" for the list */
      dt::before { counter-increment: term; content: counter(term) ". "; }    /* advance it for each term and print its value */
    </style>
    <dl>
      <dt>term</dt><dd>definition</dd>
      <dt>term</dt><dd>definition</dd>
      <dt>term</dt><dd>definition</dd>
    </dl>

In the above code, a counter named term is created for the list. Next, the numbering scheme is applied to the list: each term increments the counter and displays its current value, placing a monotonically increasing digit before each item in the list.

A memory corruption vulnerability exists in Apple Safari. The vulnerability is due to an error in the function that destroys a widget: after the widget is torn down, the associated counter object is left pointing at invalid memory. A remote attacker can exploit this vulnerability to inject and execute arbitrary code. Any code injected will be executed within the security context of the currently logged in user.
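The defect class described above, a reference that survives the teardown of the object it points into, is easier to reason about with a small model. The following C program is an added, constructed illustration and is not WebKit code: a render object registers a counter node in a shared counter list, and the defective teardown releases the node without unlinking it, leaving the list with a dangling entry, while the corrected teardown unlinks first. Nodes come from a fixed pool with a "live" flag (an assumption made so the dangling reference can be detected without reading freed heap memory); a real allocator would give undefined behaviour at that point, which is exactly what tools such as a debug allocator or AddressSanitizer report.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the bug class: a render object creates a counter node
 * that is also linked into a shared list. If destroying the object releases
 * the node without removing it from the list, the list keeps a dangling
 * pointer. Nodes live in a fixed pool with a "live" flag so the dangling
 * entry can be detected safely. Not WebKit code. */

#define POOL_SIZE 8

typedef struct CounterNode {
    int live;                    /* 1 while allocated, 0 after release */
    const char *identifier;      /* counter name such as "term" */
    int value;
    struct CounterNode *next;    /* link in the shared counter list */
} CounterNode;

typedef struct {
    CounterNode *counter;        /* node this render object created */
} RenderObject;

typedef struct {
    CounterNode *head;
} CounterList;

static CounterNode pool[POOL_SIZE];

static CounterNode *node_alloc(const char *identifier, int value) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            pool[i].identifier = identifier;
            pool[i].value = value;
            pool[i].next = NULL;
            return &pool[i];
        }
    }
    return NULL;
}

/* Release a node: mark it dead and poison its payload, as a debug allocator
 * would. The next pointer is kept only so the demonstration walk stays safe. */
static void node_release(CounterNode *node) {
    node->live = 0;
    node->identifier = NULL;
    node->value = -1;
}

static void list_push(CounterList *list, CounterNode *node) {
    node->next = list->head;
    list->head = node;
}

static void list_unlink(CounterList *list, CounterNode *node) {
    for (CounterNode **pp = &list->head; *pp; pp = &(*pp)->next) {
        if (*pp == node) {
            *pp = node->next;
            node->next = NULL;
            return;
        }
    }
}

/* Number of list entries that point at released nodes. Nonzero means the next
 * counter lookup would dereference freed memory. */
static int list_dangling_count(const CounterList *list) {
    int n = 0;
    for (const CounterNode *p = list->head; p; p = p->next)
        if (!p->live) n++;
    return n;
}

/* Defective teardown: releases the node but never removes it from the list. */
static void render_object_destroy_defective(RenderObject *obj) {
    if (obj->counter) node_release(obj->counter);
    obj->counter = NULL;
}

/* Corrected teardown: unlink from every structure that references the node
 * before releasing it. */
static void render_object_destroy_fixed(CounterList *list, RenderObject *obj) {
    if (obj->counter) {
        list_unlink(list, obj->counter);
        node_release(obj->counter);
    }
    obj->counter = NULL;
}

/* Scenario: two render objects each create a "term" counter, one object is
 * destroyed with the chosen teardown, and the dangling entries are counted. */
static int dangling_after_destroy(int use_fixed) {
    memset(pool, 0, sizeof pool);
    CounterList list = { NULL };
    RenderObject a = { node_alloc("term", 1) };
    RenderObject b = { node_alloc("term", 2) };
    list_push(&list, a.counter);
    list_push(&list, b.counter);
    if (use_fixed)
        render_object_destroy_fixed(&list, &a);
    else
        render_object_destroy_defective(&a);
    return list_dangling_count(&list);   /* 1 for the defective path, 0 for the fixed one */
}
```

The point of the corrected teardown is ordering: every structure that holds a pointer to the node is updated before the memory is released, so no consumer of the counter list can observe the node after it is gone.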

The SonicWALL UTM team has researched this vulnerability and created the following GAV signatures for the exploits.

  • Safari.RenderingCounter.AS.1
  • Safari.RenderingCounter.AS.2

The CVE identifier for this vulnerability is CVE-2010-1784.