VUPEN Security Research - Apple Safari ColorSync Profile Integer Overflow Vulnerability

http://www.vupen.com/english/research.php

I. BACKGROUND
---------------------

"Safari is a web browser developed by Apple. As of February 2010, Safari was the fourth most widely used browser, with 4.45% of the worldwide usage share of web browsers according to Net Applications."

II. DESCRIPTION
---------------------

VUPEN Vulnerability Research Team discovered a vulnerability in Apple Safari.

The flaw is caused by an integer overflow error in ColorSync when processing certain images with an embedded color profile, which could be exploited by attackers to potentially execute arbitrary code via a specially crafted web page.

III. AFFECTED PRODUCTS
--------------------------------

Apple Safari versions prior to 4.0.5

IV. Exploits - PoCs & Binary Analysis
----------------------------------------

In-depth binary analysis of the vulnerability and a proof-of-concept have been released by VUPEN through the VUPEN Binary Analysis & Exploits Service:

http://www.vupen.com/exploits

V. SOLUTION
----------------

Upgrade to Apple Safari 4.0.5:

http://www.apple.com/safari/download/

VI. CREDIT
--------------

The vulnerability was discovered by Sebastien Renaud of VUPEN Security

VII. ABOUT VUPEN Security
---------------------------------

VUPEN is a leading IT security research company providing vulnerability management and security intelligence solutions which enable enterprises and institutions to eliminate vulnerabilities before they can be exploited, ensure security policy compliance and meaningfully measure and manage risks.

VUPEN also provides in-depth binary analysis of vulnerabilities and commercial-grade exploit codes to help security vendors, governments, and corporations to evaluate and qualify risks, and protect their infrastructures and assets.

* VUPEN Vulnerability Notification Service: http://www.vupen.com/english/services
* VUPEN Binary Analysis & Exploits Service: http://www.vupen.com/exploits

VIII. REFERENCES
----------------------

http://www.vupen.com/english/advisories/2010/0599
http://support.apple.com/kb/HT4070
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0040

IX. DISCLOSURE TIMELINE
-----------------------------------

2009-12-03 - Vendor notified
2009-12-07 - Vendor response
2010-01-26 - Status update received
2010-03-04 - Status update received
2010-03-12 - Coordinated Public Disclosure