<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>ZDI-10-257: Apple Webkit WholeText Integer Overflow Remote Code Execution Vulnerability<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><a href="http://www.zerodayinitiative.com/advisories/ZDI-10-257">http://www.zerodayinitiative.com/advisories/ZDI-10-257</a><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>November 23, 2010<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>-- CVE ID:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>CVE-2010-3812<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>-- CVSS:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>-- Affected Vendors:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>Apple<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>-- Affected Products:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>Apple WebKit<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>-- Vulnerability Details:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>This vulnerability allows remote attackers to execute arbitrary code on<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>vulnerable installations of Apple Webkit. User interaction is required<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>to exploit this vulnerability in that the target must visit a malicious<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>page or open a malicious file.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>The specific flaw exists within the wholeText method of the Text<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>element. When calculating the total size of all the text containing it,<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>the application will wrap a 32-bit integer. The application will use<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>this in an allocation and then later use a different value for<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>populating the buffer. This can lead to code execution under the context<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>of the application.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>-- Vendor Response:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>Apple states:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>iOS 4.2: http://support.apple.com/kb/HT4456<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>-- Disclosure Timeline:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>2010-08-12 - Vulnerability reported to vendor<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>2010-11-23 - Coordinated public release of advisory<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>-- Credit:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>This vulnerability was discovered by:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'> * J23 (http://twitter.com/HansJ23)<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>-- About the Zero Day Initiative (ZDI):<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>Established by TippingPoint, The Zero Day Initiative (ZDI) represents <o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>a best-of-breed model for rewarding security researchers for responsibly<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>disclosing discovered vulnerabilities.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>Researchers interested in getting paid for their security research<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>through the ZDI can find more information and sign-up at:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'> http://www.zerodayinitiative.com<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>The ZDI is unique in how the acquired vulnerability information is<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>used. TippingPoint does not re-sell the vulnerability details or any<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>exploit code. Instead, upon notifying the affected product vendor,<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>TippingPoint provides its customers with zero day protection through<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>its intrusion prevention technology. Explicit details regarding the<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>specifics of the vulnerability are not exposed to any parties until<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>an official vendor patch is publicly available. Furthermore, with the<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>altruistic aim of helping to secure a broader user base, TippingPoint<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>provides this vulnerability information confidentially to security<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>vendors (including competitors) who have a vulnerability protection or<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>mitigation product.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>Our vulnerability disclosure policy is available online at:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'> http://www.zerodayinitiative.com/advisories/disclosure_policy/<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'>Follow the ZDI on Twitter:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'> http://twitter.com/thezdi<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>