Apple WebKit dir Attribute Freeing Dangling Object Pointer VulnerabilityZDI-09-033: June 8th, 2009
This vulnerability allows attackers to execute arbitrary code on vulnerable software utilizing the Apple WebKit library. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.
The specific flaw exists when the document.body element contains a specific XML container containing various elements supporting the 'dir' attribute. During the destruction of this element, if the rendering object responsible for the element is being removed, the application will then make a call to a method for an object that doesn't exist which can lead to code execution under the context of the current user.
Vendor ResponseApple has issued an update to correct this vulnerability. More details can be found at:
2009-02-09 - Vulnerability reported to vendor
2009-06-08 - Coordinated public release of advisory
CreditThis vulnerability was discovered by:
wushi&ling of team509