Packet Storm made public today a proof-of-concept exploiting a known and patched heap buffer overflow vulnerability in Apple’s Safari browser.
Packet Storm acquired the exploit details from independent security researcher Vitaliy Toropov through its bug bounty program. The exploit affects Safari version 6.0.1, and possibly earlier versions, on iOS 6 and on OS X 10.7 and 10.8 (Lion and Mountain Lion respectively).
The vulnerability lies in WebKit’s JavaScriptCore “JSArray::sort(…)” method. According to the Packet Storm posting, this method accepts user-defined JavaScript comparison functions and calls them from native code to compare array items. If one of those comparison functions reduces the array’s length, the array items written back after it can land outside the “m_storage->m_vector[]” buffer, corrupting heap memory.
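To make the root cause concrete, here is an added toy model of that bug class, written for this article and not taken from Toropov’s proof-of-concept or from WebKit: a sort routine that hands control to a script-supplied comparator and then writes the sorted items back into a fixed-capacity backing vector using a length captured before the comparator ran. The class and function names (BackingVector, naiveSort, hardenedSort, makeShrinkingComparator) and the sample values are invented for the illustration; out-of-bounds writes are recorded rather than allowed to corrupt anything, and the hardened variant shows the defensive invariant a native implementation has to maintain: re-read the container’s current size after any callback and never write past the current buffer.

```javascript
// Simulated native storage: a fixed-capacity buffer plus a logical length.
// A real heap buffer would silently accept writes past its end; here they
// are recorded so the effect is observable.
class BackingVector {
  constructor(items) {
    this.capacity = items.length;
    this.buf = items.slice();
    this.length = items.length;
    this.oobWrites = [];          // indices written past capacity
  }
  get(i) { return this.buf[i]; }
  set(i, v) {
    if (i >= this.capacity) {     // this is where heap corruption would occur
      this.oobWrites.push(i);
      return;
    }
    this.buf[i] = v;
  }
  // Model of a script-visible "arr.length = n" that shrinks the backing store.
  shrinkTo(n) {
    this.buf = this.buf.slice(0, n);
    this.capacity = n;
    this.length = n;
  }
}

// Naive model: snapshot the items, sort them (running the comparator), then
// write every sorted item back using the length captured *before* the
// comparator had a chance to shrink the array.
function naiveSort(vec, compare) {
  const n = vec.length;                      // captured once, becomes stale
  const items = [];
  for (let i = 0; i < n; i++) items.push(vec.get(i));
  items.sort(compare);                       // comparator may call vec.shrinkTo()
  for (let i = 0; i < n; i++) vec.set(i, items[i]);
  return vec;
}

// Hardened model: after the comparator phase, re-read the current capacity
// and only write back what still fits; surplus items are dropped instead of
// being written past the buffer.
function hardenedSort(vec, compare) {
  const items = [];
  for (let i = 0; i < vec.length; i++) items.push(vec.get(i));
  items.sort(compare);
  const limit = Math.min(items.length, vec.capacity);  // current, not stale
  for (let i = 0; i < limit; i++) vec.set(i, items[i]);
  vec.length = limit;
  return vec;
}

// Constructed scenario: a comparator that shrinks the array the first time
// it is invoked, i.e. the reentrancy the article describes.
function makeShrinkingComparator(vec) {
  let first = true;
  return (a, b) => {
    if (first) { first = false; vec.shrinkTo(2); }
    return a - b;
  };
}

// Returns the indices the naive sort wrote past the shrunken buffer.
function runNaive() {
  const vec = new BackingVector([5, 3, 9, 1, 7]);
  naiveSort(vec, makeShrinkingComparator(vec));
  return vec.oobWrites;            // [2, 3, 4]
}

// Returns what the hardened sort left behind: no out-of-bounds writes.
function runHardened() {
  const vec = new BackingVector([5, 3, 9, 1, 7]);
  hardenedSort(vec, makeShrinkingComparator(vec));
  return { oobWrites: vec.oobWrites, length: vec.length, contents: vec.buf };
}

console.log("naive OOB writes:", runNaive());
console.log("hardened result:", runHardened());
```

The point of the two variants is the same one a code reviewer would raise on any native container routine that invokes script callbacks: every cached size, pointer or capacity is invalid once the callback returns, so the write-back phase must re-validate against the container’s current state.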
“The exploit for this vulnerability is JavaScript code which shows how to use it for memory corruption of internal JS objects (Uint32Array, etc.) and subsequent arbitrary code execution (custom ARM/x64 payloads can be pasted into the JS code),” Toropov explained in his proof-of-concept write-up.
Apple patched the buffer overflow vulnerability that this proof-of-concept exploits back in November 2012, so the only Apple users potentially affected by an attack deploying this exploit would be those who have not updated from OS X 10.7 and 10.8 and iOS 6.0.1.
Of course, cybercriminals, malware authors and exploit kit creators use exploits for known and even patched vulnerabilities far more than zero-days. Such attacks are effective because computer users are notoriously stubborn about installing software updates. It’s hard to say just how many Safari users are vulnerable to this attack, but, according to technology research firm Net Market Share, more than one percent of all users on the Internet are browsing with Safari 5.1 and are therefore potentially vulnerable. Beyond that, Net Market Share’s figures indicate that nearly 3.5 percent of Web users surf with Safari 6.0 or better. Any of those who failed to update from 6.0.1 would remain vulnerable.