WebKit WBR Tag Removal Code Execution Vulnerability

Summary

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WebKit.

Credit:

The information has been provided by Vupen Security.
The original article can be found at: http://www.zerodayinitiative.com/advisories/ZDI-11-135/


Details

Vulnerable Systems:
 * WebKit

User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the way the WebKit library handles WBR tags on a web page. By adding children to a WBR tag and then subsequently removing the tag, for example through a ‘removeChild’ call, it is possible to create a dangling pointer that can result in remote code execution in the context of the current user.

Patch Availability:
Google patch on March 12, 2011:
http://googlechromereleases.blogspot.com/2011/03/stable-and-beta-channel-updates.html

Apple patch on April 14, 2011:
http://support.apple.com/kb/HT4606
http://support.apple.com/kb/HT4607
http://support.apple.com/kb/HT4596

Webkit fix:
http://trac.webkit.org/changeset/79689

CVE Information:
CVE-2011-1344

Disclosure Timeline:
2011-03-31 – Vulnerability reported to vendor
2011-04-14 – Coordinated public release of advisory

Categories: UNIX