Packet Storm made public today a proof-of-concept exploiting a known and patched heap buffer overflow vulnerability in Apple’s Safari browser.
Packet Storm acquired the details of the exploit, which affects Safari version 6.0.1 and possibly earlier versions as well for iOS 6 and OS X 10.7 and 10.8 (Lion and Mountain Lion respectively), from independent security researcher Vitaliy Toropov through their bug bounty program.
Apple patched the buffer overflow vulnerability that this proof-of-concept exploits back in November 2012, so the only Apple users potentially affected by an attack deploying this exploit would be those that have not updated from OS X 10.7 and 10.8 and iOS 6.0.1.
Of course, exploits of known and even patched vulnerabilities are used by cybercriminals and malware and exploit kit creators far more than zero-days. Such attacks are effective because computer users are notoriously stubborn about installing software updates. It’s hard to say just how many Safari users are vulnerable to this attack, but, according to technology research firm Net Market Share, more than one percent of all users on the Internet are browsing with Safari 5.1 and are therefore potentially vulnerable. Beyond that, Net Market Share’s figures indicate that nearly 3.5 percent of Web users surf with Safari 6.0 or better. Any of those that failed top update from 6.01 would remain vulnerable.