n.runs AG http://www.nruns.com/ security(at)nruns.com n.runs-SA-2009.006 23-Jun-2009 _______________________________________________________________________ Vendor: Apple Inc., http://www.apple.com Affected Products: Safari Browser 3.2.3 all platforms Vulnerability: Null pointer dereference lead to DoS Risk: MEDIUM _______________________________________________________________________ Vendor communication: 2009/06/07 Bug found 2009/06/08 Preparing PoC's and problem description for three bug classes (n.runs-SA-2009.004 - n.runs-SA-2009.006); writing initial email 2009/06/08 Apple releases Safari 4.0 [1] 2009/06/09 Sending initial email in midnight hour (UTC/GMT +2 hours) 2009/06/09 Bot reply mail delivered; received Follow-Up ID 2009/06/09 Due to a press release n.runs is now aware of new release; testing three PoC's; two of them seems to be fixed 2009/06/10 Apple replies and outlining "to take any report of a potential security issue very seriously." Asking for PoC's 2009/06/10 Sending all PoC's with further description and outlining at the time of writing the initial email, n.runs was aware of new Safari release. Two PoC's (n.runs-SA-2009.005 and n.runs-SA-2009.006) are not working with new Safari release but asking to have a closer look into it. 2009/06/11 Apple response two PoC's are not working on the latest release, so Apple don't see the need for any further action. With regards to n.runs-SA-2009.004, Apple acknowledge the issue still affects Safari 4 and is looking to fix it. 2009/06/15 n.runs informs Apple to release this advisory due to time difference 2009/06/23 n.runs releases this advisory _______________________________________________________________________ Overview: Quoting http://www.apple.com/safari/: "What is Safari ? It's a browser. It's a platform. It's an open invitation to innovate. Whether on a Mac, PC, iPhone, or iPod touch, Safari continuously redefines the browser, providing the most enjoyable way to experience the Internet." Description: A Null Class Pointer Dereference in CoreFoundation.dll has been found while parsing a URL fragment with a high-bit character in a common protocol handler. In detail, the following flaw was determined: - Safari crashes in method CFCharacterSetInitInlineBuffer because the first passed pointer argument (stored in ecx) was not sanized. Hence dereferencing a null pointer Sarafi will crash. Excerpt from stack trace: CoreFoundation!CFCharacterSetInitInlineBuffer+0x357 CoreFoundation!CFURLCopyFileSystemPath+0xf3 CoreFoundation!CFURLGetWideFileSystemRepresentation+0x23 CFNetwork!CFHTTPMessageSendRequest+0x6e4 CFNetwork!CFHTTPMessageSendRequest+0x96e CFNetwork!CFHTTPMessageSendRequest+0xad2 CFNetwork!CFURLConnectionSendSynchronousRequest+0x8d7 CFNetwork!CFStreamErrorFromCFError+0x9a0 ntdll!RtlpAllocateFromHeapLookaside+0x42 ntdll!RtlAllocateHeap+0x1c2 Impact An attacker could trigger the vulnerability by constructing a specially prepared website. When a user views the web page an unexpected application termination occurs. Kindly note: Whether this circumstance leads to an exploitable condition was not closer investigated. Solution: Apple has issued an update to correct this vulnerability. For detailed information about the fixes follow the link in References [1] section of this document. _______________________________________________________________________ Credit: Bugs found by Alexios Fakos of n.runs AG. _______________________________________________________________________ References: [1] http://support.apple.com/kb/HT3613 This Advisory and Upcoming Advisories: http://www.nruns.com/security_advisory.php _______________________________________________________________________ Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security@nruns.com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages. Copyright 2009 n.runs AG. All rights reserved. Terms of use apply.