Packet Storm made public today a proof-of-concept exploiting a known and patched heap buffer overflow vulnerability in Apple’s Safari browser.

Packet Storm acquired the details of the exploit, which affects Safari 6.0.1, and possibly earlier versions, on iOS 6 and on OS X 10.7 and 10.8 (Lion and Mountain Lion respectively), from independent security researcher Vitaliy Toropov through its bug bounty program.

The vulnerability lies in “WebKit’s JavaScriptCore JSArray::sort(…) method.” According to the posting on Packet Storm, this method accepts user-defined JavaScript comparison functions and calls them from native code to compare array items. If one of those comparison functions reduces the array’s length while the sort is still running, any array items written after that point can land outside the “m_storage->m_vector[]” buffer, corrupting heap memory.
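The hazard described above, a comparator callback that shrinks the array while native sort code still trusts the length it read at entry, can be modelled without touching WebKit. The following C program is an added illustration, not Toropov’s proof-of-concept and not WebKit’s code: the ToyArray struct, the shrinking_cmp comparator and both sort routines are constructed for this example. It first runs an instrumented version of the unsafe pattern that counts, rather than performs, each write that would land outside the current buffer, then a hardened version that sorts a private copy and re-reads the array’s length and capacity before writing back. The hardened routine is one defensive pattern for callback re-entrancy, not a description of Apple’s actual fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a JS array (constructed for this example): a heap vector plus
 * a script-visible length that a callback may shrink at any time. */
typedef struct {
    int *vector;      /* stands in for m_storage->m_vector[] */
    size_t capacity;  /* slots actually allocated */
    size_t length;    /* script-visible length */
} ToyArray;

/* A comparator receives the array too, so it can re-enter and mutate it the
 * way a user-supplied JS compare function can. */
typedef int (*Comparator)(ToyArray *arr, int a, int b);

static ToyArray make_array(const int *vals, size_t n) {
    ToyArray a = { malloc(n * sizeof(int)), n, n };
    memcpy(a.vector, vals, n * sizeof(int));
    return a;
}

/* Adversarial comparator: on first use it shrinks the array to two slots and
 * reallocates the buffer to match, like a compare function setting length = 2. */
static int shrinking_cmp(ToyArray *arr, int a, int b) {
    if (arr->length > 2) {
        arr->length = 2;
        arr->capacity = 2;
        arr->vector = realloc(arr->vector, 2 * sizeof(int));
    }
    return a - b;
}

/* Unsafe shape, instrumented: caches the length once and sorts in place.
 * Every access is checked against the *current* capacity and the vector
 * pointer is re-read after each callback; an access that would fall outside
 * the buffer is counted instead of performed, so the defect is observable
 * without corrupting memory. */
static size_t naive_sort_count_oob(ToyArray *arr, Comparator cmp) {
    size_t n = arr->length;  /* stale as soon as a callback shrinks the array */
    size_t oob = 0;
    for (size_t i = 1; i < n; i++) {
        int key = (i < arr->capacity) ? arr->vector[i] : 0;
        size_t j = i;
        while (j > 0 && cmp(arr, (j - 1 < arr->capacity) ? arr->vector[j - 1] : 0, key) > 0) {
            if (j < arr->capacity) arr->vector[j] = arr->vector[j - 1];
            else oob++;            /* would have written past the buffer */
            j--;
        }
        if (j < arr->capacity) arr->vector[j] = key;
        else oob++;
    }
    return oob;
}

/* Hardened shape: sort a private copy so callbacks never see a half-sorted
 * buffer, then re-read length and capacity and write back only what fits. */
static size_t safe_sort(ToyArray *arr, Comparator cmp) {
    size_t n = arr->length;
    int *tmp = malloc(n * sizeof(int));
    memcpy(tmp, arr->vector, n * sizeof(int));
    for (size_t i = 1; i < n; i++) {
        int key = tmp[i];
        size_t j = i;
        while (j > 0 && cmp(arr, tmp[j - 1], key) > 0) {
            tmp[j] = tmp[j - 1];
            j--;
        }
        tmp[j] = key;
    }
    size_t writable = arr->length < n ? arr->length : n;
    if (writable > arr->capacity) writable = arr->capacity;
    memcpy(arr->vector, tmp, writable * sizeof(int));
    free(tmp);
    return writable;
}

static const int SAMPLE[] = { 5, 4, 3, 2, 1 };  /* constructed input */

/* Number of out-of-bounds writes the unsafe pattern would attempt. */
size_t demo_naive_oob(void) {
    ToyArray a = make_array(SAMPLE, 5);
    size_t oob = naive_sort_count_oob(&a, shrinking_cmp);
    free(a.vector);
    return oob;
}

/* 1 if the hardened sort wrote back exactly the two surviving, sorted slots. */
int demo_safe_ok(void) {
    ToyArray a = make_array(SAMPLE, 5);
    size_t written = safe_sort(&a, shrinking_cmp);
    int ok = written == 2 && a.length == 2 && a.vector[0] == 1 && a.vector[1] == 2;
    free(a.vector);
    return ok;
}

int main(void) {
    printf("unsafe pattern: %zu write(s) would land outside the buffer\n", demo_naive_oob());
    printf("hardened sort: %s\n", demo_safe_ok() ? "ok" : "FAILED");
    return 0;
}
```

With the five-element input, the unsafe routine attempts three writes beyond the two slots that remain after the callback shrinks the array; the hardened routine writes back only the two elements that still fit. The general lesson is the one the article’s description implies: any native loop that calls back into script must treat every cached length, capacity or storage pointer as invalid after the call returns.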

“The exploit for this vulnerability is a JavaScript code which shows how to use it for memory corruption of internal JS objects (Uint32Array and etc.) and subsequent arbitrary code execution (custom ARM/x64 payloads can be pasted into the JS code),” Toropov explained in his proof-of-concept write-up.

Apple patched the buffer overflow vulnerability that this proof-of-concept exploits back in November 2012, so the only Apple users potentially affected by an attack deploying this exploit would be those that have not updated from OS X 10.7 and 10.8 and iOS 6.0.1.

Of course, exploits of known and even patched vulnerabilities are used by cybercriminals and by malware and exploit kit creators far more often than zero-days. Such attacks are effective because computer users are notoriously stubborn about installing software updates. It’s hard to say just how many Safari users are vulnerable to this attack, but, according to technology research firm Net Market Share, more than one percent of all users on the Internet are browsing with Safari 5.1 and are therefore potentially vulnerable. Beyond that, Net Market Share’s figures indicate that nearly 3.5 percent of Web users surf with Safari 6.0 or better. Any of those who failed to update from 6.0.1 would remain vulnerable.


Comments (2)

  1. applejack

    Currently approx. 25% of millions of Mac users are on OS X 10.6 due to legacy PPC software support and still very capable hardware that’s only at least a mere two years old (10.7 released June 2011). The stock browser is Safari 5.x; there is no 6.01 for 10.6. These intentional security lapses are a matter of business policy with Apple as a means to force paid OS upgrades, deny PPC software support and hobble hardware to force a higher turnover rate.

    Apple used to only support the last two OS X versions, but since Flashback pwned Cupertino and 750,000 Macs via Java 6, which Apple maintains, they have been maintaining 10.6, but not Safari 5. Apple is trying to force 10.6 holdouts to upgrade to 10.8 (10.9 in Sept) but only offer the newest version in their app store, which many machines can’t be updated to.

    So like before, the stage is set by Apple to reap the benefits of malware targeting their platform but not letting it get out of control like Flashback did. Why a hardware company can’t be trusted.

  2. applejack

    Hardware doesn’t last forever; users expect to use the software that comes on the machine and in general are not geeks and don’t like risking problematic OS upgrades, which in the case of firmware and drivers can brick the machine. Apple should be forced to provide security patches for any software more than 5% in active use on their or what they have on Windows platforms. But since they won’t, it’s a green light for hacking, for which they should be held liable.

    It’s pretty easy for Apple to maintain their software in active use; they chose not to unless something forces their hand, like bad press.
